Re: listener for external procedure
- From: "Stephen Andert" <StephenAndert@xxxxxxxxxxxxxxx>
- To: oracle-l@xxxxxxxxxxxxx, davidb158@xxxxxxxxxxx
- Date: Sat, 20 Mar 2004 12:31:08 -0700
Hi David,
First of all, I gathered this information from the 2nd Metalink hit
when I searched for "listener extproc security" in less than 2 minutes.
This list is a great resource, but it works best when some attempt has
been made through traditional channels.
Your SysAdmin is probably referring to Oracle Security Alert #57. A
patch is available (see below). Apply the patch listed in the Patch
Availability Matrix, or perform the steps required listed in the
Workaround section.
HTH.
Stephen
---cut from metalink ---
If the PL/SQL EXTPROC functionality is required in your Oracle
installation, there are 5 steps that must be taken in order to protect
against the potential security vulnerability identified above.
1. Create two Oracle Net Listeners, one for the Oracle database and one
for PL/SQL EXTPROC.
Do not specify any EXTPROC specific entries in the configuration files
of the Oracle Listener for the database.
Configure the Oracle Listener for PL/SQL EXTPROC with an IPC protocol
address only.
If TCP connectivity is required, configure a TCP protocol address, but
use a port other than the one the Oracle Listener for the database is
using. Ensure that the Oracle Listener created for PL/SQL EXTPROC runs
as an unprivileged OS user (e.g., "nobody" on Unix). On Windows
platforms, run the Oracle Net Listener process as an unprivileged user
and not as the Windows LOCAL SYSTEM user. Give this user the OS
privilege to "Logon as a service."
2. If you have configured the Oracle Listener for PL/SQL EXTPROC with a
TCP protocol address, modify the EXTPROC specific entry in
$ORACLE_HOME/NETWORK/ADMIN/TNSNAMES.ORA to reflect the correct port for
the new Oracle Listener.
3. If you have configured the Listener for PL/SQL EXTPROC with a TCP
protocol address, ensure that the connections to this Oracle Listener
can only originate from the hosts that need access to EXTPROC by doing
the following.
Use the Oracle Net Services feature called "valid node checking" to
allow or deny access to Oracle Server processes from network clients
with specified IP addresses. Set the following parameters in
$ORACLE_HOME/NETWORK/ADMIN/SQLNET.ORA
($ORACLE_HOME/NETWORK/ADMIN/PROTOCOL.ORA in Oracle8i and prior releases)
to enable the valid node checking feature:
tcp.validnode_checking = YES
tcp.invited_nodes = {list of IP addresses}
tcp.excluded_nodes = {list of IP addresses}
The first parameter turns on the valid node checking feature. The
latter two parameters respectively specify the IP addresses that are
permitted to make network connections and those that are prohibited from
making network connections to the Oracle Server processes.
Restrict access to the Oracle Listener for PL/SQL EXTPROC only. A
separate $ORACLE_HOME/NETWORK/ADMIN/SQLNET.ORA file is required for this
Oracle Listener. You can store this file in any directory other than the
one in which the database LISTENER.ORA and SQLNET.ORA files are located.
Copy the LISTENER.ORA with the configuration of the Oracle Listener for
PL/SQL EXTPROC into this other directory as well. Before starting the
Oracle Listener for PL/SQL EXTPROC, set the TNS_ADMIN environment
variable (or Windows Registry parameter) to specify the directory in
which the new configuration files for PL/SQL EXTPROC are stored.
4. Ensure that the file permissions on separate
$ORACLE_HOME/NETWORK/ADMIN/LISTENER.ORA are set at either 640 or 644.
5. Change the password for any privileged database account, or for an
ordinary user given administrative privileges that grant the ability to
add packages or libraries and access system privileges in the database
(such as CREATE ANY LIBRARY), to a strong, meaningful password,
different from the default that is provided during the initial
installation of Oracle.
Lock and expire all other accounts that are not being used in the
database. Read Section 2 of the "Oracle9i Security Checklist" available
on OTN at
http://otn.oracle.com/deploy/security/oracle9i/pdf/9i_checklist.pdf
for details.
>>> davidb158@xxxxxxxxxxx 03/19/04 09:52AM >>>
Hi List,
I posted a message on this topic a few days ago. I did not receive any
reply due to my e-mail system issue. So I post it again.
We would like to use InterMedia searching text content against a clob
field.
In order to create domain index for InterMedia, we have to configure
listener for external procedure. But our system administrator says
that it
will open a security hole if we do this. Currentely we are running
Oracle
8.1.7. Does any one know if this issue has been fixed in 8.1.7? Is
there
other way to do text searching instead of InterMedia?
Thanks in advance for any inputs or forwarding previous replies.
_________________________________________________________________
All the action. All the drama. Get NCAA hoops coverage at MSN Sports by
ESPN. http://msn.espn.go.com/index.html?partnersite=espn
----------------------------------------------------------------
Please see the official ORACLE-L FAQ: http://www.orafaq.com
----------------------------------------------------------------
To unsubscribe send email to: oracle-l-request@xxxxxxxxxxxxx
put 'unsubscribe' in the subject line.
--
Archives are at //www.freelists.org/archives/oracle-l/
FAQ is at //www.freelists.org/help/fom-serve/cache/1.html
-----------------------------------------------------------------
----------------------------------------------------------------
Please see the official ORACLE-L FAQ: http://www.orafaq.com
----------------------------------------------------------------
To unsubscribe send email to: oracle-l-request@xxxxxxxxxxxxx
put 'unsubscribe' in the subject line.
--
Archives are at //www.freelists.org/archives/oracle-l/
FAQ is at //www.freelists.org/help/fom-serve/cache/1.html
-----------------------------------------------------------------
Other related posts: