Electronic Consultant



Kbase P22686: Security issue with dlopen and setuid bit executables
Author   Progress Software Corporation - Progress
Access   Public
Published   5/3/2011
Status: Verified

GOAL:

Security vulnerability with some Progress UNIX executables

GOAL:

Security issue with dlopen and setuid executables

GOAL:

Security issue with dlopen and environment variables with setuid executables

FACT(s) (Environment):

UNIX
Progress/OpenEdge Product Family

FIX:

Progress is aware that a potential security vulnerability exists with some UNIX executables (for example: _proapsv) that run with the setuid bit set and load shared object libraries from the Progress installation's lib directory. These processes retain root as the effective user id once the server is actually up and running, because the executables carry "setuid root" file attributes. A user who can replace or modify one of those shared objects can therefore have code loaded into a process that runs as root.
Progress plans to fix this vulnerability in an upcoming release but, due to the complexity of the solution, will not be able to furnish this fix in the short term.

The best way to prevent these potential problems from occurring is to implement an effective security policy that restricts user login access to the machines where these executables run, restricts execute permission on these executables to trusted accounts only, and restricts write access to all Progress installed shared object libraries.

Progress recommends that you do *not* disable the setuid bit on the executables, as this could interfere with the correct execution of broker processes and database access.
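The following audit script is an added example, not part of this Kbase article or of the Progress product. It checks an installation directory for the two conditions the article describes, setuid executables in bin/ and shared objects in lib/ that are writable by group or others, so an administrator can verify the recommended write-access restriction is actually in place. The directory layout (bin/, lib/) and the DLC variable are assumptions.

```shell
#!/bin/sh
# Audit a Progress/OpenEdge installation root (DLC) for:
#   1. setuid executables under bin/ (expected to exist; listed for review)
#   2. shared objects under lib/ writable by group or others (must be none,
#      since a setuid process loads them with root as its effective uid)
# Directory layout and DLC are assumptions for this example.

# List setuid executables under "$1/bin", one path per line.
find_setuid_bins() {
    find "$1/bin" -type f -perm -4000 2>/dev/null | sort
}

# List shared objects under "$1/lib" that are group- or world-writable.
find_writable_libs() {
    find "$1/lib" -type f \( -name '*.so' -o -name '*.so.*' \) \
        \( -perm -0020 -o -perm -0002 \) 2>/dev/null | sort
}

# Print both lists. Returns 1 when any shared object is writable by group
# or others (the condition the article says to remove), 0 otherwise.
audit_dlc() {
    dlc="$1"
    echo "setuid executables in $dlc/bin:"
    find_setuid_bins "$dlc" | sed 's/^/  /'
    writable=$(find_writable_libs "$dlc")
    if [ -n "$writable" ]; then
        echo "group/world-writable shared objects in $dlc/lib:"
        printf '%s\n' "$writable" | sed 's/^/  /'
        return 1
    fi
    echo "no group/world-writable shared objects in $dlc/lib"
    return 0
}

# Stand-alone use: DLC=/path/to/install sh audit_dlc.sh
if [ -n "$DLC" ]; then
    audit_dlc "$DLC"
fi
```

A non-zero exit status from audit_dlc is the signal to tighten the lib/ permissions (for example chmod go-w on the listed files) before the brokers are started.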