Bugtraq mailing list archives
Oracle 8i questions
From: btellier () USA NET (Brock Tellier)
Date: Tue, 23 Nov 1999 15:37:43 MST
After talking to the people in Oracle's security group, I've realized that it is impossible to get an answer regarding what programs in particular are still setuid-anything/setgid-anything in the latest versions of Oracle with all the supported patches installed.

When I take a look at the Oracle-provided remove-suid-bits-script, I notice:

EXECS_NOT_TO_UNSET="oracle dbsnmp"

Which makes it so that my exploit (for dbsnmp) and all others involving dbsnmp will still work. What do the newer patches do to prevent the problems of old? From what I've read on the Oracle support page, the "oracle" program MUST be setuid-oracle if it is in a multi-user environment, and doesn't that have just as many file-access problems as dbsnmp?

Brock Tellier
UNIX Systems Administrator
Organic Inc.
www.organic.com
USA, IL, Chicago
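Added example, not part of the original post and not Oracle's script: a POSIX shell audit that lists the files under a directory that still carry setuid or setgid bits and marks which of them an exclusion list like the quoted EXECS_NOT_TO_UNSET value would leave alone. The function names, the throwaway directory and the `helper` and `plain` file names are constructed for the demo.

```shell
#!/bin/sh
# Report setuid/setgid regular files under DIR. Each hit is marked
# KEPT (basename is on the keep list) or UNEXPECTED (it is not).
# Usage: audit_suid DIR "name1 name2 ..."
audit_suid() {
    dir=$1
    keep=$2
    # -perm -4000 matches the setuid bit, -perm -2000 the setgid bit.
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) -print |
    LC_ALL=C sort |
    while IFS= read -r path; do
        name=${path##*/}
        status=UNEXPECTED
        for k in $keep; do
            if [ "$name" = "$k" ]; then
                status=KEPT
            fi
        done
        printf '%s %s\n' "$status" "$path"
    done
}

# Constructed demo: a temporary tree standing in for a product bin directory.
# The keep list mirrors the EXECS_NOT_TO_UNSET value quoted in the post.
demo_audit() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/bin"
    for f in oracle dbsnmp helper plain; do
        : > "$tmp/bin/$f"
        chmod 755 "$tmp/bin/$f"
    done
    # Three files get the setuid bit; "plain" stays without it.
    chmod u+s "$tmp/bin/oracle" "$tmp/bin/dbsnmp" "$tmp/bin/helper"
    (cd "$tmp" && audit_suid bin "oracle dbsnmp")
    rm -rf "$tmp"
}

demo_audit
```

Run against a real installation directory after the vendor script, the KEPT lines are the binaries the exclusion list preserved and the UNEXPECTED lines are setuid/setgid files the script did not account for.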