Xref: alice comp.databases.oracle.misc:32922 comp.databases.oracle.tools:26053 Path: alice!news-feed.fnsi.net!netnews.com!news.maxwell.syr.edu!newsfeed.enteract.com!ultraneo.neosoft.com!uuneo.neosoft.com!Starbase.NeoSoft.COM!not-for-mail From: claird@Starbase.NeoSoft.COM (Cameron Laird) Newsgroups: comp.lang.tcl,comp.databases.oracle.misc,comp.databases.oracle.tools Subject: Re: oratcl compormises security? Date: 6 Jun 1999 19:52:48 -0500 Organization: NeoSoft, Inc. +1 713 968 5800 Lines: 52 Message-ID: <7jf550$lc3$1@Starbase.NeoSoft.COM> References: <928713630.147233@iris.nyx.net> In article <928713630.147233@iris.nyx.net>, Tom Poindexter wrote: . . . >Oratcl has no backdoor, or other security problems. Period. > >Please check the source for yourself if you're in doubt. Oratcl has >always been open sourced software, and thousands of users use Oratcl >everyday without security problems. > >Oracle Corporation uses Tcl and a modified Oratcl extension in their >Oracle Enterprise Manager product. Oracle developers have not >offered to make their modifications public, nor have I seen those >modifications either, which according to Oratcl's BSD-style license, is >perfectly acceptable. > >The problem is that Oracle ships the tcl/oratcl interpreter as set-id to >'root' in some installations. Furthermore, the exectuable file permissions >allows execution by any user. (rwsr-x-r-x) > >This is obliviously a security breach, since a simple Tcl interpreter has the >ability to read/write files, exec other programs, etc., just as any ordinary >shell such as /bin/sh, /bin/ksh, /bin/csh, etc. Any user can exec the >oratclsh interpreter, and as set-id 'root', have instant access to >anything on the system. > >I would appreciate the names of the trade publications that have pointed to >Oratcl as a secutiry fault so that I can set the record straight. . . . Let me be clear on this: there's no particular Tcl content to the situation; any sufficiently potent processor configured this way would present the same vulnerabilities, right? So: why the hazardous suid? Is there a fundamental lacuna in Tcl's programming model (it doesn't do all the Perlish tainting calculations, something like that), or is this just a manifestation of what your buddy Bob Gray explains is the default corporate policy [which] tends to favor shipping products with all features enabled, at the expense of security ? -- Cameron Laird http://starbase.neosoft.com/~claird/home.html claird@NeoSoft.com +1 281 996 8546 FAX