RE: Listener and extproc security
Date: Thu, 3 Jan 2008 12:15:23 -0500
As far as I know, and I have set up extprocs in 9i and have them in 10g as well, you should set up a separate listener for extproc with IPC only as the protocol in use. In 9i setting it up as TCP was "unsupported" and I really don't have any idea if it worked or not, mainly because I didn't try. It was supposed to be a supported capability in 10g; why, I surely don't know. But, if you're going to use extprocs, make sure they don't run as the Oracle owner, but as nobody in Unix/Linux or the Windows equivalent if you're on that platform. The reason is that you could allow an extproc to have all the rights to the database executables and files as the Oracle owner, which has its own bad consequences. BTW: I did get extproc to work through the main listener as well with no problems. It's just a potential security issue if you use it that way.
Dick Goulet / Capgemini
North America P&C / East Business Unit
Senior Oracle DBA / Hosting
Office: 508.573.1978 / Mobile: 508.742.5795 / Fax: 508.229.2019
www.capgemini.com / Email: richard.goulet_at_capgemini.com
45 Bartlett St. / Marlborough, MA 01752
Together: the Collaborative Business Experience
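As an added illustration, not configuration posted by either writer, this is the usual layout for the separate IPC-only extproc listener described above. The listener name, IPC key, ORACLE_HOME path and shared-library path are placeholders; the ENVS line restricting which libraries extproc may load is a real Oracle Net parameter but is an addition beyond what the thread mentions.

```text
# listener.ora -- a dedicated extproc listener with no TCP endpoint.
# The main database listener keeps its own entry and does NOT carry
# the PLSExtProc SID, so extproc cannot be reached over the network.
EXTPROC_LISTENER =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC_KEY))
  )

SID_LIST_EXTPROC_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = PLSExtProc)
      (ORACLE_HOME = /u01/app/oracle/product/10.2.0/db_1)   # placeholder path
      (PROGRAM = extproc)
      # Only allow the one library that holds your external procedures
      # (placeholder path); without ENVS any library on the box is loadable.
      (ENVS = "EXTPROC_DLLS=ONLY:/u01/app/oracle/extproc/libmyfunc.so")
    )
  )

# tnsnames.ora -- the alias the database uses to reach extproc.
# Same IPC key as above; no TCP address anywhere.
EXTPROC_CONNECTION_DATA =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC_KEY))
    )
    (CONNECT_DATA =
      (SID = PLSExtProc)
      (PRESENTATION = RO)
    )
  )
```

The privilege separation Dick describes is not a listener.ora setting: it comes from starting EXTPROC_LISTENER (lsnrctl start EXTPROC_LISTENER) under a low-privileged OS account such as nobody rather than the Oracle software owner, so the spawned extproc process inherits that account. A quick check is lsnrctl status EXTPROC_LISTENER, which should show only the IPC address, and lsnrctl status on the main listener, which should list no PLSExtProc service.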
From: [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Jason Heinrich
Sent: Thursday, January 03, 2008 11:02 AM
To: oracle-l
Subject: Listener and extproc security
I'm looking for clarification on securing extproc, specifically in regards to accessing it over TCP in 10.2.0.3. My understanding is that a separate listener is recommended for extproc which only listens to IPC calls. Otherwise, if the database listener was used, extproc and any allowed libraries on the server could be accessed remotely via TCP.
Most of what I've read on this is from a 9i security bulletin, but I haven't seen anything so far that says the situation has changed in 10g. Is my understanding of the situation correct, and is this still the recommended configuration? I want to make sure I have my facts straight before I recommend this to my coworkers.
-- Jason Heinrich

Received on Thu Jan 03 2008 - 11:15:23 CST