RE: Listener and extproc security

Jason,

 

            As far as I know, and I have set up extproc's in 9i and have
them in 10g as well, you should set up a separate listener for extproc
with IPC only as the protocol in use.  In 9i setting it up as TCP was
"unsupported" and I really don't have any idea if it worked or not
mainly because I didn't try.  It was suppose to be a supported
capability in 10g, why I surely don't know.  But, if your going to use
extproc's make sure they don't run as the Oracle owner, but as nobody in
Unix/Linux or the windows equivalent if your on that platform.  The
reason is that you could allow an extproc to have all the rights to the
database executables and files as the Oracle owner which has it's own
bad consequences.  BTW: I did get extproc to work through the main
listener as well with no problems.  It's just a potential security issue
if you use it that way.

 

______________________________________________________________
Dick Goulet / Capgemini
North America P&C / East Business Unit
Senior Oracle DBA / Hosting
Office: 508.573.1978 / Mobile: 508.742.5795 / www.capgemini.com
Fax: 508.229.2019 /  Email: richard.goulet@xxxxxxxxxxxxx
45 Bartlett St. / Marlborough, MA 01752

Together: the Collaborative Business Experience 
______________________________________________________________

________________________________

From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Heinrich
Sent: Thursday, January 03, 2008 11:02 AM
To: oracle-l
Subject: Listener and extproc security

 

I'm looking for clarification on securing extproc, specifically in
regards to accessing it over TCP in 10.2.0.3.  My understanding is that
a separate listener is recommended for extproc which only listens to IPC
calls.  Otherwise, if the database listener was used, extproc and any
allowed libraries on the server could be accessed remotely via TCP. 

Most of what I've read on this is from a 9i security bulletin, but I
haven't seen anything so far that says the situation has changed in 10g.
Is my understanding of the situation correct, and is this still the
recommended configuration?  I want to make sure I have my facts strait
before I recommend this to my coworkers. 

-- 
Jason Heinrich 



This message contains information that may be privileged or confidential and is 
the property of the Capgemini Group. It is intended only for the person to whom 
it is addressed. If you are not the intended recipient,  you are not authorized 
to read, print, retain, copy, disseminate,  distribute, or use this message or 
any part thereof. If you receive this  message in error, please notify the 
sender immediately and delete all  copies of this message.

Other related posts: