|
|
Oracle 8 oratclsh Suid Vulnerability
Solution: You can obtain a patch to fix this and other potential security vulnerabilities from Oracle MetaLink webpage at http://www.oracle.com/support/elec_sup. You will find the patch attached bellow. You can also not install the Internet Agent option or turn off the suid bit in the oratclsh program manually. Oracle claims it will be fixed in Oracle8 8.1.6 and Oracle8 8.0.6. -- cut here -- setuid_patch.sh #!/bin/sh # # NAME # setuid_patch.sh # # DESCRIPTION # Provided as a patch to 8.0.X and 8.1.5 to fix bugs 701297, 714293. # These bugs introduce a security hole by changing the permissions # to affect the effective user id for executables which should not # be set this way. # # PRECONDITIONS # if ORACLE_HOME is not set, doesn't exist, or points to an # invalid location, script exits. # # HOW TO USE # This script must be run as the oracle user who installed the 8.0.3 # 8.0.4, 8.0.5 or 8.1.5 software. # # To run, change directories into the the directory that contains this # file. # % cd <patch_location_directory> # # Add execute permission to the patch. # % chmod 744 setuid_patch.sh # # Then, invoke the script. # % ./setuid_patch.sh # # MODIFIED (MM/DD/YY) # menash 5/3/99 Initial creation ##--------------------- ## VARIABLE DEFINITIONS #----------------------------- # potentially platform specific variables CHMOD="/bin/chmod" FIND="/bin/find" CHMOD_S="$CHMOD -s" # remove set id bit RM_F="/bin/rm -f" LS_L="/bin/ls -l" LS_N="/bin/ls -n" # gives uid number for owner SED="/bin/sed" AWK="/bin/awk" GREP="/bin/grep" GREP_C="$GREP -c" GREP_V="$GREP -v" MV="/bin/mv" TMP_DIR="/tmp" EXECS_TO_UNSET="lsnrctl oemevent onrsd osslogin tnslsnr tnsping trcasst trcroute +cmctl cmadmin cmgw names namesctl otrccref otrcfmt otrcrep otrccol oracleO" EXECS_NOT_TO_UNSET="oracle dbsnmp" EXECS_TO_REMOVE="oratclsh osh" LIKELY_SUFFIXES="0 O" ROOT_SH_815="$ORACLE_HOME/root.sh" ROOT_SH_805="$ORACLE_HOME/orainst/root.sh" if [ x${ORACLE_HOME} = x ] -o [ ${ORACLE_HOME} = "" ] ; then echo "ORACLE_HOME is either unset or empty." echo "Exiting ..." exit 1 fi #-------------- # usage message SCRIPTNAME=setuid_patch.sh USAGE="Usage: $SCRIPTNAME [-h]" if [ $# -gt 1 ] ; then echo echo $USAGE exit 2 fi ##-----------# ## FUNCTIONS # ##-----------# # ---------- # setuid_off # Assumes executable is in $ORACLE_HOME/bin # # Usage: setuid_off <executable> #------------ setuid_off () { exe=$1 full_path_exe=$ORACLE_HOME/bin/$exe if [ -r $full_path_exe ] ; then perm=`$LS_L $full_path_exe | $SED 's;r-.*;;'` if [ $perm = "-rws" ] ; then $CHMOD_S $full_path_exe echo " removing set-ID from $full_path_exe" fi fi } #----------- # remove_exe # Assumes executable is in $ORACLE_HOME/bin # Removes if owned by root, otherwise, calls setuid_off # Usage: remove_exe <executable> remove_exe () { full_path_exe=$ORACLE_HOME/bin/$1 if [ -r $full_path_exe ] ; then owner=`$LS_N $full_path_exe | $AWK '{print $3}'` if [ $owner = "0" ] ; then $RM_F $full_path_exe echo " removing $full_path_exe..." else setuid_off $1 fi fi } #----------- # search_for_others # # Finds other executables n $ORACLE_HOME/bin which have 4000, 6000, # or 2000 permissions except for those we expects, and warns the # user that they should be removed manually # Usage: search_for_others search_for_others () { all_others="`$FIND $ORACLE_HOME/bin -perm -2000`" others="" if [ x"${all_others}" != x ] ; then for other in $all_others; do match="false" for exe in $EXECS_NOT_TO_UNSET; do if [ $other = $ORACLE_HOME/bin/$exe ] ; then match="true" fi done if [ $match = "false" ] ; then others="$others $other" fi done if [ x"${others}" != x ] ; then echo "The following executables remain with set-ID." echo "You may need to change the permissions manually:" for executable in $others; do echo " $executable" done fi fi } #-------- # remove_from_root_sh # For each parameter it is passed, remove_from_root_sh removes all # lines with references to that string. # Usage: remove_from_root_sh [ string1, string2, etc. ] remove_from_root_sh () { strings=$* tmp_file="root.sh.$$" $RM_F $TMP_DIR/$tmp_file for string in $strings; do if [ `$GREP_C $string $ROOT_SH` != "0" ] ; then echo " removing $string from $ROOT_SH" fi $GREP_V $string $ROOT_SH > $TMP_DIR/$tmp_file $MV $TMP_DIR/$tmp_file $ROOT_SH done } ################ # MAIN EXECUTION ################ # Turn setuid bit off for the appropriate executables and their # likely backups for exe in $EXECS_TO_UNSET; do setuid_off $exe for suf in $LIKELY_SUFFIXES; do setuid_off $exe$suf done done # Remove files entirely which should be removed for exe in $EXECS_TO_REMOVE; do remove_exe $exe done # Determine version -- 8.0.5 or 8.1.5 # Backup existing root.sh into root.sh.old, removing references # to EXECS_TO_REMOVE if [ -r $ROOT_SH_805 ] ; then ROOT_SH=$ROOT_SH_805 else if [ -r $ROOT_SH_815 ] ; then ROOT_SH=$ROOT_SH_815 else echo "No root.sh found in $ORACLE_HOME" fi fi if [ x${ROOT_SH} != x ] ; then remove_from_root_sh $EXECS_TO_REMOVE fi # Check one last time to see if any setuid executables are left search_for_others |
|
Privacy Statement |