Re: Listener and extproc security
Date: Thu, 3 Jan 2008 12:01:42 -0600
A Google Books search turned up some additional information.* Apparently Oracle made a change to the listener in 9.2 so that it will only fulfill extproc requests from the local machine. Requests from other hosts get logged. I don't have an environment set up at the moment to easily test this though.
- Special Ops: Host and Network Security for Microsoft Unix and Oracle, by Erik Pace Birkholz, p. 686
On 1/3/08, Goulet, Dick <richard.goulet_at_capgemini.com> wrote:
> As far as I know, and I have set up extprocs in 9i and have
> them in 10g as well, you should set up a separate listener for extproc with
> IPC only as the protocol in use. In 9i setting it up as TCP was
> "unsupported" and I really don't have any idea if it worked or not mainly
> because I didn't try. It was supposed to be a supported capability in 10g,
> why I surely don't know. But, if you're going to use extprocs make sure they
> don't run as the Oracle owner, but as nobody in Unix/Linux or the Windows
> equivalent if you're on that platform. The reason is that you could allow an
> extproc to have all the rights to the database executables and files as the
> Oracle owner which has its own bad consequences. BTW: I did get extproc to
> work through the main listener as well with no problems. It's just a
> potential security issue if you use it that way.
> Dick Goulet / *Capgemini*
> North America P&C / East Business Unit
> Senior Oracle DBA / Hosting
> Office: 508.573.1978 / Mobile: 508.742.5795 / www.capgemini.com
> Fax: 508.229.2019 / Email: *richard.goulet_at_capgemini.com*
> 45 Bartlett St. / Marlborough, MA 01752
> *Together: the Collaborative Business Experience *
> *From:* oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] *On Behalf Of *Jason Heinrich
> *Sent:* Thursday, January 03, 2008 11:02 AM
> *To:* oracle-l
> *Subject:* Listener and extproc security
> I'm looking for clarification on securing extproc, specifically in regards
> to accessing it over TCP in 10.2.0.3. My understanding is that a separate
> listener is recommended for extproc which only listens to IPC calls.
> Otherwise, if the database listener was used, extproc and any allowed
> libraries on the server could be accessed remotely via TCP.
> Most of what I've read on this is from a 9i security bulletin, but I
> haven't seen anything so far that says the situation has changed in 10g. Is
> my understanding of the situation correct, and is this still the recommended
> configuration? I want to make sure I have my facts straight before I
> recommend this to my coworkers.
> Jason Heinrich
-- Jason Heinrich
--
http://www.freelists.org/webpage/oracle-l
Received on Thu Jan 03 2008 - 12:01:42 CST
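The configuration the thread is discussing, written out as an added example (not taken from either poster's environment): a listener.ora showing the risky layout first, with the extproc SID_DESC hanging off the same listener that serves TCP clients, and then the recommended layout with a dedicated IPC-only listener that is started under a low-privilege OS account rather than the Oracle software owner. The ORACLE_HOME path, the IPC key, the library path and the account name are assumed placeholders; EXTPROC_DLLS=ONLY and PRESENTATION=RO are documented Oracle settings that further restrict which libraries extproc will load and which presentation layer it accepts.

```text
# ---- listener.ora -------------------------------------------------------
# (a) RISKY: extproc registered with the database listener.
#     Any client that can reach port 1521 can also reach extproc, so
#     the external libraries become remotely callable.
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example.invalid)(PORT = 1521))
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))   # <- extproc reachable via the same listener
    )
  )
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC = (SID_NAME = PLSExtProc)
                (ORACLE_HOME = /u01/app/oracle/product/10.2.0/db_1)   # placeholder path
                (PROGRAM = extproc))
  )

# (b) RECOMMENDED: database listener serves TCP only ...
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example.invalid)(PORT = 1521))
    )
  )

# ... and a second listener serves extproc over IPC only; no TCP address at all.
LISTENER_EXTPROC =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))   # assumed key name
    )
  )
SID_LIST_LISTENER_EXTPROC =
  (SID_LIST =
    (SID_DESC = (SID_NAME = PLSExtProc)
                (ORACLE_HOME = /u01/app/oracle/product/10.2.0/db_1)   # placeholder path
                (PROGRAM = extproc)
                # Restrict extproc to an explicit list of libraries instead of any DLL/.so
                (ENVS = "EXTPROC_DLLS=ONLY:/u01/app/oracle/extproc/approved_lib.so"))   # placeholder path
  )

# ---- tnsnames.ora (database side) -------------------------------------
# The database resolves EXTPROC_CONNECTION_DATA to reach extproc; it must
# point at the IPC key of the dedicated listener, not at the TCP listener.
EXTPROC_CONNECTION_DATA =
  (DESCRIPTION =
    (ADDRESS_LIST = (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1)))
    (CONNECT_DATA = (SID = PLSExtProc) (PRESENTATION = RO))
  )

# ---- starting the listeners -------------------------------------------
# Run as the Oracle software owner:
#   $ lsnrctl start LISTENER
# Run the extproc listener under a separate low-privilege account
# (Dick's "nobody"; here an assumed dedicated account "extproc"), so that
# library code invoked through extproc does not inherit the Oracle owner's
# rights to the datafiles and binaries:
#   $ su - extproc -c "lsnrctl start LISTENER_EXTPROC"
# Check the result: the extproc listener must report only an IPC endpoint.
#   $ lsnrctl status LISTENER_EXTPROC
#   Listening Endpoints Summary...
#     (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1)))
```

The low-privilege account still needs read and execute access to the extproc binary and the approved library under ORACLE_HOME, and the IPC key in listener.ora and tnsnames.ora must match; if the database-side entry points at the TCP listener, the separation in layout (b) is silently undone.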