Pete Finnigan's Oracle Security Weblog

Oracle has today issued an email to customers to inform them that the tool OPatch.pl has an issue with file system privileges on Linux and Unix platforms. This is causing non-dba's to be denied access to the database after application of an interim patch using OPatch. The Oracle email is included in full below:

"From: Oracle Global Product Support [mailto:st-gspuser_us@ORACLE.COM]
Sent: Wednesday, January 25, 2006 3:54 PM
To: Oracle Global Product Support
Subject: Critical Problem with OPatch 1.0.0.0.54 and 10.2.0.1.1



Dear Oracle Customer,

You are receiving this email because our records indicated you downloaded OPatch 1.0.0.0.54 and 10.2.0.1.1 before OPatch 1.0.0.0.55 and 10.2.0.1.2 were available.

A change of behavior in OPatch versions 1.0.0.0.54 and 10.2.0.1.1 was causing file permissions under Oracle_Home to be changed incorrectly when applying an interim patch. As a result, a non-DBA user would not be able to connect to any database from the patched server. This issue affected Unix and Linux platforms only. The behavior is corrected in OPatch versions 1.0.0.0.55 and 10.2.0.1.2 that are available on MetaLink via Patches 2617419 and 4898608 respectively.

If you have experienced this problem after applying an interim patch using OPatch versions 1.0.0.0.54 or 10.2.0.1.1, reapplying the interim patch using versions 1.0.0.0.55 and 10.2.0.1.2 will correct the problem. If the interim patch that you applied was Critical Patch Update January 2006 and reapplying the patch is not feasible, please be aware that a script is being developed to correct the file permission so re-installation would not be necessary. The availability of this script will be announced shortly in the Oracle Critical Patch Update January 2006 Pre-Installation Note for Oracle Database (Note 343384.1) and the Pre-Installation Notes for other products.

Please accept our apologies for any inconvenience you may have experienced, and we thank you for your patience and cooperation in keeping your Oracle products up-to-date.

Regards,
Oracle Global Product Support

P.S. Please do not reply to this email as this email account is not monitored. If you require further assistance, please use MetaLink, https://metalink.oracle.com, to submit a Service Request. "

If you have either of these versions of OPatch then please download the new versions. Also note that if you used these versions to apply the January 2006 CPU then you will either need to fix the permissions yourself (not recommended as its unlikely to be supported) or wait for Oracle to supply a script to fix the issue. I guess this issue could be causing problems for some customers?