Bugtraq mailing list archives

Interesting practices of Oracle [Oracle Webserver]


From: hurtta+zz () OZONE FMI FI (hurtta+zz () OZONE FMI FI)
Date: Fri, 19 Sep 1997 09:48:59 +0300


Hello,

Perhaps the following is interesting.


Software:    Oracle Webserver 2.1
             Oracle Webserver 1.0 (included in Oracle7 Server and Oracle7 Workgroup Server)


Conclusion:  You should use the same criteria to decide who gets the password for the oracle account
             as you use to decide who gets the password for the root account.


Background:  1) Oracle Webserver comes as setuid root
             2) Configuration files and the software tree are owned by
                the oracle account.

Effects:     That allows the oracle account to control
             what is normally left to the root account:


             1) The oracle account can select under what account
                Oracle Webserver operates (by editing the configuration
                file).

             2) Oracle Webserver 2.1 opens the log file as root,
                so the oracle account can append to any file
                (by editing the configuration file).


             Notice that even if 2) is a bug, that is irrelevant
             because 1) supersedes it (and that looks like a planned
             feature).

/ Kari Hurtta
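The exposure described in the post is a setuid-root binary whose configuration a non-root account can edit. The following audit check is an added example, not code from the post or from Oracle: it flags configuration files that a non-root user can modify while the binary they control runs setuid root. File paths and the uid 1001 for the oracle account are constructed placeholders.

```python
import os
import stat
from dataclasses import dataclass
from typing import List

@dataclass
class FileMeta:
    """Ownership and mode bits of one file; built from os.stat or constructed by hand."""
    path: str
    uid: int
    gid: int
    mode: int

def meta_from_path(path: str) -> FileMeta:
    """Read ownership and mode of a real file on the host being audited."""
    st = os.stat(path)
    return FileMeta(path, st.st_uid, st.st_gid, st.st_mode)

def is_setuid_root(f: FileMeta) -> bool:
    return f.uid == 0 and bool(f.mode & stat.S_ISUID)

def non_root_write_reasons(f: FileMeta) -> List[str]:
    """Reasons an account other than root could modify this file."""
    reasons = []
    if f.uid != 0:
        reasons.append(f"owned by uid {f.uid}, not root")
    if f.mode & stat.S_IWGRP:
        reasons.append(f"group-writable by gid {f.gid}")
    if f.mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons

def audit_setuid_config(binary: FileMeta, configs: List[FileMeta]) -> List[str]:
    """One finding per config file a non-root user can edit while the binary is setuid root."""
    if not is_setuid_root(binary):
        return []  # not setuid root: editing its config gains nothing beyond the editor's own rights
    findings = []
    for cfg in configs:
        for reason in non_root_write_reasons(cfg):
            findings.append(f"{cfg.path}: {reason} (controls setuid-root {binary.path})")
    return findings

# Constructed sample mirroring the post: a setuid-root server binary whose
# configuration file is owned by the oracle account (placeholder uid 1001).
ORACLE_UID = 1001
WEBSERVER = FileMeta("/PLACEHOLDER/webserver-binary", 0, 0, stat.S_IFREG | stat.S_ISUID | 0o755)
ORACLE_OWNED_CFG = FileMeta("/PLACEHOLDER/webserver.cfg", ORACLE_UID, ORACLE_UID, stat.S_IFREG | 0o644)
ROOT_OWNED_CFG = FileMeta("/PLACEHOLDER/webserver.cfg", 0, 0, stat.S_IFREG | 0o644)

if __name__ == "__main__":
    for line in audit_setuid_config(WEBSERVER, [ORACLE_OWNED_CFG]):
        print(line)
```

The mitigation the check points at is the post's conclusion: either the config files become root-owned and not group/world-writable, or the oracle account is guarded like root.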


