From: "Stephen Andert" <StephenAndert@firsthealth.com>
To: oracle-l@freelists.org, davidb158@hotmail.com
Date: Sat, 20 Mar 2004 12:31:08 -0700
Subject: Re: listener for external procedure

Hi David,

First of all, I gathered this information from the 2nd Metalink hit when I searched for "listener extproc security" in less than 2 minutes.
This list is a great resource, but it works best when some attempt has been made through traditional channels.

Your SysAdmin is probably referring to Oracle Security Alert #57. A patch is available (see below). Apply the patch listed in the Patch Availability Matrix, or perform the required steps listed in the Workaround section.

HTH.

Stephen

---cut from metalink ---

If the PL/SQL EXTPROC functionality is required in your Oracle installation, there are 5 steps that must be taken in order to protect against the potential security vulnerability identified above.

1. Create two Oracle Net Listeners, one for the Oracle database and one for PL/SQL EXTPROC. Do not specify any EXTPROC specific entries in the configuration files of the Oracle Listener for the database. Configure the Oracle Listener for PL/SQL EXTPROC with an IPC protocol address only. If TCP connectivity is required, configure a TCP protocol address, but use a port other than the one the Oracle Listener for the database is using. Ensure that the Oracle Listener created for PL/SQL EXTPROC runs as an unprivileged OS user (e.g., "nobody" on Unix). On Windows platforms, run the Oracle Net Listener process as an unprivileged user and not as the Windows LOCAL SYSTEM user. Give this user the OS privilege to "Logon as a service."

2. If you have configured the Oracle Listener for PL/SQL EXTPROC with a TCP protocol address, modify the EXTPROC specific entry in $ORACLE_HOME/NETWORK/ADMIN/TNSNAMES.ORA to reflect the correct port for the new Oracle Listener.

3. If you have configured the Listener for PL/SQL EXTPROC with a TCP protocol address, ensure that the connections to this Oracle Listener can only originate from the hosts that need access to EXTPROC by doing the following. Use the Oracle Net Services feature called "valid node checking" to allow or deny access to Oracle Server processes from network clients with specified IP addresses. Set the following parameters in $ORACLE_HOME/NETWORK/ADMIN/SQLNET.ORA ($ORACLE_HOME/NETWORK/ADMIN/PROTOCOL.ORA in Oracle8i and prior releases) to enable the valid node checking feature:

       tcp.validnode_checking = YES
       tcp.invited_nodes = {list of IP addresses}
       tcp.excluded_nodes = {list of IP addresses}

   The first parameter turns on the valid node checking feature. The latter two parameters respectively specify the IP addresses that are permitted to make network connections and those that are prohibited from making network connections to the Oracle Server processes.

   Restrict access to the Oracle Listener for PL/SQL EXTPROC only. A separate $ORACLE_HOME/NETWORK/ADMIN/SQLNET.ORA file is required for this Oracle Listener. You can store this file in any directory other than the one in which the database LISTENER.ORA and SQLNET.ORA files are located. Copy the LISTENER.ORA with the configuration of the Oracle Listener for PL/SQL EXTPROC into this other directory as well. Before starting the Oracle Listener for PL/SQL EXTPROC, set the TNS_ADMIN environment variable (or Windows Registry parameter) to specify the directory in which the new configuration files for PL/SQL EXTPROC are stored.

4. Ensure that the file permissions on the separate $ORACLE_HOME/NETWORK/ADMIN/LISTENER.ORA are set at either 640 or 644.

5. Change the password for any privileged database account, or for an ordinary user given administrative privileges that grant the ability to add packages or libraries and access system privileges in the database (such as CREATE ANY LIBRARY), to a strong, meaningful password, different from the default that is provided during the initial installation of Oracle. Lock and expire all other accounts that are not being used in the database. Read Section 2 of the "Oracle9i Security Checklist" available on OTN at http://otn.oracle.com/deploy/security/oracle9i/pdf/9i_checklist.pdf for details.
>>> davidb158@hotmail.com 03/19/04 09:52AM >>>
Hi List,

I posted a message on this topic a few days ago. I did not receive any reply due to my e-mail system issue, so I post it again.

We would like to use InterMedia to search text content in a CLOB field. In order to create a domain index for InterMedia, we have to configure a listener for external procedures. But our system administrator says that it will open a security hole if we do this. Currently we are running Oracle 8.1.7. Does anyone know if this issue has been fixed in 8.1.7? Is there another way to do text searching instead of InterMedia?

Thanks in advance for any inputs or forwarding previous replies.

----------------------------------------------------------------
Please see the official ORACLE-L FAQ: http://www.orafaq.com
----------------------------------------------------------------
To unsubscribe send email to: oracle-l-request@freelists.org
put 'unsubscribe' in the subject line.
--
Archives are at http://www.freelists.org/archives/oracle-l/
FAQ is at http://www.freelists.org/help/fom-serve/cache/1.html
-----------------------------------------------------------------
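The workaround steps quoted in Stephen's reply, as an added example that is not part of the original post or of Oracle's note: a POSIX shell script that writes the dedicated EXTPROC listener's own LISTENER.ORA and SQLNET.ORA into a separate directory for TNS_ADMIN (steps 1, 3 and 4) and then audits a configuration for the weak settings the alert describes (EXTPROC entries mixed into the database listener, a TCP address without valid node checking, a world-writable LISTENER.ORA). The host name dbhost.example.com, port 1526 for the EXTPROC listener, the ORACLE_HOME path, the listener name LISTENER_EXTPROC and the sample invited addresses are assumptions for illustration. The script only writes and checks files; starting the listener as an unprivileged user with TNS_ADMIN pointed at the new directory is still done by hand.

```shell
#!/bin/sh
# Added example (not from the Metalink note or the list post): builds and
# audits the separate EXTPROC listener configuration from the Security Alert
# #57 workaround. Host, port, ORACLE_HOME and listener name are assumptions.

# Steps 1, 3 and 4: write the EXTPROC listener's own LISTENER.ORA and SQLNET.ORA
# into $1 (the directory TNS_ADMIN will point at) and restrict their mode.
# $2 is a space-separated list of hosts allowed to reach the TCP address.
write_extproc_config() {
    dir=$1; invited_list=
    for h in $2; do invited_list="${invited_list:+$invited_list, }$h"; done
    mkdir -p "$dir"
    cat > "$dir/listener.ora" <<EOF
# Listener for PL/SQL EXTPROC only: IPC, plus TCP on a port that differs
# from the database listener's port (1526 assumed here, 1521 for the DB).
LISTENER_EXTPROC =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example.com)(PORT = 1526))
    )
  )
SID_LIST_LISTENER_EXTPROC =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = PLSExtProc)
      (ORACLE_HOME = /u01/app/oracle/product/8.1.7)
      (PROGRAM = extproc)
    )
  )
EOF
    cat > "$dir/sqlnet.ora" <<EOF
# Valid node checking for the EXTPROC listener only (step 3).
tcp.validnode_checking = YES
tcp.invited_nodes = ($invited_list)
EOF
    chmod 640 "$dir/listener.ora" "$dir/sqlnet.ora"   # step 4
}

# Step 1 audit: the database listener's LISTENER.ORA must carry no EXTPROC
# entry at all. Returns 0 when clean, 1 when an extproc SID or IPC key is present.
db_listener_has_no_extproc() {
    ! grep -Eqi 'PROGRAM[[:space:]]*=[[:space:]]*extproc|KEY[[:space:]]*=[[:space:]]*EXTPROC' "$1"
}

# Step 3 audit: if the EXTPROC listener exposes a TCP address, the SQLNET.ORA
# beside it must turn on valid node checking and name the invited nodes.
extproc_dir_is_restricted() {
    d=$1
    if grep -Eqi 'PROTOCOL[[:space:]]*=[[:space:]]*TCP' "$d/listener.ora"; then
        grep -Eqi '^[[:space:]]*tcp\.validnode_checking[[:space:]]*=[[:space:]]*yes' "$d/sqlnet.ora" || return 1
        grep -Eqi '^[[:space:]]*tcp\.invited_nodes[[:space:]]*=' "$d/sqlnet.ora" || return 1
    fi
    return 0
}

# Step 4 audit: LISTENER.ORA mode must be 640 or 644 (GNU stat, BSD stat as fallback).
listener_ora_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = 640 ] || [ "$mode" = 644 ]
}

# Runs the three audits and reports each; returns nonzero if any check fails.
# $1 = database listener.ora, $2 = the EXTPROC listener's TNS_ADMIN directory.
audit() {
    rc=0
    for check in "db_listener_has_no_extproc $1" \
                 "extproc_dir_is_restricted $2" \
                 "listener_ora_mode_ok $2/listener.ora"; do
        if $check; then echo "PASS: $check"; else echo "FAIL: $check"; rc=1; fi
    done
    return $rc
}

# Demonstration on constructed files: first a database listener.ora that still
# mixes EXTPROC in (the weak setting), then the separated configuration.
tmp=$(mktemp -d)
cat > "$tmp/listener.ora" <<'EOF'
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example.com)(PORT = 1521)))
    (DESCRIPTION = (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC0))))
SID_LIST_LISTENER =
  (SID_LIST = (SID_DESC = (SID_NAME = PLSExtProc)(PROGRAM = extproc)))
EOF
write_extproc_config "$tmp/extproc" "10.1.114.34 10.1.114.35"
echo "--- before: EXTPROC still served by the database listener"
audit "$tmp/listener.ora" "$tmp/extproc" || true
cat > "$tmp/listener.ora" <<'EOF'
LISTENER =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example.com)(PORT = 1521)))
SID_LIST_LISTENER =
  (SID_LIST = (SID_DESC = (SID_NAME = ORCL)(ORACLE_HOME = /u01/app/oracle/product/8.1.7)))
EOF
echo "--- after: database listener cleaned, EXTPROC listener in $tmp/extproc"
audit "$tmp/listener.ora" "$tmp/extproc"
echo "Start it as an unprivileged user with: TNS_ADMIN=$tmp/extproc lsnrctl start LISTENER_EXTPROC"
```

The audit functions are the reusable part: pointed at the real $ORACLE_HOME/network/admin and the real TNS_ADMIN directory, they catch the two regressions that quietly reopen the hole after a tidy-up, an EXTPROC SID_DESC copied back into the database listener and a TCP address added to the EXTPROC listener without its own SQLNET.ORA restrictions.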