topic Re: root access by oracle - how? in Operating System - HP-UX

root access by oracle - how?

Rick Garland — Mon, 03 Jan 2005 12:46:02 GMT

Hi all:

HPUX 11.11 on rp7410 systems.

I have the /etc/default/security file setup so that only the members of the group 'wheel' have access to the root account. Have tested numerous times and the respponse is "not a member of the group wheel ..." The date stamp on this file is Aug 30.

The /etc/group file has a date stamp of Dec 6.

Looking in the /var/adm/sulog file shows that oracle has become root on several occasions, most recently on Dec 27.

When I login as oracle as su - I get the "not in wheel group" message. So how is oracle becoming root?

Re: root access by oracle - how?

RAC_1 — Mon, 03 Jan 2005 12:48:40 GMT

How many groups are associated with user oracle?? Also pwck, grpck OK??

Anil

Re: root access by oracle - how?

Rick Garland — Mon, 03 Jan 2005 12:49:31 GMT

Oracle version 8.1.7.4

Re: root access by oracle - how?

KapilRaj — Mon, 03 Jan 2005 12:55:33 GMT

I don't know if this will happen if u have $ROOT_HOME/.rhosts with a line

+ oracle

Kaps

Re: root access by oracle - how?

RAC_1 — Mon, 03 Jan 2005 12:57:05 GMT

Also when you do su - (from oracle user), oracle's primary group should be wheel and not secondary.

/usr/sbin/logins -d

Anil

Re: root access by oracle - how?

Sanjay_6 — Mon, 03 Jan 2005 12:57:39 GMT

Hi Rick,

can you post an example of what you see in /var/adm/sulog

grep oracle /var/adm/sulog

Thanks

Re: root access by oracle - how?

KapilRaj — Mon, 03 Jan 2005 12:59:30 GMT

Re: root access by oracle - how?

Rick Garland — Mon, 03 Jan 2005 13:02:05 GMT

Example of the sulog as requested.

grep 'oracle-root' /var/adm/sulog

SU 12/06 09:45 - 2 oracle-root
SU 12/06 09:45 - 2 oracle-root
SU 12/06 09:45 - 2 oracle-root
SU 12/06 09:45 - 2 oracle-root
SU 12/06 09:45 - 2 oracle-root
SU 12/06 09:46 + 2 oracle-root
SU 12/06 11:39 - 1 oracle-root
SU 12/06 11:39 - 1 oracle-root
SU 12/06 11:39 - 1 oracle-root
SU 12/06 11:39 + 1 oracle-root
SU 12/07 09:37 - 2 oracle-root
SU 12/07 09:38 + 2 oracle-root
SU 12/07 09:38 - 2 oracle-root
SU 12/07 09:39 + 2 oracle-root
SU 12/13 00:55 - tb oracle-root
SU 12/13 00:56 - tb oracle-root
SU 12/13 00:56 - tb oracle-root
SU 12/13 00:56 + tb oracle-root
SU 12/14 08:57 - 6 oracle-root
SU 12/14 08:57 - 6 oracle-root
SU 12/14 08:57 + 6 oracle-root
SU 12/14 09:16 - 6 oracle-root
SU 12/14 09:17 + 6 oracle-root

Oracle has no need to be in the wheel group and has never been. Also looked in the .rhost for root and oracle is not in there.

Re: root access by oracle - how?

Sanjay_6 — Mon, 03 Jan 2005 13:15:11 GMT

Hi,

Is it possible that they have sudo access to become root. You can check that.

You can run the last command to find out who was logged into the terminal from which the oracle became root.

last -R -number oracle

It may list the ip address / name of the pc/laptop from where this login session was initiated as oracle and then su'ed to root.

on one of the system, last -R -200 oracle gave me the last 200 sessions initiated as oracle and it tells me the hostname from where the session started. Find one on the port mentioned in sulog at the time mentioned over there.

Hope this helps.

Regds

Re: root access by oracle - how?

Volker Borowski — Mon, 03 Jan 2005 13:46:24 GMT

Hi Rick,

did you check for scripts which are executable for "oracle" and have s-bit set for group wheel ?

Volker

Re: root access by oracle - how?

KapilRaj — Mon, 03 Jan 2005 14:30:13 GMT

did u try newgrp wheel as oracle user ?

Kaps

Re: root access by oracle - how?

john korterman — Mon, 03 Jan 2005 15:00:21 GMT

Hi,
it might be possible for a user sharing the same uid as oracle, being a member of the wheel group.
Just a thought..

regards,
John K.

Re: root access by oracle - how?

Rick Garland — Mon, 03 Jan 2005 15:34:25 GMT

Issue solved.

The PC is connecting to CDE via Reflections. Direct login via oracle. Do an su - $USER where $USER is a user that is allowed root access via the wheel group. Once this su is complete can then become root.

Look into the sulog and it shows oracle-root. This is a logging bug.

The oracle was not in the wheel group, could not newgrp to wheel, no rhosts entry, etc.
Everything is setup as it should be. It is a logging issue with the sulog.

Many thanks to all for the ideas!