
Re: listener for external procedure

From: David Boyd <davidb158_at_hotmail.com>
Date: Mon, 22 Mar 2004 10:22:50 -0500
Message-ID: <BAY2-F89adXVDYPs9M900058290@hotmail.com>


Stephen,

Thanks so much for your valuable info. I'll forward it to our SA.

>From: "Stephen Andert" <StephenAndert_at_firsthealth.com>
>Reply-To: oracle-l_at_freelists.org
>To: oracle-l_at_freelists.org, davidb158_at_hotmail.com
>Subject: Re: listener for external procedure
>Date: Sat, 20 Mar 2004 12:31:08 -0700
>
>Hi David,
>
>First of all, I gathered this information from the 2nd Metalink hit
>when I searched for "listener extproc security" in less than 2 minutes.
>This list is a great resource, but it works best when some attempt has
>been made through traditional channels.
>
>Your SysAdmin is probably referring to Oracle Security Alert #57. A
>patch is available (see below). Apply the patch listed in the Patch
>Availability Matrix, or perform the steps required listed in the
>Workaround section.
>
>HTH.
>Stephen
>---cut from metalink ---
>
>If the PL/SQL EXTPROC functionality is required in your Oracle
>installation, there are 5 steps that must be taken in order to protect
>against the potential security vulnerability identified above.
>
>1. Create two Oracle Net Listeners, one for the Oracle database and one
>for PL/SQL EXTPROC.
>
>Do not specify any EXTPROC specific entries in the configuration files
>of the Oracle Listener for the database.
>
>Configure the Oracle Listener for PL/SQL EXTPROC with an IPC protocol
>address only.
>
>If TCP connectivity is required, configure a TCP protocol address, but
>use a port other than the one the Oracle Listener for the database is
>using. Ensure that the Oracle Listener created for PL/SQL EXTPROC runs
>as an unprivileged OS user (e.g., "nobody" on Unix). On Windows
>platforms, run the Oracle Net Listener process as an unprivileged user
>and not as the Windows LOCAL SYSTEM user. Give this user the OS
>privilege to "Logon as a service."
>
>2. If you have configured the Oracle Listener for PL/SQL EXTPROC with a
>TCP protocol address, modify the EXTPROC specific entry in
>$ORACLE_HOME/NETWORK/ADMIN/TNSNAMES.ORA to reflect the correct port for
>the new Oracle Listener.
>
>3. If you have configured the Listener for PL/SQL EXTPROC with a TCP
>protocol address, ensure that the connections to this Oracle Listener
>can only originate from the hosts that need access to EXTPROC by doing
>the following.
>
>Use the Oracle Net Services feature called "valid node checking" to
>allow or deny access to Oracle Server processes from network clients
>with specified IP addresses. Set the following parameters in
>$ORACLE_HOME/NETWORK/ADMIN/SQLNET.ORA
>($ORACLE_HOME/NETWORK/ADMIN/PROTOCOL.ORA in Oracle8i and prior releases)
>to enable the valid node checking feature:
>
>tcp.validnode_checking = YES
>
>tcp.invited_nodes = {list of IP addresses}
>
>tcp.excluded_nodes = {list of IP addresses}
>
>The first parameter turns on the valid node checking feature. The
>latter two parameters respectively specify the IP addresses that are
>permitted to make network connections and those that are prohibited from
>making network connections to the Oracle Server processes.
>
>Restrict access to the Oracle Listener for PL/SQL EXTPROC only. A
>separate $ORACLE_HOME/NETWORK/ADMIN/SQLNET.ORA file is required for this
>Oracle Listener. You can store this file in any directory other than the
>one in which the database LISTENER.ORA and SQLNET.ORA files are located.
>Copy the LISTENER.ORA with the configuration of the Oracle Listener for
>PL/SQL EXTPROC into this other directory as well. Before starting the
>Oracle Listener for PL/SQL EXTPROC, set the TNS_ADMIN environment
>variable (or Windows Registry parameter) to specify the directory in
>which the new configuration files for PL/SQL EXTPROC are stored.
>
>4. Ensure that the file permissions on separate
>$ORACLE_HOME/NETWORK/ADMIN/LISTENER.ORA are set at either 640 or 644.
>
>5. Change the password for any privileged database account, or for an
>ordinary user given administrative privileges that grant the ability to
>add packages or libraries and access system privileges in the database
>(such as CREATE ANY LIBRARY), to a strong, meaningful password,
>different from the default that is provided during the initial
>installation of Oracle.
>
>Lock and expire all other accounts that are not being used in the
>database. Read Section 2 of the "Oracle9i Security Checklist" available
>on OTN at
>http://otn.oracle.com/deploy/security/oracle9i/pdf/9i_checklist.pdf
>for details.
>
>
>
>
>
> >>> davidb158_at_hotmail.com 03/19/04 09:52AM >>>
>Hi List,
>
>I posted a message on this topic a few days ago. I did not receive any
>reply due to my e-mail system issue, so I am posting it again.
>
>We would like to use InterMedia to search text content in a CLOB
>field. In order to create a domain index for InterMedia, we have to
>configure a listener for external procedures. But our system
>administrator says that it will open a security hole if we do this.
>Currently we are running Oracle 8.1.7. Does anyone know if this issue
>has been fixed in 8.1.7? Is there another way to do text searching
>instead of InterMedia?
>
>Thanks in advance for any inputs or forwarding previous replies.
>
>
>----------------------------------------------------------------
>Please see the official ORACLE-L FAQ: http://www.orafaq.com
>----------------------------------------------------------------
>To unsubscribe send email to: oracle-l-request_at_freelists.org
>put 'unsubscribe' in the subject line.
>--
>Archives are at http://www.freelists.org/archives/oracle-l/
>FAQ is at http://www.freelists.org/help/fom-serve/cache/1.html
>-----------------------------------------------------------------



Received on Mon Mar 22 2004 - 09:20:53 CST
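As an added example, not part of the thread or of Oracle's note, a small POSIX shell audit that checks a listener.ora/sqlnet.ora layout against steps 1, 3 and 4 of the quoted workaround: the helper names are hypothetical, the configuration files, hostnames and addresses are constructed samples, and the permission check assumes GNU stat.

```shell
# Audit helpers for the split-listener setup in Security Alert #57.
# Hypothetical helper names; the config files below are constructed samples.
set -u
# 0 if a listener.ora still carries an extproc entry (step 1: the database
# listener must have none; the dedicated extproc listener naturally does).
has_extproc() { grep -Eiq 'extproc' "$1"; }
# 0 if the extproc listener binds IPC only. The alert also permits TCP on a
# port other than the database listener's; this is the strict form.
ipc_only() { ! grep -Eiq 'PROTOCOL *= *TCP' "$1" && grep -Eiq 'PROTOCOL *= *IPC' "$1"; }
# 0 if the file mode is 640 or 644 (step 4). Assumes GNU stat.
perms_ok() { case "$(stat -c '%a' "$1")" in 640|644) return 0 ;; *) return 1 ;; esac; }
# 0 if sqlnet.ora enables valid node checking with an invited list (step 3).
vnc_on() {
  grep -Eiq '^ *tcp\.validnode_checking *= *yes' "$1" &&
  grep -Eiq '^ *tcp\.invited_nodes *= *\(' "$1"
}
# 0 when DBDIR holds an extproc-free listener.ora and EXTDIR (the directory
# TNS_ADMIN points at for the extproc listener) passes every check above.
audit_split() {
  ! has_extproc "$1/listener.ora" && ipc_only "$2/listener.ora" &&
  perms_ok "$2/listener.ora" && vnc_on "$2/sqlnet.ora"
}

DIR=$(mktemp -d); mkdir "$DIR/db" "$DIR/extproc"
# Weak: one listener file serving both the database and extproc
cat > "$DIR/mixed.ora" <<'EOF'
LISTENER = (DESCRIPTION_LIST=(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=dbhost)(PORT=1521)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC0))))
SID_LIST_LISTENER = (SID_LIST=(SID_DESC=(SID_NAME=ORCL)(ORACLE_HOME=/u01/app/oracle))
  (SID_DESC=(SID_NAME=PLSExtProc)(ORACLE_HOME=/u01/app/oracle)(PROGRAM=extproc)))
EOF
# Hardened: database listener with no extproc entry ...
cat > "$DIR/db/listener.ora" <<'EOF'
LISTENER = (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=dbhost)(PORT=1521)))
SID_LIST_LISTENER = (SID_LIST=(SID_DESC=(SID_NAME=ORCL)(ORACLE_HOME=/u01/app/oracle)))
EOF
# ... and a separate IPC-only extproc listener with its own sqlnet.ora
cat > "$DIR/extproc/listener.ora" <<'EOF'
LISTENER_EXTPROC = (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC0)))
SID_LIST_LISTENER_EXTPROC = (SID_LIST=(SID_DESC=(SID_NAME=PLSExtProc)(ORACLE_HOME=/u01/app/oracle)(PROGRAM=extproc)))
EOF
printf 'tcp.validnode_checking = yes\ntcp.invited_nodes = (10.0.0.5, 10.0.0.6)\n' > "$DIR/extproc/sqlnet.ora"
chmod 640 "$DIR/extproc/listener.ora"; chmod 664 "$DIR/mixed.ora"
audit_split "$DIR/db" "$DIR/extproc" && echo "extproc listener split looks sound"
```

Point the two directory arguments at the real TNS_ADMIN directories of the database and extproc listeners to run it against a live configuration.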
