

Re: Project lockdown - opinion solicitation

From: joel garry <joel-garry_at_home.com>
Date: Mon, 27 Aug 2007 10:56:30 -0700
Message-ID: <1188237390.139619.291830@x35g2000prf.googlegroups.com>


On Aug 26, 5:27 pm, HansF <fuzzy.greybe..._at_gmail.com> wrote:
> On Aug 24, 11:31 am, EdStevens <quetico_..._at_yahoo.com> wrote:
>
> > On advice last week, I have downloaded the "Project Lockdown" document
> > and begun reviewing it. I get a very uneasy feeling about his
> > suggestion to remove the SUID bit from the Oracle executables.
>
> I don't quite understand why people are scared of setUID without
> defining the context. SUID to ROOT - yes, that is dangerous, but SUID
> to Oracle?
>
> The SUID--oracle capability says "people do not need to log on to
> Oracle userid to be able to administer the Oracle environment. We can
> log and audit that external usage very well both at the OS and the
> Oracle level and this way we also have non-repudiation by ensuring
> that all administrators use their own account."

Doesn't it also mean that anyone running anything that has the bit set is allowed to do things as though they have the security of the thing that is set? So, if Oracle has the ability to do things that ordinary users are not allowed to do, doesn't that possibly allow someone to abuse that? The possibilities become legion. Unlikely for a small site, but any time you have something desirable enough out of the entire population of Oracle sites, it might be worthwhile for someone to find any little hole and then propagate it. That's what all those security updates are about, eh? For example, someone figured out a buffer overflow exploit for CMAN, which would then allow a sophisticated malicious user to bootstrap into doing anything as the oracle user/group, which means control of the entire database. Then someone found a buffer exploit in the listener. Then 9 and 10 were released and people are still finding things.

Social engineering is a lot easier, of course.

Oh, they haven't given me a login and the admin is out fishing with management, would you please log me into your account? I need to fix the corrupted extproc executable, bug 6329586.

>
> It seems to me that the people making the recommendations might be
> using the "I heard about this and therefore it must be bad" decision
> making process rather than understanding the technology involved. As
> with all Rules of Thumb - if the assumptions are not known, then it is
> easy for the rule to slide to rot.
>
> (I'd almost be willing to bet it's an auditor recommendation around
> SOX.)
>
> /Hans

--
@home.com is bogus.
http://www.signonsandiego.com/uniontrib/20070825/news_1b25energy.html
Received on Mon Aug 27 2007 - 12:56:30 CDT
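The thread is about whether the set-uid bit on Oracle-owned executables should stay or go. Before acting on Project Lockdown's advice, a practitioner would first want an inventory of which files under ORACLE_HOME actually carry set-uid or set-gid, and a way to re-check after stripping the bits. The script below is an added example, not code from the thread or from Project Lockdown; it builds a small constructed directory tree (the file names oracle, extproc and oracleO are sample names chosen here, and the mode bits are assumptions, not a record of any real Oracle release) and then runs the same audit and strip functions you would point at a real ORACLE_HOME.

```shell
#!/bin/sh
# Added example: inventory and remove set-uid/set-gid bits under a directory tree.
# Not from the thread or from Project Lockdown. File names and modes in
# make_sample_tree are constructed for demonstration.

# Print the path of every regular file under $1 that has the set-uid (4000)
# or set-gid (2000) bit, one per line. Uses only POSIX find primaries.
find_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Number of set-uid/set-gid regular files under $1 (trailing spaces from wc removed).
count_setuid() {
    find_setuid "$1" | wc -l | tr -d ' '
}

# Human-readable report: mode, owner, group and path for each hit, so an
# auditor can distinguish "set-uid to the oracle account" from "set-uid to root".
report_setuid() {
    find_setuid "$1" | while IFS= read -r f; do
        ls -ld "$f" | awk -v p="$f" '{ printf "%s %s %s %s\n", $1, $3, $4, p }'
    done
}

# Clear set-uid and set-gid on every hit under $1 (the Project Lockdown step
# the thread argues about). Execute permission bits are left untouched.
strip_setuid() {
    find_setuid "$1" | while IFS= read -r f; do
        chmod u-s,g-s "$f"
    done
}

# Build a constructed sample tree and print its path:
#   bin/oracle   mode 6751  (set-uid and set-gid, as a database binary might be)
#   bin/extproc  mode 4750  (set-uid only)
#   bin/oracleO  mode 0751  (no special bits, a control case)
# These modes are assumptions for the example, not Oracle's shipped permissions.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/bin"
    : > "$d/bin/oracle";  chmod 6751 "$d/bin/oracle"
    : > "$d/bin/extproc"; chmod 4750 "$d/bin/extproc"
    : > "$d/bin/oracleO"; chmod 0751 "$d/bin/oracleO"
    printf '%s\n' "$d"
}

# Stand-alone demonstration: audit, strip, audit again.
if [ "${1:-}" = "--demo" ]; then
    home=$(make_sample_tree)
    echo "Before:"; report_setuid "$home"
    strip_setuid "$home"
    echo "After:";  report_setuid "$home"
    rm -rf "$home"
fi
```

Run it as `sh script.sh --demo` to see the constructed tree before and after, or call `report_setuid "$ORACLE_HOME"` against a real installation to get the list the thread is arguing over. The report prints the owner column deliberately: the distinction HansF draws between set-uid to root and set-uid to the oracle account is exactly what that column shows.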

