In 2.2.0p24, the agent plugins mk_oracle, mk_oracle.ps1 and mk_oracle_crs are vulnerable to privilege escalation to root by the oracle user. With Werk 16232 we introduced a change that prevents privilege escalation to root. Affected binaries are: sqlplus, tnsping and crsctl. As a result:
...
Problem
All binaries called by the plugins are now checked to determine whether they need to be executed as a non-root (non-administrator on Windows) user, which prevents the privilege escalation.
Affected binaries are:
- sqlplus
- tnsping
- crsctl
On Linux, this causes issues when using an Oracle wallet, as the unprivileged user might not be able to access the files defining the connection details and credentials which are primarily
...
If non-admin users have Write, Modify or Full Control permissions on the sqlplus binary, then executing the agent plugin will return an error with a detailed description.
This is what the message may look like, depending on which binaries the non-admin user has 'Write', 'Modify' and 'Full control' access to:
Service check
Agent output
```
<<<>>>
<<<oracle_instance>>>
<<<oracle_performance>>>
<<<oracle_processes>>>
<<<oracle_sessions>>>
<<<oracle_longactivesessions>>>
<<<oracle_logswitches>>>
<<<oracle_undostat>>>
<<<oracle_recovery_area>>>
<<<oracle_recovery_status>>>
<<<oracle_dataguard_stats>>>
<<<oracle_locks>>>
<<<oracle_tablespaces>>>
<<<oracle_rman>>>
<<<oracle_jobs>>>
<<<oracle_resumable>>>
<<<oracle_instance>>>
<<<oracle_processes>>>
<<<oracle_asm_diskgroup>>>
<<<oracle_instance:sep(124)>>>
ORA19|FAILURE|{Domain}\{User} has 'FullControl' access permissions 'd:\oracle\bin\tnsping.exe' - Execution is blocked because you try to run unsafe binary as an administrator. Please, disable 'Write', 'Modify' and 'Full control' access to the the file by non-admin users. Alternatively, you can try to adjust settings in 'ORACLE databases (Linux, Solaris, AIX, Windows)'.
<<<>>>
```
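To triage which hosts are affected, the blocked-binary message can be pulled out of the `oracle_instance` section of collected agent output. The following is an added example, not code from Checkmk or from this page; the function name `blocked_binaries`, the account `EXAMPLE\svc_ora` and the second FAILURE line are constructed, and the line layout is assumed from the output shown above.

```python
import re

# Constructed sample modelled on the agent output above (account and 2nd line are made up).
SAMPLE = """<<<oracle_instance>>>
<<<oracle_processes>>>
<<<oracle_instance:sep(124)>>>
ORA19|FAILURE|EXAMPLE\\svc_ora has 'FullControl' access permissions 'd:\\oracle\\bin\\tnsping.exe' - Execution is blocked because you try to run unsafe binary as an administrator.
ORA19|FAILURE|constructed unrelated error text
<<<>>>
"""

HEADER = re.compile(r"^<<<([^:>]*)(?::([^>]*))?>>>$")   # <<<name>>> or <<<name:options>>>
SEP = re.compile(r"sep\((\d+)\)")                        # sep(124) means '|' as separator
BLOCKED = re.compile(
    r"^(?P<account>.+?) has '(?P<right>[^']+)' access permissions '(?P<path>[^']+)'"
)

def blocked_binaries(agent_output):
    """Return one dict per FAILURE line that reports a blocked, unsafe binary."""
    findings = []
    section, sep = None, None
    for raw in agent_output.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER.match(line)
        if header:
            # An empty header (<<<>>>) closes the current section.
            section = header.group(1) or None
            found = SEP.search(header.group(2) or "")
            sep = chr(int(found.group(1))) if found else None
            continue
        if section != "oracle_instance" or sep is None:
            continue
        fields = line.split(sep, 2)  # SID, state, message
        if len(fields) < 3 or fields[1] != "FAILURE":
            continue
        hit = BLOCKED.match(fields[2])
        if hit and "Execution is blocked" in fields[2]:
            findings.append({"sid": fields[0], **hit.groupdict()})
    return findings

if __name__ == "__main__":
    for f in blocked_binaries(SAMPLE):
        print("{sid}: {account} has {right} on {path}".format(**f))
```

Each finding names the account and the file whose 'Write', 'Modify' or 'Full control' permission has to be removed before the plugin will run the binary again.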
...