Using sticky bit on Oracle directory & umask [message #165161] Tue, 28 March 2006 10:55
sikyala
Messages: 33
Registered: May 2005
Member
I am in the process of applying STIG recommendations for Solaris to a database server. One of the recommendations is to apply a "sticky bit". From what I understand, when the so-called "sticky bit" is set on a directory, only the owner of a file may remove that file from the directory (as opposed to the usual behavior, where anybody with write access to that directory may remove the file). Setting the sticky bit prevents users from overwriting each other's files, whether accidentally or maliciously, and is generally appropriate for most world-writable directories.

I would prefer not to use the "sticky bit" to avoid possibly breaking any application dependencies on a given directory. I also must consider how effective this would be because umask is being used.

I think the real problem is that the "/var/tmp/.oracle" directory on the server has the wrong permissions. What can be done to prevent this temporary file from being created with the wrong permissions every time the database is restarted?

Re: Using sticky bit on Oracle directory & umask [message #165670 is a reply to message #165161] Fri, 31 March 2006 06:17
Frank Naude
Messages: 4579
Registered: April 1998
Senior Member
The /tmp and /var/tmp directories should have the sticky bit set. If not, ask your system administrator to set them. Setting the sticky bit will not break anything. It will just prevent people from deleting stuff that they don't own.

$ ls -ld /tmp /var/tmp
drwxrwxrwt  17 bin      bin           16384 Mar 31 14:00 /tmp
drwxrwxrwt   2 bin      bin            4096 Mar 31 14:00 /var/tmp


For example, Oracle creates sockets in /var/tmp/ (or /tmp) that are world readable and writable. This is not controlled by oracle's UMASK. You definitely don't want to allow any user to delete them!

$ ls -ltr /tmp/.oracle
total 0
srwxrwxrwx   1 oracle   dba               0 Nov 06 21:45 s#1663178.1
srwxrwxrwx   1 oracle   dba               0 Nov 20 10:54 sOracle_CSS_LclLstnr_localhost_0
srwxrwxrwx   1 oracle   dba               0 Nov 20 14:37 s#1437882.1
srwxrwxrwx   1 oracle   dba               0 Nov 20 14:43 s#954602.1
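
The check Frank describes, as an added example that is not part of the original thread: a POSIX sh audit that reports directories which are world-writable but lack the sticky bit, reading only the `ls -ld` mode string so it runs unchanged on Solaris and Linux. The function names and the sample paths are my own; the thread's /tmp, /var/tmp and /var/tmp/.oracle are the intended inputs.

```shell
#!/bin/sh
# Added example (not from the thread): flag directories that are world-writable
# without the sticky bit, the condition under which any local user could delete
# Oracle's sockets. Only the ls -ld mode string is used, because stat(1) flags
# differ between Solaris and Linux.

# Symbolic mode string of a path, e.g. "drwxrwxrwt".
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# 0 if the directory has the sticky bit (10th mode char is t or T), else 1.
has_sticky_bit() {
    case "$(mode_of "$1")" in
        d????????[tT]) return 0 ;;
        *)             return 1 ;;
    esac
}

# 0 if "other" has write permission (9th mode char is w), else 1.
is_world_writable() {
    case "$(mode_of "$1")" in
        d???????w?) return 0 ;;
        *)          return 1 ;;
    esac
}

# Print one line per directory; the exit status is the number of directories
# that are world-writable but lack the sticky bit (0 means all are fine).
audit_dirs() {
    bad=0
    for d in "$@"; do
        if [ ! -d "$d" ]; then
            echo "missing: $d"
        elif is_world_writable "$d" && ! has_sticky_bit "$d"; then
            echo "RISK: $d is world-writable without the sticky bit (fix: chmod +t '$d')"
            bad=$((bad + 1))
        else
            echo "ok:   $d ($(mode_of "$d"))"
        fi
    done
    return "$bad"
}

# Run as: sh audit_sticky.sh /tmp /var/tmp /var/tmp/.oracle
if [ $# -gt 0 ]; then
    audit_dirs "$@"
fi
```

A nonzero exit status from the script is the number of unprotected directories, so it can sit in a cron job or a hardening checklist and fail loudly.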

Re: Using sticky bit on Oracle directory & umask [message #165696 is a reply to message #165670] Fri, 31 March 2006 10:54
sikyala
Messages: 33
Registered: May 2005
Member
Thanks!