![[LWN Logo]](/images/lwn.banner.gif)
Date: Sun, 5 Mar 2000 18:32:06 -0800 From: Keyser Soze <ksoze@OBSCURITY.ORG> Subject: Oracle installer problem To: BUGTRAQ@SECURITYFOCUS.COM -----BEGIN PGP SIGNED MESSAGE----- greetings, During the installation of Oracle 8.1.5.0.1 for Linux the installer creates the directory /tmp/orainstall (owned by oracle:dba, mode 711). Inside that directory it creates a shell script called orainstRoot.sh (mode 777). After that, the installer stops and asks you to run this script as root. There are two big problems here: 1. The installer blindly writes to orainstRoot.sh without checking if it exists, is a regular file or if it is even owned by oracle. An attacker may be able to use this to gain access to the oracle account by creating a .rhosts or .ssh/authorized_keys in oracle's home directory. After that they could connect to your database as INTERNAL... 2. Any user can run shell commands as root by editing orainstRoot.sh before root executes it. I don't recommend installing Oracle on machines with user accounts, but if you must you can eliminate this problem by creating /tmp/orainstall/ with proper permissions before you run the installer. So, for a typical installation: mkdir /tmp/orainstall chmod 700 /tmp/orainstall chown oracle:dba /tmp/orainstall (note: I found this using an 8.1.5i for Linux/Intel CD that Oracle shipped me last week. The part number is F54997-01.) ksoze -----BEGIN PGP SIGNATURE----- Version: 2.6.3a Charset: noconv iQCVAwUBOMMYrHEQwXQ+axAxAQHBEgQAgXsynBhLUcQivZSIuel2ykzMyW7m8a0o RFi6xHDqJoK4s6Fedtx732QY780wh1UhIHsW45UP+MQKr7Q56BTGNfSmp+AXm2Mj bMkyya0Cf/MkQa57HXLsKBLxQhJPCsXoM7adUd2fHC6W4pcT4sUrvB6g8axXXJqd iQsG1Tku9f0= =mvvI -----END PGP SIGNATURE-----