Operating System - HP-UX

Re: root access by oracle - how?

 
Rick Garland
Honored Contributor

root access by oracle - how?

Hi all:

HPUX 11.11 on rp7410 systems.

I have the /etc/default/security file set up so that only the members of the group 'wheel' have access to the root account. Have tested numerous times and the response is "not a member of the group wheel ..." The date stamp on this file is Aug 30.

The /etc/group file has a date stamp of Dec 6.

Looking in the /var/adm/sulog file shows that oracle has become root on several occasions, most recently on Dec 27.

When I log in as oracle and su - I get the "not in wheel group" message. So how is oracle becoming root?





RAC_1
Honored Contributor

Re: root access by oracle - how?

How many groups are associated with user oracle?? Also pwck, grpck OK??

Anil
There is no substitute to HARDWORK
Rick Garland
Honored Contributor

Re: root access by oracle - how?

Oracle version 8.1.7.4
KapilRaj
Honored Contributor

Re: root access by oracle - how?

I don't know if this will happen if you have $ROOT_HOME/.rhosts with a line

+ oracle

Kaps
Nothing is impossible
RAC_1
Honored Contributor

Re: root access by oracle - how?

Also when you do su - (from oracle user), oracle's primary group should be wheel and not secondary.

/usr/sbin/logins -d

Anil
There is no substitute to HARDWORK
Sanjay_6
Honored Contributor

Re: root access by oracle - how?

Hi Rick,

can you post an example of what you see in /var/adm/sulog

grep oracle /var/adm/sulog

Thanks
KapilRaj
Honored Contributor

Re: root access by oracle - how?

Log in as oracle and try "newgrp wheel". If this works fine, you need to remove the group from oracle's account.

Kaps
Nothing is impossible
Rick Garland
Honored Contributor

Re: root access by oracle - how?

Example of the sulog as requested.

grep 'oracle-root' /var/adm/sulog

SU 12/06 09:45 - 2 oracle-root
SU 12/06 09:45 - 2 oracle-root
SU 12/06 09:45 - 2 oracle-root
SU 12/06 09:45 - 2 oracle-root
SU 12/06 09:45 - 2 oracle-root
SU 12/06 09:46 + 2 oracle-root
SU 12/06 11:39 - 1 oracle-root
SU 12/06 11:39 - 1 oracle-root
SU 12/06 11:39 - 1 oracle-root
SU 12/06 11:39 + 1 oracle-root
SU 12/07 09:37 - 2 oracle-root
SU 12/07 09:38 + 2 oracle-root
SU 12/07 09:38 - 2 oracle-root
SU 12/07 09:39 + 2 oracle-root
SU 12/13 00:55 - tb oracle-root
SU 12/13 00:56 - tb oracle-root
SU 12/13 00:56 - tb oracle-root
SU 12/13 00:56 + tb oracle-root
SU 12/14 08:57 - 6 oracle-root
SU 12/14 08:57 - 6 oracle-root
SU 12/14 08:57 + 6 oracle-root
SU 12/14 09:16 - 6 oracle-root
SU 12/14 09:17 + 6 oracle-root


Oracle has no need to be in the wheel group and has never been. Also looked in the .rhosts for root and oracle is not in there.
Sanjay_6
Honored Contributor

Re: root access by oracle - how?

Hi,

Is it possible that they have sudo access to become root? You can check that.

You can run the last command to find out who was logged into the terminal from which oracle became root.

last -R -number oracle

It may list the IP address / name of the PC/laptop from where this login session was initiated as oracle and then su'ed to root.

On one of the systems, last -R -200 oracle gave me the last 200 sessions initiated as oracle and it tells me the hostname from where the session started. Find one on the port mentioned in sulog at the time mentioned over there.

Hope this helps.

Regds
Volker Borowski
Honored Contributor

Re: root access by oracle - how?

Hi Rick,

Did you check for scripts which are executable for "oracle" and have the s-bit set for group wheel?

Volker

KapilRaj
Honored Contributor

Re: root access by oracle - how?

Did you try newgrp wheel as oracle user?

Kaps
Nothing is impossible
john korterman
Honored Contributor

Re: root access by oracle - how?

Hi,
It might be possible for a user sharing the same uid as oracle, being a member of the wheel group.
Just a thought..

regards,
John K.
it would be nice if you always got a second chance
Rick Garland
Honored Contributor

Re: root access by oracle - how?

Issue solved.

The PC is connecting to CDE via Reflections. Direct login via oracle. Do an su - $USER where $USER is a user that is allowed root access via the wheel group. Once this su is complete can then become root.

Look into the sulog and it shows oracle-root. This is a logging bug.

The oracle user was not in the wheel group, could not newgrp to wheel, no rhosts entry, etc.
Everything is set up as it should be. It is a logging issue with the sulog.

Many thanks to all for the ideas!
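
Added example, not part of the original thread: a way to separate the chained su described in the resolution from a root su that has no such explanation, by looking for an earlier successful su by the same login name to a wheel member on the same tty and date. It assumes the sulog field layout shown in the thread and that the first hop is logged as oracle-<user>; the function names, the wheel member jsmith and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify successful "<login>-root" sulog entries.
# Assumed field layout (as in the thread): SU MM/DD HH:MM +|- tty from-to
# Heuristic: a root su is CHAINED if the same login made a successful su to
# a wheel member on the same tty and date earlier in the log.

explain_su_root() {
    # $1 = login name recorded in sulog, $2 = space-separated wheel members
    # Reads sulog lines on stdin.
    awk -v who="$1" -v wheel="$2" '
    BEGIN { n = split(wheel, w, " "); for (i = 1; i <= n; i++) iswheel[w[i]] = 1 }
    NF < 6 || $1 != "SU" || $4 != "+" { next }   # keep successful attempts only
    {
        tty = $5
        split($6, ft, "-")                       # assumes no "-" in user names
        if (ft[1] != who) next
        if (ft[2] == "root") {
            if ((tty, $2) in hop)
                print $2, $3, "tty=" tty, "CHAINED via " hop[tty, $2]
            else
                print $2, $3, "tty=" tty, "UNEXPLAINED"
        } else if (ft[2] in iswheel) {
            hop[tty, $2] = ft[2] " at " $3       # remember the intermediate hop
        }
    }'
}

# Constructed sample lines; jsmith is a hypothetical wheel member.
sample_sulog() {
    cat <<'EOF'
SU 12/06 09:44 + 2 oracle-jsmith
SU 12/06 09:45 - 2 oracle-root
SU 12/06 09:46 + 2 oracle-root
SU 12/13 00:56 + tb oracle-root
SU 12/14 08:57 + 6 jsmith-root
EOF
}

sample_sulog | explain_su_root oracle "jsmith"
```

On a real system, pass /var/adm/sulog on stdin and the actual wheel members from /etc/group; entries reported as UNEXPLAINED are the ones to follow up with last -R for the tty and time.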