Bug 707620 - Umask for user "oracle" on RHEL6 is changed to 0002
Summary: Umask for user "oracle" on RHEL6 is changed to 0002
Keywords:
Status: CLOSED DEFERRED
Alias: None
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Server
Version: 541
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: ---
Assignee: Jan Pazdziora
QA Contact: Red Hat Satellite QA List
URL:
Whiteboard:
Depends On:
Blocks: 462714
Reported: 2011-05-25 14:27 UTC by Dimitar Yordanov
Modified: 2013-04-22 15:06 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-04-22 15:06:01 UTC
Target Upstream Version:



Description Dimitar Yordanov 2011-05-25 14:27:28 UTC
Description of problem:
Umask for user "oracle" on RHEL6 is changed to 0002

Version-Release number of selected component (if applicable):
Satellite-5.4.1-RHEL6-re20110521.0-x86_64-embedded-oracle.iso
RHEL6 - x86_64 - Red Hat Enterprise Linux Server release 6.1

How reproducible:
Always

Steps to Reproduce:
1. On RHEL 6: su - oracle -c "umask"

  
Actual results:
0002
-rw-rw----. 1 oracle dba 104858112 May 24 08:47 /rhnsat/data/rhnsat/redo_1001.log

Expected results:
As on RHEL5 0022
-rw-r-----. 1 oracle dba 104858112 May 24 08:47 /rhnsat/data/rhnsat/redo_1001.log

Additional info:

Comment 1 Jan Pazdziora 2011-05-25 14:59:19 UTC
On RHEL 5, the umask does not get changed from root's umask at all:

# umask
0021
# su - oracle -c 'umask'
0021

On RHEL 6, it is set to 002 in /etc/profile.

Comment 2 Jan Pazdziora 2011-05-25 15:06:52 UTC
But the change is not really specific -- you will see the same behaviour for any other system account you create.

Does it cause any harm?

Comment 3 Dimitar Yordanov 2011-05-26 07:11:28 UTC
Hi Jan,
I think there is a potential security issue, especially in the case when RHN-Satellite shares the Oracle Database with other applications and more than one Oracle instance exists.
Let's have the case when every instance runs under its own ORA_USER* and all ORA_USER* are in the DBA group.
This means that if there is a security hole in some other application and a malicious user manages to execute some code as ORA_USER*, this code can modify RHN-Satellite files as well.

I could be wrong but this is the way I think.
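
Editor's added example, not part of the bug thread or of Satellite's own code: the two listings in the description differ only in the group write bit (0660 versus 0640), which is what a 0660 creation request yields under umask 0002 and 0022. The script below computes that, then audits a directory for group-writable files and strips the bit; the function names and the scratch file name are constructed for illustration.

```shell
#!/bin/sh
# Added example: file names and the scratch tree are constructed for illustration.

# effective_mode REQUESTED UMASK
# Permission bits a new file receives: REQUESTED & ~UMASK (both octal).
effective_mode() {
    printf '%04o\n' "$(( 0$1 & ~0$2 ))"
}

# group_writable DIR
# List regular files under DIR that any member of the owning group can modify.
group_writable() {
    find "$1" -type f -perm -020 -print | sort
}

# drop_group_write DIR
# Remove the group write bit from every regular file under DIR.
drop_group_write() {
    find "$1" -type f -perm -020 -exec chmod g-w {} +
}

# count_exposed UMASK
# Create a sample file under UMASK in a scratch directory (the shell requests
# 0666 for redirections) and print how many files group_writable reports.
count_exposed() (
    scratch=$(mktemp -d) || exit 1
    ( umask "$1" && : > "$scratch/redo_sample.log" )
    group_writable "$scratch" | wc -l | tr -d ' '
    rm -rf "$scratch"
)

# Stand-alone run: compare the two login umasks discussed in the report.
for mask in 0002 0022; do
    echo "umask $mask: 0660 request -> $(effective_mode 0660 "$mask")," \
         "group-writable sample files: $(count_exposed "$mask")"
done
```

Running `group_writable` against a real data directory needs read access to it; `drop_group_write` only changes files that already exist, so the login umask still decides the mode of files created afterwards.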

Comment 4 Jan Pazdziora 2013-04-15 11:25:40 UTC
But we don't support multiple embedded Oracle installations, nor any non-Satellite use of the machine on which the Satellite with embedded Oracle is installed, do we?

Comment 5 Dimitar Yordanov 2013-04-15 11:41:34 UTC
No, we do not support. I guess I had in mind external Oracle, but we have no control there.

Comment 6 Jan Pazdziora 2013-04-22 15:06:01 UTC
We don't have any immediate plans to change the behaviour that RHEL sets as default for one system account that we create and use in Satellite. Closing as such.

