Newsgroups: comp.databases.oracle
From: Rich Cannon <Rich.Cannon@ColumbiaSC.NCR.COM>
Subject: Re: ps shows user/password under Unix - SUMMARY
Message-ID: <CKLwJ5.4rt@ncrcae.ColumbiaSC.NCR.COM>
Sender: news@ncrcae.ColumbiaSC.NCR.COM (news)
Reply-To: Rich.Cannon@ColumbiaSC.NCR.COM
Organization: AT&T/GIS CSM&D - Columbia
X-Newsreader: DiscussIT for MS Windows [AT&T/NCR Software Products Division]
References:  <1994Jan25.164014.10370@exlog.com>
Date: Wed, 2 Feb 1994 16:59:29 GMT
Lines: 33


>In article <1994Jan25.164014.10370@exlog.com> Lee Parsons writes: 
>A number of people contacted me regarding their experiences with 
>the ps command revealing username password combinations. With only
>one exception all systems that did reveal the password are ATT 
>based systems and those that did not are BSD. 
>
>(I think the one exception was a communication error on my part.
> It contradicts my direct experience and is noted below.)
>
>Apparently under ATT derived systems the process information shown 
>by ps is owned by the kernel while under BSD ps shows the user's
>version of the process list. Therefore oracle is unable to change
>the process list under ATT because it doesn't have the write 
>access required. 
>

On our NCR box (with AT&T Unix) we have two versions of ps, one with restricted
access (/usr/sbin) and one with root access (/usr/bin).  By using the restricted
ps we have eliminated this security hole.





******************************************************
* Rich Cannon -- AT&T GIS CSM&D Columbia  *
* DUKE '92  -- Now an Oracle Hostage           *
******************************************************
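The quoted summary says a program can change what ps shows only where ps reads the process's own copy of its arguments. The following is an added example, not part of either post and not Oracle's code: a sketch of that in-place argument scrub, assuming a `user/password[@connect]` argument form and using a constructed sample value; the function name `scrub_credential` is hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Overwrite the password part of one "user/password[@connect]" argument
 * in place. Returns the number of bytes overwritten (0 if there is no '/').
 * The length never changes: argv storage can be rewritten but not resized.
 * The LAST '@' is treated as the start of the connect suffix, so a password
 * that itself contains '@' is still blanked in full. */
static size_t scrub_credential(char *arg)
{
    char *slash = strchr(arg, '/');
    if (slash == NULL)
        return 0;                       /* no password in this argument */

    char *secret = slash + 1;
    char *end = strrchr(secret, '@');   /* optional @connect suffix (assumed form) */
    if (end == NULL)
        end = secret + strlen(secret);

    size_t n = (size_t)(end - secret);
    memset(secret, 'x', n);
    return n;
}

int main(int argc, char **argv)
{
    /* Constructed sample, used when the program is run without arguments. */
    char prog[] = "client";
    char sample[] = "scott/tiger@orcl";
    char *fake[] = { prog, sample };
    if (argc < 2) {
        argc = 2;
        argv = fake;
    }

    /* Only argv[1] is assumed to carry credentials; other arguments
     * (file paths, for instance) may legitimately contain '/'. */
    size_t n = scrub_credential(argv[1]);
    printf("overwrote %zu byte(s); argv[1] is now \"%s\"\n", n, argv[1]);
    return 0;
}
```

Even where ps reads the process's own argument memory, the password is visible from process start until the scrub runs; where ps reads a kernel-held copy, as the summary describes for AT&T-derived systems, the scrub changes nothing ps reports.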




