Re: Listener and extproc security

From: Jason Heinrich <jheinrichdba_at_gmail.com>
Date: Thu, 3 Jan 2008 12:01:42 -0600
Message-ID: <b32e774d0801031001v5f0ee4d0gfcd9b7321ffd8ac7@mail.gmail.com>

A Google Books search turned up some additional information.* Apparently Oracle made a change to the listener in 9.2 so that it will only fulfill extproc requests from the local machine. Requests from other hosts get logged. I don't have an environment set up at the moment to easily test this though.

Special Ops: Host and Network Security for Microsoft Unix and Oracle, byErik Pace Birkholz, p. 686

On 1/3/08, Goulet, Dick <richard.goulet_at_capgemini.com> wrote:
>
> Jason,
>
>
>
> As far as I know, and I have set up extproc's in 9i and have
> them in 10g as well, you should set up a separate listener for extproc with
> IPC only as the protocol in use. In 9i setting it up as TCP was
> "unsupported" and I really don't have any idea if it worked or not mainly
> because I didn't try. It was suppose to be a supported capability in 10g,
> why I surely don't know. But, if your going to use extproc's make sure they
> don't run as the Oracle owner, but as nobody in Unix/Linux or the windows
> equivalent if your on that platform. The reason is that you could allow an
> extproc to have all the rights to the database executables and files as the
> Oracle owner which has it's own bad consequences. BTW: I did get extproc to
> work through the main listener as well with no problems. It's just a
> potential security issue if you use it that way.
>
>
>
> ______________________________________________________________
> Dick Goulet / *Capgemini*
> North America P&C / East Business Unit
> Senior Oracle DBA / Hosting
> Office: 508.573.1978 / Mobile: 508.742.5795 / www.capgemini.com
> Fax: 508.229.2019 / Email: *richard.goulet_at_capgemini.com*
> 45 Bartlett St. / Marlborough, MA 01752
>
> *Together: the Collaborative Business Experience *
> ______________________________________________________________
> ------------------------------
>
> *From:* oracle-l-bounce_at_freelists.org [mailto:
> oracle-l-bounce_at_freelists.org] *On Behalf Of *Jason Heinrich
> *Sent:* Thursday, January 03, 2008 11:02 AM
> *To:* oracle-l
> *Subject:* Listener and extproc security
>
>
>
> I'm looking for clarification on securing extproc, specifically in regards
> to accessing it over TCP in 10.2.0.3. My understanding is that a separate
> listener is recommended for extproc which only listens to IPC calls.
> Otherwise, if the database listener was used, extproc and any allowed
> libraries on the server could be accessed remotely via TCP.
>
> Most of what I've read on this is from a 9i security bulletin, but I
> haven't seen anything so far that says the situation has changed in 10g. Is
> my understanding of the situation correct, and is this still the recommended
> configuration? I want to make sure I have my facts strait before I
> recommend this to my coworkers.
>
> --
> Jason Heinrich
> This message contains information that may be privileged or confidential
> and is the property of the Capgemini Group. It is intended only for the
> person to whom it is addressed. If you are not the intended recipient, you
> are not authorized to read, print, retain, copy, disseminate, distribute, or
> use this message or any part thereof. If you receive this message in error,
> please notify the sender immediately and delete all copies of this message.
>
>

-- 
Jason Heinrich

--
http://www.freelists.org/webpage/oracle-l

Received on Thu Jan 03 2008 - 12:01:42 CST

This message: [ Message body ]
Next message: Bobak, Mark: "RE: Server Architecture"
Previous message: Elliott, Patrick: "RE: Clarification on conventional backup"
In reply to: Goulet, Dick: "RE: Listener and extproc security"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]

Original text of this message