  1. #1
    Join Date
    Aug 2001
    Location
    UK
    Posts
    4,650

    Unanswered: DB2 Security Loophole ??

    Not sure how authentic it is ... But worth a read ...

    http://infosecuritymag.techtarget.co...,00.html#news3

    Please share any information you have about this issue ..

    Cheers
    Sathyaram
    Visit the new-look IDUG Website, register to gain access to the excellent content.

  2. #2
    Join Date
    Jun 2003
    Location
    Toronto, Canada
    Posts
    5,516
    Provided Answers: 1

    Re: DB2 Security Loophole ??

    The article says,

    On some, lib directories have inappropriate write permissions after a default installation, which can allow an attacker with bin privileges to create a malicious shared object that DB2 runs and elevate his privileges to root.

    I may be wrong but I believe db2 processes are not supposed to execute with root privileges but rather with those of the instance owner id. Therefore, whatever db2 then runs from the lib directory will execute with the same privs as db2 itself. Please correct me if I'm wrong.

    Besides, on AIX the lib directory is not writable for anyone except the id used to install the software.

    I suspect the "vulnerability" may just be a result of not planning db2 installation carefully.
    ---
    "It does not work" is not a valid problem statement.
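
A check for the condition the quoted article describes (library directories that an account other than the installing id can write to), as an added example that is not part of either post or of DB2 itself. The function names and the sample tree are hypothetical and constructed for illustration; pass the actual lib directory and the uid that installed the software as arguments.

```shell
#!/bin/sh
# Added example. List directories and files under a library directory that
# could be modified by someone other than the trusted installing uid.
# Usage: audit_lib_perms DIR [TRUSTED_UID]   (TRUSTED_UID defaults to 0, root)
audit_lib_perms() {
    dir=$1
    trusted_uid=${2:-0}
    if [ ! -d "$dir" ]; then
        echo "audit_lib_perms: not a directory: $dir" >&2
        return 2
    fi
    # Group- or world-writable entries: any member of that group (or anyone)
    # can add or replace a shared object that the database processes load.
    find "$dir" \( -type d -o -type f \) \( -perm -020 -o -perm -002 \) -print |
        sed 's/^/WRITABLE /'
    # Entries owned by another account (for example bin) are writable by that
    # account regardless of the group/other permission bits.
    find "$dir" \( -type d -o -type f \) ! -uid "$trusted_uid" -print |
        sed 's/^/OWNER /'
}

# Constructed sample tree (not a real DB2 layout): one group-writable
# directory, one world-writable library file, and two correctly set entries.
make_sample_tree() {
    t=$(mktemp -d "${TMPDIR:-/tmp}/libaudit.XXXXXX") || return 1
    mkdir "$t/lib" "$t/lib64"
    : > "$t/lib/libdemo.so"
    : > "$t/lib64/libworld.so"
    chmod 775 "$t/lib"                 # group-writable directory: flagged
    chmod 644 "$t/lib/libdemo.so"      # fine
    chmod 755 "$t/lib64"               # fine
    chmod 666 "$t/lib64/libworld.so"   # world-writable file: flagged
    echo "$t"
}

# Run with --demo to audit the constructed tree as the current user.
if [ "${1:-}" = "--demo" ]; then
    tree=$(make_sample_tree)
    audit_lib_perms "$tree" "$(id -u)"
    rm -rf "$tree"
fi
```

An empty result means every directory and file under the path is owned by the trusted uid and writable only by it.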
