
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


Installing Oracle Password Repository (OPR) - a walk through
I got an email from Mike Thomas over the weekend to let me know that he had installed OPR as he had seen it in my blog. He kept detailed installation notes and output from his installation and he has kindly offered to let me publish those here in the hope that they will be useful to others who might be interested in using OPR or are about to install it. Here is Mike's output in its entirety:-


----------
Example to create OPR Repository for 10g on RHEL3 LINUX.
----------
These are the notes we used to install OPR on multiple 10g hosts.
----------
Authors:
qnxodba@gmail.com
brian.a.smith@duke.edu
--
Brian analyzed and resolved the "error while loading shared libraries: libclntsh.so.10.1" error.
After testing and reviewing potential risks I chose the approach to
create a symbolic library link in /usr/lib rather than create a statically
compiled OPR. You must test for Oracle library version conflicts.
--

---
-- Setup OPR on host
---
login oracle @minke

---
-- Create opr LINUX account
---
su - root
groupadd oprinstall # group owner of OPR files
useradd -c "Oracle Password Recovery" -g oprinstall opr
passwd opr
--
Note:
useradd -m (create home directory) -g (initial group) -G (supplementary groups)
--

---
-- Test accounts
---
su - root
groups opr
id opr
id oracle
--
[root@minke root]# groups opr
opr : oprinstall
--
[root@minke opr]# id opr
uid=605(opr) gid=605(oprinstall) groups=605(oprinstall)
--
[root@minke opr]# id oracle
uid=600(oracle) gid=600(oinstall) groups=600(oinstall),601(dba)
--

-- shell
login opr @minke
vi .bash_profile
set | grep -i ora
--
Note: see below for example profile
--

---
-- Install OPR
---
login opr @minke

-- (1) directory
cd /home/opr
rm -rf /home/opr/data
rm -rf /home/opr/prog
mkdir /home/opr/data
mkdir /home/opr/prog
chmod 700 /home/opr/data
chmod 700 /home/opr/prog
ls -al
--

-- (2) program
cd /home/opr/prog
ftp opr-1.1.6beta.tar.gz to /home/opr/prog
tar zxvf opr-1.1.6beta.tar.gz
--
cd /home/opr/prog/opr
./configure
make
strip src/opr
cp /home/opr/prog/opr/src/opr /home/opr
--
cd /home/opr
opr -c
ls -l $OPRREPOS
chmod 755 /home/opr
chmod 511 /home/opr/opr
chmod u+s /home/opr/opr
ls -al /home/opr/opr
chmod 555 /home/opr/opr.sh
chmod u+s /home/opr/opr.sh
ls -al /home/opr/opr.sh
--
Note: In a RAC cluster put the repository on a drive shared by all nodes.
This supports the one-OPR-repository-per-database concept.
--


-- (3) script
login opr @minke

vi /home/opr/opr.sh
#!/bin/bash
OPRREPOS=/home/opr/data/repos.opr;export OPRREPOS
opr ${1} ${2} ${3} ${4}

--
[opr@minke opr]$ ls -l $OPRREPOS
-rw------- 1 opr oprinstall 352 Jun 24 16:08 /home/opr/data/repos.opr
[opr@minke opr]$ ls -al /home/opr/opr
-r-s--x--x 1 opr oprinstall 20240 Jun 24 16:07 /home/opr/opr
[opr@minke prog]$ ls -al /home/opr/opr.sh
-r-sr-xr-x 1 opr oprinstall 74 Jun 24 16:11 /home/opr/opr.sh
--


-- (4) library /u01/app/oracle/product/10.1.0/db_1/lib/libclntsh.so.10.1
su - root
ls -al /usr/lib/libclntsh.so*
ln -s /u01/app/oracle/product/10.1.0/db_1/lib/libclntsh.so.10.1 /usr/lib/libclntsh.so.10.1
chown oracle.oinstall /usr/lib/libclntsh.so.10.1
ls -al /usr/lib/libclntsh.so*
--
Note: This works for Oracle 10g only. Hosts with multiple Oracle versions
may require another strategy like a statically compiled opr because of the
risk of library version conflicts. Test thoroughly before implementing.
Some of the risks of adding a library to /usr/lib (libclntsh.so.10.1) are at:
http://www-106.ibm.com/developerworks/linux/library/l-sp3.html
E.g. The problem is that if an attacker can control the underlying libraries used by a program, the attacker can completely control the program. For example, imagine that the attacker could run /usr/bin/passwd (a privileged program that lets you change your password), but uses the environment variables to change the libraries used by the program. An attacker could write their own version of crypt(3), the password encryption function, and when the privileged program tries to call the library, the attacker can make the program do anything -- including allowing permanent, unlimited control over the system. Today's loaders counter this problem by detecting if the program is setuid/setgid, and if it is, they ignore environment variables such as LD_PRELOAD and LD_LIBRARY_PATH .
--

-- (5) oracle .bash_profile modification
ORACLE_BASE=/u01/app/oracle;export ORACLE_BASE
OPR_BASE=/home/opr;export OPR_BASE
ORACLE_HOME=$ORACLE_BASE/product/10.1.0/db_1;export ORACLE_HOME
PATH=/usr/sbin:/sbin:$ORACLE_HOME/bin:$ORACLE_HOME/OPatch:$OPR_BASE:$PATH

--
Notes: There are a couple of bugs in the source.
(1) Typo shows lack of Solaris testing -
[opr@minke src]$ grep unload *
opr.c: unloadOraLibs();
>> Fix should be:
opr.c: unLoadOraLibs();
--
(2) The libclntsh.so.10.1 error is caused by setuid limiting dynamically loaded
libraries to those under /usr/lib (et al.) and excluding LD_LIBRARY_PATH libs.
One solution to this problem is to copy and chmod to /usr/lib/libclntsh.so.10.1
--
E.g. Typical error from oracle unix account
[oracle@minke oracle]$ opr -r cald sys
opr: error while loading shared libraries: libclntsh.so.10.1: cannot open shared object file: No such file or directory
--
(3) In a RAC cluster put the repository on a drive shared by all nodes.
This supports the one-OPR-repository-per-database concept.
--

---
-- Configure commands OPR repository
---
Note: One OPR repository per database, which holds all/any accounts for one database
--
login opr @minke

--
-- minke
opr -a calprec calgb oracle
--
-- orca (cluster)
opr -a calp calgb oracle
--
-- narwhal (cluster)
opr -a calp calgb oracle {should fail as duplicate entry}
--
-- pilot
opr -a cald calgb oracle
--
Note: opr -a
--

---
-- Test OPR examples
---
login oracle @minke
sqlplus "calgb/`opr.sh -r CALPREC calgb`@cald"
--
login oracle @orca
sqlplus "calgb/`opr.sh -r CALP calgb`@calp"
--
login oracle @narwhal
sqlplus "calgb/`opr.sh -r CALP calgb`@calp"
--
login oracle @pilot
sqlplus "calgb/`opr.sh -r CALD calgb`@cald"
--
Note: All the databases are used in CAPS even though entered as lowercase.
--


----------
-- OPR UNIX ACCOUNT
----------
vi .bash_profile
--
# .bash_profile

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
. ~/.bashrc
fi

##########
# Login Sequence - Check if behaviour unclear
# /etc/passwd
# /etc/shadow
# /etc/group
# /etc/profile
# /etc/profile.d/*.sh
# ~/.bash_profile
# ~/.bashrc
# /etc/bashrc
##########
# User specific environment and startup programs
##########
ORACLE_BASE=/u01/app/oracle; export ORACLE_BASE
DB_HOME=$ORACLE_BASE/product/10.1.0/db_1; export DB_HOME
OPR_BASE=/home/opr;export OPR_BASE
OPRREPOS=/home/opr/data/repos.opr;export OPRREPOS
ORACLE_HOME=$ORACLE_BASE/product/10.1.0/db_1;export ORACLE_HOME
#
##########
#PATH=$PATH:$HOME/bin
#PATH=/usr/sbin:/sbin:$PATH
PATH=/usr/sbin:/sbin:$DB_HOME/bin:$ORACLE_HOME/OPatch:$OPR_BASE:$PATH
#
export PATH
##########
#LD_LIBRARY_PATH=$DB_HOME/lib:/lib:/usr/lib; export LD_LIBRARY_PATH
#LD_LIBRARY_PATH=$ORACLE_HOME/lib:/lib:/usr/lib; export LD_LIBRARY_PATH
LD_LIBRARY_PATH=$DB_HOME/lib:/lib:/usr/lib:/usr/local/lib; export LD_LIBRARY_PATH
#
##########

unset USERNAME
--


That is it, I hope that people find this useful, thanks again to Mike for sharing it.
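The following post-install check is an added example for this post; it is not part of Mike's notes or of the OPR project, and the function and parameter names are assumptions. It takes the OPR base directory, ORACLE_HOME and the system library directory as parameters and verifies the points that matter for a setuid password store built the way the notes describe: the repository file and its directory are owner-only, the compiled opr binary is setuid but not group- or world-writable, the wrapper script pins OPRREPOS to that repository, and the libclntsh.so.10.1 link in the library directory resolves into $ORACLE_HOME/lib rather than to a file elsewhere. Because the Linux kernel ignores the setuid bit on interpreted scripts, the check inspects the compiled binary rather than opr.sh.

```shell
#!/bin/bash
# Post-install sanity check for an OPR layout like the one in the notes above.
# Added example, not Mike's or the OPR project's code. All paths are parameters
# so the checks can run against any base directory (including a test tree).

# mode_of FILE -> the 10-character permission string, e.g. -rw-------
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# check_opr_install OPR_BASE ORACLE_HOME LIBDIR
# Returns 0 when every check passes, 1 otherwise; failures go to stderr.
check_opr_install() {
    local base="$1" ohome="$2" libdir="$3" rc=0 mode target

    # 1. repository file must be owner-only, as in the notes (-rw-------)
    mode=$(mode_of "$base/data/repos.opr" 2>/dev/null)
    if [ "$mode" != "-rw-------" ]; then
        echo "FAIL repos.opr mode is '${mode:-missing}', expected -rw-------" >&2
        rc=1
    fi

    # 2. data directory must be owner-only (drwx------)
    mode=$(mode_of "$base/data" 2>/dev/null)
    if [ "$mode" != "drwx------" ]; then
        echo "FAIL data dir mode is '${mode:-missing}', expected drwx------" >&2
        rc=1
    fi

    # 3. compiled opr binary: setuid (4th char 's') and writable by nobody else
    mode=$(mode_of "$base/opr" 2>/dev/null)
    case "$mode" in
        ???[sS]??????) ;;
        *) echo "FAIL opr binary is not setuid ('${mode:-missing}')" >&2; rc=1 ;;
    esac
    case "$mode" in
        ?????w????|????????w?)
            echo "FAIL opr binary is group- or world-writable ($mode)" >&2; rc=1 ;;
    esac

    # 4. wrapper script must pin OPRREPOS to the private repository file
    if ! grep -qF "OPRREPOS=$base/data/repos.opr" "$base/opr.sh" 2>/dev/null; then
        echo "FAIL opr.sh does not set OPRREPOS=$base/data/repos.opr" >&2
        rc=1
    fi

    # 5. the libclntsh link the loader will use must point into ORACLE_HOME/lib
    target=$(readlink "$libdir/libclntsh.so.10.1" 2>/dev/null)
    case "$target" in
        "$ohome"/lib/*) ;;
        *) echo "FAIL libclntsh.so.10.1 -> '${target:-missing}', not under $ohome/lib" >&2
           rc=1 ;;
    esac

    return $rc
}

# Stand-alone use: check_opr_install /home/opr /u01/app/oracle/product/10.1.0/db_1 /usr/lib
if [ "$#" -eq 3 ]; then
    check_opr_install "$@" && echo "OK: OPR layout checks passed"
fi
```

Run it after step (4) of the notes, with the same three paths used there; a non-zero exit with one or more FAIL lines tells you which permission or link still needs fixing before the wrapper is handed to the oracle account.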