SUMMARY: file permissions for AF_UNIX address family sockets

From: FNdS <fnantes_at_gmail.com>
Date: Fri Feb 11 2005 - 10:48:57 EST
Thanks Casper.

---------- Forwarded message ----------
From: Casper.Dik@sun.com <Casper.Dik@sun.com>
Date: Thu, 10 Feb 2005 00:20:56 +0100
Subject: Re: file permissions for AF_UNIX address family sockets
To: "Fernando N. de Souza" <fnantes@yahoo.com>



>/var/tmp/.oracle directory contains scores of files of type "AF_UNIX
>address family sockets", the permissions are srwxrwxrwx.
>
>From what I understand the files are created by the Oracle Listener
>process (tnslsnr) each time it starts and just sit there until they
>are deleted.
>
>At the bottom I list the output of lsof and ls -l.
>
>Questions:
>==========
>
>Are there any possible security issues related to the fact that the
>permission mask is srwxrwxrwx?

No; permissions on sockets are traditionally ignored.

>Is it possible to force the default permissions to something more
>restrictive?

No.

>Could we do 'chmod o-w <file>'? Would that break anything?

Yes, it doesn't fix anything either.

You can change the permissions on the directory.

Casper

--- ORIGINAL POST ---

Scenario:
==========

Sun E3500
Solaris 9 (Generic_112233-12)
Oracle 9i Server (9.2.0.4)

Problem:
========

/var/tmp/.oracle directory contains scores of files of type "AF_UNIX
address family sockets", the permissions are srwxrwxrwx.

From what I understand the files are created by the Oracle Listener
process (tnslsnr) each time it starts and just sit there until they
are deleted.

At the bottom I list the output of lsof and ls -l.

Questions:
==========

Are there any possible security issues related to the fact that the
permission mask is srwxrwxrwx?

Is it possible to force the default permissions to something more
restrictive? 

Could we do 'chmod o-w <file>'? Would that break anything? 

Thanks.

--
Fernando N. de Souza
SysAdmin/DBA
Fairfax, VA
--

Output of 'lsof | grep "/var/tmp/.oracle"'
==========================================

tnslsnr    8020   oracle   11u  unix        105,19        0t0    192488
/devices/pseudo/tl@0:ticots->/var/tmp/.oracle/s#8020.1 (0x38d01c8cae8)
(Vnode=0x30007117618)
tnslsnr    8020   oracle   12u  unix        105,20        0t0    192488
/devices/pseudo/tl@0:ticots->/var/tmp/.oracle/sEXTPROC (0x38feede5cc0)
(Vnode=0x3000e02bb68)

Output of 'ls -ltr /var/tmp/.oracle':
=====================================
...
srwxrwxrwx   1 oracle   dba            0 Jul 16  2003 s#27312.1
srwxrwxrwx   1 oracle   dba            0 Jul 16  2003 s#27358.1
srwxrwxrwx   1 oracle   dba            0 Jul 16  2003 s#28000.1
srwxrwxrwx   1 oracle   dba            0 Jul 16  2003 s#28046.1
srwxrwxrwx   1 oracle   dba            0 Jul 16  2003 s#29847.1
srwxrwxrwx   1 oracle   dba            0 Mar 12  2004 s#12095.1
srwxrwxrwx   1 oracle   dba            0 Mar 12  2004 s#12925.1
srwxrwxrwx   1 oracle   dba            0 Mar 18  2004 s#13715.1
srwxrwxrwx   1 oracle   dba            0 Nov 12 14:46 sEXTPROC
srwxrwxrwx   1 oracle   dba            0 Nov 12 14:46 s#8020.1
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
Received on Fri Feb 11 10:52:40 2005
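
Following the reply above (the mode bits on the socket files are not the control; the directory's permissions are), here is an added example that is not part of the original thread. It audits a socket directory and then removes "other" access from the directory itself. The function names and the temporary stand-in for /var/tmp/.oracle are assumptions constructed for the demonstration.

```python
import os
import socket
import stat
import tempfile


def audit_socket_dir(path):
    """Return (dir_mode, other_can_reach, sockets) for a directory of AF_UNIX sockets.

    other_can_reach is True when "other" has search (x) permission on the
    directory, i.e. users outside owner/group can reach names inside it.
    sockets is a sorted list of (name, mode_string) for socket entries only.
    """
    dir_mode = stat.S_IMODE(os.stat(path).st_mode)
    other_can_reach = bool(dir_mode & stat.S_IXOTH)
    sockets = []
    for name in sorted(os.listdir(path)):
        entry = os.lstat(os.path.join(path, name))
        if stat.S_ISSOCK(entry.st_mode):
            sockets.append((name, stat.filemode(entry.st_mode)))
    return dir_mode, other_can_reach, sockets


def restrict_dir(path):
    """Drop all "other" bits on the directory; owner and group bits are kept."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode & ~stat.S_IRWXO)


def demo():
    """Build a constructed socket directory, audit it, restrict it, audit again."""
    with tempfile.TemporaryDirectory() as base:
        sock_dir = os.path.join(base, ".oracle")  # constructed stand-in directory
        os.mkdir(sock_dir)
        os.chmod(sock_dir, 0o777)
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(os.path.join(sock_dir, "sEXTPROC"))  # creates the socket file
        before = audit_socket_dir(sock_dir)
        restrict_dir(sock_dir)
        after = audit_socket_dir(sock_dir)
        srv.close()
        return before, after


if __name__ == "__main__":
    for label, (mode, reachable, socks) in zip(("before", "after"), demo()):
        print(label, oct(mode), "other can reach:", reachable, socks)
```

Restricting the directory also shuts out any local client that runs outside the owning user and group, so check which accounts connect through these sockets before applying it.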
