In 2.2.0p24, the agent plugins mk_oracle, mk_oracle.ps1 and mk_oracle_crs are vulnerable to privilege escalation to root by the oracle user. With Werk 16232 we introduced a change that prevents privilege escalation to root.

Affected binaries are: sqlplus, tnsping and crsctl.

As a result:

  • Windows
    mk_oracle.ps1 -
      We now check whether any non-admin users have Write, Modify or Full Control permissions on the affected binaries. If such a user is found, the execution of the agent plugin is blocked and you will be notified about the non-admin user who owns the binary.
  • Linux
    mk_oracle - If you use Oracle Wallet to connect to your database and followed the instructions in our official documentation to set up your configuration, then you are also affected by this change. We have added new functionality to mk_oracle's “Just check the connection” mode ( -t ) so that it now also checks the permissions of the files. It will suggest the permissions required on the ora files and the Oracle Wallet files.

...

Problem

All binaries called by the plugins are now checked to determine whether they need to be executed as a non-root (non-administrator under Windows) user, which prevents the privilege escalation.


Affected binaries are: 

  • sqlplus
  • tnsping
  • crsctl


On Linux, this causes issues when using an oracle wallet as the unprivileged user might not be able to access the files defining the connection details and credentials which are primarily

...

If non-admin users have Write, Modify or Full Control permissions on the sqlplus binary, then executing the agent plugin will return an error with a detailed description.

This is what the message may look like, depending on the binaries to which the non-admin user has 'Write', 'Modify' and 'Full control' access:


Service check



Agent output

<<<>>>
<<<oracle_instance>>>
<<<oracle_performance>>>
<<<oracle_processes>>>
<<<oracle_sessions>>>
<<<oracle_longactivesessions>>>
<<<oracle_logswitches>>>
<<<oracle_undostat>>>
<<<oracle_recovery_area>>>
<<<oracle_recovery_status>>>
<<<oracle_dataguard_stats>>>
<<<oracle_locks>>>
<<<oracle_tablespaces>>>
<<<oracle_rman>>>
<<<oracle_jobs>>>
<<<oracle_resumable>>>
<<<oracle_instance>>>
<<<oracle_processes>>>
<<<oracle_asm_diskgroup>>>
<<<oracle_instance:sep(124)>>>
ORA19|FAILURE|{Domain}\{User} has 'FullControl' access permissions 'd:\oracle\bin\tnsping.exe' - Execution is blocked because you try to run unsafe binary as an administrator. 
Please, disable 'Write', 'Modify' and 'Full control' access to the the file by non-admin users. Alternatively, you can try to adjust settings in 'ORACLE databases (Linux, Solaris, AIX, Windows)'.

<<<>>>
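
To find out in advance which binaries would trigger this block, the ACL condition described above can be approximated with the following script. It is an added example, not the code of mk_oracle.ps1; the trusted SID list, the file names sqlplus.exe and crsctl.exe, and the helper name Get-UnsafeWriteAce are assumptions, and the default path is taken from the sample output above.

```powershell
# Added example (not from mk_oracle.ps1): list ACL entries that let a non-admin principal modify a binary.
param(
    # Default taken from the sample agent output; use your own Oracle bin path.
    [string]$OracleBin = 'D:\oracle\bin'
)

# Assumption: only these well-known SIDs count as administrative.
$TrustedSids = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544'   # BUILTIN\Administrators
)

# Write, Modify and FullControl all contain WriteData/AppendData. Unmapped
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) grant them as well.
$Rights = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]($Rights::WriteData) -bor [int]($Rights::AppendData) -bor
             0x40000000 -bor 0x10000000

function Get-UnsafeWriteAce {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Explicit and inherited rules, with identities returned as SIDs.
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($TrustedSids -contains $rule.IdentityReference.Value) { continue }
        if (([int]$rule.FileSystemRights -band $WriteMask) -eq 0) { continue }

        # Resolve the SID to a name for the report; keep the SID if orphaned.
        try {
            $account = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = $rule.IdentityReference.Value
        }
        [pscustomobject]@{
            Path    = $Path
            Owner   = $acl.Owner
            Account = $account
            Rights  = $rule.FileSystemRights
        }
    }
}

$findings = foreach ($name in 'sqlplus.exe', 'tnsping.exe', 'crsctl.exe') {
    $file = Join-Path $OracleBin $name
    if (Test-Path -LiteralPath $file -PathType Leaf) { Get-UnsafeWriteAce -Path $file }
}
$findings | Format-Table -AutoSize
```

An empty result means that, under these assumptions, no non-admin principal has write access to the binaries found in that directory.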

...