RE: Listener and extproc security

  • From: "Goulet, Dick" <richard.goulet@xxxxxxxxxxxxx>
  • To: <jheinrichdba@xxxxxxxxx>, "oracle-l" <oracle-l@xxxxxxxxxxxxx>
  • Date: Thu, 3 Jan 2008 12:15:23 -0500

Jason,

As far as I know, and I have set up extprocs in 9i and have
them in 10g as well, you should set up a separate listener for extproc
with IPC only as the protocol in use.  In 9i setting it up as TCP was
"unsupported" and I really don't have any idea if it worked or not
mainly because I didn't try.  It was supposed to be a supported
capability in 10g, why I surely don't know.  But, if you're going to use
extprocs make sure they don't run as the Oracle owner, but as nobody in
Unix/Linux or the Windows equivalent if you're on that platform.  The
reason is that you could allow an extproc to have all the rights to the
database executables and files as the Oracle owner which has its own
bad consequences.  BTW: I did get extproc to work through the main
listener as well with no problems.  It's just a potential security issue
if you use it that way.


______________________________________________________________
Dick Goulet / Capgemini
North America P&C / East Business Unit
Senior Oracle DBA / Hosting
Office: 508.573.1978 / Mobile: 508.742.5795 / www.capgemini.com
Fax: 508.229.2019 /  Email: richard.goulet@xxxxxxxxxxxxx
45 Bartlett St. / Marlborough, MA 01752

Together: the Collaborative Business Experience 
______________________________________________________________
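The split-listener layout Dick describes, as an added configuration example that is not from either poster: a dedicated IPC-only listener in listener.ora with the extproc library list pinned down, the database listener left without any extproc entry, and the tnsnames.ora alias the database uses to reach the agent. ORACLE_HOME, the host name, the IPC KEY and the library path are assumed placeholders.

```ini
# listener.ora -- added example; paths, HOST, KEY and library are placeholders.

# Dedicated extproc listener: IPC address only, no TCP address at all, so the
# extproc agent can be reached only by local processes on this host.
LISTENER_EXTPROC =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC_ONLY))
    )
  )

# ENVS restricts which shared libraries extproc may load. Without the
# EXTPROC_DLLS setting it will load whatever library the database asks for.
SID_LIST_LISTENER_EXTPROC =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = PLSExtProc)
      (ORACLE_HOME = /u01/app/oracle/product/10.2.0/db_1)
      (PROGRAM = extproc)
      (ENVS = "EXTPROC_DLLS=ONLY:/u01/app/oracle/extproc/libmyext.so")
    )
  )

# Regular database listener: TCP for client connections, and deliberately
# no SID_DESC with PROGRAM = extproc, which is what would expose the agent
# over the network.
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example.com)(PORT = 1521))
    )
  )

# tnsnames.ora (same host) -- the alias the database resolves when it calls
# an external procedure. If NAMES.DEFAULT_DOMAIN is set in sqlnet.ora the
# alias must carry that domain suffix or resolution silently fails.
EXTPROC_CONNECTION_DATA =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC_ONLY))
    (CONNECT_DATA = (SID = PLSExtProc)(PRESENTATION = RO))
  )
```

Start the extproc listener with `lsnrctl start LISTENER_EXTPROC` from the low-privilege OS account Dick mentions (it needs execute rights on $ORACLE_HOME/bin/extproc and read rights on the library), because extproc runs with the uid of the listener that spawned it. `lsnrctl status LISTENER` should then list no extproc service, and `lsnrctl status LISTENER_EXTPROC` should show only the IPC endpoint.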

________________________________

From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Heinrich
Sent: Thursday, January 03, 2008 11:02 AM
To: oracle-l
Subject: Listener and extproc security


I'm looking for clarification on securing extproc, specifically in
regard to accessing it over TCP in 10.2.0.3.  My understanding is that
a separate listener is recommended for extproc which only listens to IPC
calls.  Otherwise, if the database listener was used, extproc and any
allowed libraries on the server could be accessed remotely via TCP.

Most of what I've read on this is from a 9i security bulletin, but I
haven't seen anything so far that says the situation has changed in 10g.
Is my understanding of the situation correct, and is this still the
recommended configuration?  I want to make sure I have my facts straight
before I recommend this to my coworkers.

-- 
Jason Heinrich 
