|
|
Oracle 8 File Access Vulnerabilities
Solution: You can obtain a patch to fix this and other potential security vulnerabilities from Oracle MetaLink webpage at http://www.oracle.com/support/elec_sup. You will find the patch attached bellow. Oracle claims it will be fixed in Oraclei 8.1.6 and Oracle8 8.0.6. -- cut here -- setuid_patch.sh #!/bin/sh # # NAME # setuid_patch.sh # # DESCRIPTION # Provided as a patch to 8.0.X and 8.1.5 to fix bugs 701297, 714293. # These bugs introduce a security hole by changing the permissions # to affect the effective user id for executables which should not # be set this way. # # PRECONDITIONS # if ORACLE_HOME is not set, doesn't exist, or points to an # invalid location, script exits. # # HOW TO USE # This script must be run as the oracle user who installed the 8.0.3 # 8.0.4, 8.0.5 or 8.1.5 software. # # To run, change directories into the the directory that contains this # file. # % cd <patch_location_directory> # # Add execute permission to the patch. # % chmod 744 setuid_patch.sh # # Then, invoke the script. # % ./setuid_patch.sh # # MODIFIED (MM/DD/YY) # menash 5/3/99 Initial creation ##--------------------- ## VARIABLE DEFINITIONS #----------------------------- # potentially platform specific variables CHMOD="/bin/chmod" FIND="/bin/find" CHMOD_S="$CHMOD -s" # remove set id bit RM_F="/bin/rm -f" LS_L="/bin/ls -l" LS_N="/bin/ls -n" # gives uid number for owner SED="/bin/sed" AWK="/bin/awk" GREP="/bin/grep" GREP_C="$GREP -c" GREP_V="$GREP -v" MV="/bin/mv" TMP_DIR="/tmp" EXECS_TO_UNSET="lsnrctl oemevent onrsd osslogin tnslsnr tnsping trcasst trcroute +cmctl cmadmin cmgw names namesctl otrccref otrcfmt otrcrep otrccol oracleO" EXECS_NOT_TO_UNSET="oracle dbsnmp" EXECS_TO_REMOVE="oratclsh osh" LIKELY_SUFFIXES="0 O" ROOT_SH_815="$ORACLE_HOME/root.sh" ROOT_SH_805="$ORACLE_HOME/orainst/root.sh" if [ x${ORACLE_HOME} = x ] -o [ ${ORACLE_HOME} = "" ] ; then echo "ORACLE_HOME is either unset or empty." echo "Exiting ..." exit 1 fi #-------------- # usage message SCRIPTNAME=setuid_patch.sh USAGE="Usage: $SCRIPTNAME [-h]" if [ $# -gt 1 ] ; then echo echo $USAGE exit 2 fi ##-----------# ## FUNCTIONS # ##-----------# # ---------- # setuid_off # Assumes executable is in $ORACLE_HOME/bin # # Usage: setuid_off <executable> #------------ setuid_off () { exe=$1 full_path_exe=$ORACLE_HOME/bin/$exe if [ -r $full_path_exe ] ; then perm=`$LS_L $full_path_exe | $SED 's;r-.*;;'` if [ $perm = "-rws" ] ; then $CHMOD_S $full_path_exe echo " removing set-ID from $full_path_exe" fi fi } #----------- # remove_exe # Assumes executable is in $ORACLE_HOME/bin # Removes if owned by root, otherwise, calls setuid_off # Usage: remove_exe <executable> remove_exe () { full_path_exe=$ORACLE_HOME/bin/$1 if [ -r $full_path_exe ] ; then owner=`$LS_N $full_path_exe | $AWK '{print $3}'` if [ $owner = "0" ] ; then $RM_F $full_path_exe echo " removing $full_path_exe..." else setuid_off $1 fi fi } #----------- # search_for_others # # Finds other executables n $ORACLE_HOME/bin which have 4000, 6000, # or 2000 permissions except for those we expects, and warns the # user that they should be removed manually # Usage: search_for_others search_for_others () { all_others="`$FIND $ORACLE_HOME/bin -perm -2000`" others="" if [ x"${all_others}" != x ] ; then for other in $all_others; do match="false" for exe in $EXECS_NOT_TO_UNSET; do if [ $other = $ORACLE_HOME/bin/$exe ] ; then match="true" fi done if [ $match = "false" ] ; then others="$others $other" fi done if [ x"${others}" != x ] ; then echo "The following executables remain with set-ID." echo "You may need to change the permissions manually:" for executable in $others; do echo " $executable" done fi fi } #-------- # remove_from_root_sh # For each parameter it is passed, remove_from_root_sh removes all # lines with references to that string. # Usage: remove_from_root_sh [ string1, string2, etc. ] remove_from_root_sh () { strings=$* tmp_file="root.sh.$$" $RM_F $TMP_DIR/$tmp_file for string in $strings; do if [ `$GREP_C $string $ROOT_SH` != "0" ] ; then echo " removing $string from $ROOT_SH" fi $GREP_V $string $ROOT_SH > $TMP_DIR/$tmp_file $MV $TMP_DIR/$tmp_file $ROOT_SH done } ################ # MAIN EXECUTION ################ # Turn setuid bit off for the appropriate executables and their # likely backups for exe in $EXECS_TO_UNSET; do setuid_off $exe for suf in $LIKELY_SUFFIXES; do setuid_off $exe$suf done done # Remove files entirely which should be removed for exe in $EXECS_TO_REMOVE; do remove_exe $exe done # Determine version -- 8.0.5 or 8.1.5 # Backup existing root.sh into root.sh.old, removing references # to EXECS_TO_REMOVE if [ -r $ROOT_SH_805 ] ; then ROOT_SH=$ROOT_SH_805 else if [ -r $ROOT_SH_815 ] ; then ROOT_SH=$ROOT_SH_815 else echo "No root.sh found in $ORACLE_HOME" fi fi if [ x${ROOT_SH} != x ] ; then remove_from_root_sh $EXECS_TO_REMOVE fi # Check one last time to see if any setuid executables are left search_for_others |
|
Privacy Statement |