SUID Tips

Another important fact must be taken into account while examining these files. Most of the above files may have a file named after them, but with the numeral zero. For example, there could be a file called dbsnmp0, in addition to dbsnmp. When a new version is built, Oracle copies the old file dbsnmp to dbsnmp0, and recreates the dbsnmp file.

This is done to ensure that in case the new file building fails, the old file dbsnmp0 can be renamed to dbsnmp and still be used. The old file dbsnmp0 still exists with the suid bit on. This could be an important security hole exploited by a potential hacker. Therefore, the suid bit for the 0-suffixed files should be turned off.

The suid is turned off by the following command

chmod –s dbsnmp0

Tip: Turn off the SUID bit on all files except the most needed. The SUID bit should be tuned on for the file oracle in $ORACLE_HOME/bin. If Intelligent Agent is used, then the SUID should be on for the file dbsnmp; if Name Server is used then it should be on for onrsd; and if Oracle Internet Directory is used, then it should be turned on for the file oidldapd. All other files should have their SUID bits turned off.

Enter user-name: scott/tiger|
ERROR:
ORA-12546: TNS:permission denied

Note the error: “ORA-12546 : TNS:permission denied,” meaning the execute on the Oracle executable failed. However, the connection is attempted now using a connect string, i.e. forcing it to go through the regular IPC or TCP/IP process.

Enter user-name: scott/tiger@claimdb

Connected to:
Oracle8i Enterprise Edition Release 8.1.7.4.0 - Production
With the Partitioning option
JServer Release 8.1.7.4.0 - Production
SQL>
The connection was successful.

Remove the execute permissions on Oracle executables from others as a precaution to prevent malicious use.

Download your Oracle scripts now:

www.oracle-script.com

The definitive Oracle Script collection for every Oracle professional DBA