Re: Different OS user to start/stop listener

From: LS Cheng <exriscer_at_gmail.com>
Date: Fri, 4 Nov 2011 21:19:57 +0100
Message-ID: <CAJ2-Qb_Nh52ccsREQGAXh5nXO9Zu66d=-F=OvS=wEKV=TdpBnA_at_mail.gmail.com>



Hi Peter
The reason I am trying to do this is that I am going to give some operators privilege to start/stop listener and the database, hence I have created osoper group.

The thing is that each operator has their own OS user and each of them requires osoper. If only one user can manage the listener then I have a big problem: if the guy who started the listener is not in his shift I will have to call root to stop/kill his process.

I just found the option to relax the security or revert to the older version's behaviour by setting LOCAL_OS_AUTHENTICATION_LISTENER to OFF. This solves the problem, everyone in the osdba and osoper groups can start/stop the listener, but the log problem still persists due to the 640 permission.

If relaxing is not a good option, I guess my only choice to solve both issues is to create a generic osoper user to manage the listener process?

Thank you

--
LSC


On Fri, Nov 4, 2011 at 7:30 PM, Pete Finnigan <pete_at_petefinnigan.com> wrote:


> In 10g the local listener authentication worked at the OSDBA group
> level, in 11g it works at the user level hence you get this error message.
>
> You need to simply stop and start the listener with one user and make
> sure that user owns the logs.
>
> Don't relax security, Oracle have made the security of the listener
> stronger so it makes sense not to weaken it.
>
> cheers
>
> Pete
>
> LS Cheng wrote:
> > Hi
> > Does anyone know if it is possible to stop a listener started by another
> > user in 11gR2 (I am not sure if 10g had same behaviour).
> >
> > For instance I have user1 and user2 as dba users in the operating system,
> > if user1 starts listener then it seems that only user1 can stop the
> > listener, when trying with user2 I am getting
> >
> > TNS-01190: The user is not authorized to execute the requested listener
> > command
> >
> > I also have a problem with the logfile, since the listener logfiles are
> > created with 640 permission if I start the listener using a user who
> > didn't create this file before then nothing is written in the log, this is
> > obvious due to 640 permission but the not so obvious thing is I don't get
> > any complaints when starting the listener as another user.
> >
> > Anyone's got experience with these issues :-? Maybe I need to relax some
> > security restrictions?
> >
> > Thanks
> >
> > --
> > LSC
> >
> >
> > --
> > http://www.freelists.org/webpage/oracle-l
> >
> >
> >
-- http://www.freelists.org/webpage/oracle-l
Received on Fri Nov 04 2011 - 15:19:57 CDT
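
The two conditions discussed in this thread can be checked from the shell. The following is an added example, not part of either message: it reports any listener whose listener.ora sets LOCAL_OS_AUTHENTICATION_<name> to OFF, and flags a listener log whose mode (such as 640) leaves it writable by its owner only. The function names, the listener name LISTENER and the sample files are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. File names, the listener name LISTENER
# and the sample contents are constructed for illustration.

# Print the (upper-cased) name of each listener whose listener.ora sets
# LOCAL_OS_AUTHENTICATION_<name> = OFF, the relaxation discussed above.
# Commented-out lines (starting with #) are ignored.
relaxed_listeners() {
  awk -F= '{
    key = toupper($1); val = toupper($2)
    gsub(/[ \t\r]/, "", key); gsub(/[ \t\r]/, "", val)
    if (key ~ /^LOCAL_OS_AUTHENTICATION_/ && val == "OFF") {
      sub(/^LOCAL_OS_AUTHENTICATION_/, "", key); print key
    }
  }' "$1"
}

# Succeed only if the group write bit is set on the log file. With mode 640
# (rw-r-----) a group member other than the owner cannot append to it.
log_group_writable() {
  [ "$(ls -ld -- "$1" | cut -c6)" = "w" ]
}

# Report both findings for one listener.ora / listener log pair.
audit_listener() {
  for name in $(relaxed_listeners "$1"); do
    echo "RELAXED: local OS authentication is OFF for listener $name"
  done
  if ! log_group_writable "$2"; then
    echo "LOG: $2 is not group-writable; other group members cannot write to it"
  fi
}

# Build constructed sample files in directory $1.
make_sample() {
  printf '%s\n' '# constructed sample listener.ora' \
    'LOCAL_OS_AUTHENTICATION_LISTENER = OFF' > "$1/listener.ora"
  : > "$1/listener.log"
  chmod 640 "$1/listener.log"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
audit_listener "$demo_dir/listener.ora" "$demo_dir/listener.log"
rm -rf "$demo_dir"
```

The log check looks only at the mode bits, so it flags the silent logging failure described above before a second OS user starts the listener.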