Bugtraq mailing list archives
Interesting practices of Oracle [Oracle Webserver]
From: hurtta+zz () OZONE FMI FI (hurtta+zz () OZONE FMI FI)
Date: Fri, 19 Sep 1997 09:48:59 +0300
Hello,

Perhaps the following is interesting.

Software:
  Oracle Webserver 2.1
  Oracle Webserver 1.0 (included with Oracle7 Server and Oracle7 Workgroup Server)

Conclusion:
  You should use the same criteria to decide who gets the password for the oracle account as you use to decide who gets the password for the root account.

Background:
  1) Oracle Webserver comes as setuid root.
  2) Configuration files and the software tree are owned by the oracle account.

Effects:
  That allows the oracle account to control what is normally left to the root account:
  1) The oracle account can select under what account Oracle Webserver operates (by editing the configuration file).
  2) Oracle Webserver 2.1 opens the log file as root, so the oracle account can append to any file (by editing the configuration file).

Notice that even if 2) is a bug, that is irrelevant because 1) supersedes it (and that looks like a planned feature).

/ Kari Hurtta
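The ownership mismatch the post describes (a setuid-root program whose configuration tree belongs to a non-root account) can be audited mechanically. The following is an added example, not code from the original message or from Oracle; the paths, modes and the uid 1001 standing in for the oracle account are constructed sample data.

```python
"""Audit: does a non-root account control a setuid-root program's configuration?

If the program runs as root but its config files are owned by (or writable
for) another account, that account effectively holds root, which is the
point of the Bugtraq post above. Sample paths and uids are constructed.
"""
import os
import stat
from typing import Iterable, List, NamedTuple


class Entry(NamedTuple):
    path: str
    mode: int  # st_mode as returned by os.stat()
    uid: int   # st_uid


def is_setuid_root(e: Entry) -> bool:
    """True when the file carries the setuid bit and is owned by root."""
    return bool(e.mode & stat.S_ISUID) and e.uid == 0


def config_controllers(binary: Entry, tree: Iterable[Entry]) -> List[str]:
    """Return one finding per config/tree entry that an account other than
    root can modify; an empty list means the tree is root-controlled."""
    findings: List[str] = []
    if not is_setuid_root(binary):
        return findings  # not privileged: ownership of its config is harmless
    for e in tree:
        if e.uid != 0:
            findings.append(f"{e.path}: owned by uid {e.uid}, not root")
        elif e.mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{e.path}: root-owned but group/world writable")
    return findings


def from_filesystem(paths: Iterable[str]) -> List[Entry]:
    """Build entries from live stat() calls when auditing a real host."""
    out = []
    for p in paths:
        st = os.stat(p)
        out.append(Entry(p, st.st_mode, st.st_uid))
    return out


# Constructed sample (hypothetical paths): -rwsr-xr-x root binary,
# config owned by uid 1001 (the non-root server account), group-writable log.
SAMPLE_BINARY = Entry("/opt/example-ws/bin/server", 0o104755, 0)
SAMPLE_TREE = [
    Entry("/opt/example-ws/admin/server.cfg", 0o100644, 1001),
    Entry("/opt/example-ws/log/error.log", 0o100664, 0),
]

if __name__ == "__main__":
    for line in config_controllers(SAMPLE_BINARY, SAMPLE_TREE):
        print(line)
```

Run against a live host with `from_filesystem()` on the installed binary and its configuration directory; any finding means the owning account must be trusted exactly like root.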