Interesting practices of Oracle [Oracle Webserver]

hurtta+zz@OZONE.FMI.FI
Fri, 19 Sep 1997 09:48:59 +0300

Hello,

Perhaps the following is interesting.

Software: Oracle Webserver 2.1
Oracle Webserver 1.0 (included with Oracle7 Server and Oracle7 Workgroup Server)

Conclusion: You should use the same criteria to decide who gets the password for the oracle account
as you use to decide who gets the password for the root account.

Background: 1) Oracle Webserver comes as setuid root.
2) The configuration files and software tree are owned by the
oracle account.

Effects: That allows the oracle account to control
what is normally left to the root account:

1) The oracle account can select under what account
Oracle Webserver operates (by editing the configuration
file).

2) Oracle Webserver 2.1 opens the log file as root,
so the oracle account can append to any file
(by editing the configuration file).

Notice that even if 2) is a bug, that is irrelevant
because 1) supersedes it (and that looks like a planned
feature).

/ Kari Hurtta
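The pattern in this post (a setuid-root program whose configuration is owned by a less privileged account) is easy to audit for. The following is an added example, not code from the post or from Oracle; the paths are placeholders and `fake_stat` constructs stat records so the check can be demonstrated without root.

```python
import os
import stat
from dataclasses import dataclass


@dataclass
class Finding:
    binary: str
    config: str
    runs_as_uid: int      # owner of the setuid binary (0 == root)
    config_owner: int     # account that controls the config contents
    group_writable: bool
    world_writable: bool

    @property
    def risky(self) -> bool:
        # Anyone other than the uid the binary runs as who can edit the
        # config effectively controls a process running at that uid.
        return (self.config_owner != self.runs_as_uid
                or self.group_writable or self.world_writable)

    def describe(self) -> str:
        if not self.risky:
            return f"{self.binary}: config controlled by uid {self.runs_as_uid} (ok)"
        who = f"uid {self.config_owner}"
        if self.world_writable:
            who = "any local user"
        elif self.group_writable:
            who += " and its group"
        return (f"{self.binary}: setuid uid {self.runs_as_uid} but config "
                f"{self.config} is writable by {who}")


def audit_pair(bin_st, conf_st, binary="<binary>", config="<config>"):
    """Return a Finding, or None when the binary is not setuid at all."""
    if not bin_st.st_mode & stat.S_ISUID:
        return None
    return Finding(binary, config, bin_st.st_uid, conf_st.st_uid,
                   bool(conf_st.st_mode & stat.S_IWGRP),
                   bool(conf_st.st_mode & stat.S_IWOTH))


def audit_paths(binary, config):
    """Filesystem wrapper: stat both files and run the check."""
    return audit_pair(os.stat(binary), os.stat(config), binary, config)


def fake_stat(mode, uid):
    """Constructed stat_result (hypothetical file) for offline demonstration."""
    return os.stat_result((mode, 0, 0, 1, uid, 0, 0, 0, 0, 0))


if __name__ == "__main__":
    # Constructed sample: setuid-root binary, config file owned by uid 1001
    # ("oracle"), mode 0644 -- the situation the post describes.
    print(audit_pair(fake_stat(0o104755, 0), fake_stat(0o100644, 1001),
                     "/path/to/setuid-root-binary", "/path/to/config").describe())
```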