RE: Listener and extproc security

From: Goulet, Dick <>
Date: Thu, 3 Jan 2008 12:15:23 -0500
Message-ID: <>


            As far as I know, and I have set up extproc's in 9i and have them in 10g as well, you should set up a separate listener for extproc with IPC only as the protocol in use. In 9i setting it up as TCP was "unsupported" and I really don't have any idea if it worked or not mainly because I didn't try. It was suppose to be a supported capability in 10g, why I surely don't know. But, if your going to use extproc's make sure they don't run as the Oracle owner, but as nobody in Unix/Linux or the windows equivalent if your on that platform. The reason is that you could allow an extproc to have all the rights to the database executables and files as the Oracle owner which has it's own bad consequences. BTW: I did get extproc to work through the main listener as well with no problems. It's just a potential security issue if you use it that way.  

Dick Goulet / Capgemini
North America P&C / East Business Unit
Senior Oracle DBA / Hosting
Office: 508.573.1978 / Mobile: 508.742.5795 / Fax: 508.229.2019 / Email: 45 Bartlett St. / Marlborough, MA 01752

Together: the Collaborative Business Experience

[] On Behalf Of Jason Heinrich Sent: Thursday, January 03, 2008 11:02 AM To: oracle-l
Subject: Listener and extproc security  

I'm looking for clarification on securing extproc, specifically in regards to accessing it over TCP in My understanding is that a separate listener is recommended for extproc which only listens to IPC calls. Otherwise, if the database listener was used, extproc and any allowed libraries on the server could be accessed remotely via TCP.

Most of what I've read on this is from a 9i security bulletin, but I haven't seen anything so far that says the situation has changed in 10g. Is my understanding of the situation correct, and is this still the recommended configuration? I want to make sure I have my facts strait before I recommend this to my coworkers.

Jason Heinrich 

This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient,  you are not authorized to read, print, retain, copy, disseminate,  distribute, or use this message or any part thereof. If you receive this  message in error, please notify the sender immediately and delete all  copies of this message.

Received on Thu Jan 03 2008 - 11:15:23 CST

Original text of this message