Re: Different OS user to start/stop listener

From: Pete Finnigan <pete_at_petefinnigan.com>
Date: Fri, 04 Nov 2011 20:39:32 +0000
Message-ID: <4EB44D84.4080600_at_petefinnigan.com>



By setting this undocumented parameter you have allowed the listener to be authenticated remotely using a password only if you set one or none if you don't set one!! This is much worse security

You need a better solution,

cheers

Pete

LS Cheng wrote:
> Hi Peter
>
> The reason I am trying to do this is that I am going to give some
> operators privilege to start/stop listener and the database, hence I
> have created osoper group.
>
> The thing is that each operator has their own OS user and each of them
> requires osoper, if only one user can manage the listener then I have a
> big problem, if the guy who started the listener is not in his shift I
> will have to call root to stop/kill his process.
>
> I just found the option to relax the security or revert to older version
> behaviour by setting LOCAL_OS_AUTHENTICATION_LISTENER to OFF, this
> solves the problem everyone in osdba and osoper group can start/stop the
> listener but the log problem still persists due to the 640 permission.
>
> If relaxing is not a good option, I guess my only choice to solve both
> issues is create a generic osoper user to manage the listener process?
>
> Thank you
>
> --
> LSC
>
>
> On Fri, Nov 4, 2011 at 7:30 PM, Pete Finnigan <pete_at_petefinnigan.com> wrote:
>
> In 10g the local listener authentication worked at the OSDBA group
> level, in 11g it works at the user level hence you get this error
> message.
>
> You need to simply stop and start the listener with one user and make
> sure that user owns the logs.
>
> Don't relax security, Oracle have made the security of the listener
> stronger so it makes sense not to weaken it.
>
> cheers
>
> Pete
>
> LS Cheng wrote:
> > Hi
> > Does anyone know if it is possible to stop a listener started by another
> > user in 11gR2 (I am not sure if 10g had same behaviour).
> >
> > For instance I have user1 and user2 as dba users in the operating system,
> > if user1 starts listener then it seems that only user1 can stop the
> > listener, when trying with user2 I am getting
> >
> > TNS-01190: The user is not authorized to execute the requested listener
> > command
> >
> > I also have a problem with the logfile, since the listener logfiles are
> > created with 640 permission if I start the listener using a user who didn't
> > create this file before then nothing is written in the log, this is obviously
> > due to 640 permission but the not so obvious thing is I don't get any
> > complaints when starting the listener as another user.
> >
> > Anyone's got experience with these issues :-? Maybe I need to relax some
> > security restrictions?
> >
> > Thanks
> >
> > --
> > LSC
> >
> >
> > --
> > http://www.freelists.org/webpage/oracle-l
> >
> >
> >
>
> --
>
> Pete Finnigan
> CEO and Founder
> PeteFinnigan.com Limited
>
> Specialists in database security.
>
> Makers of PFCLScan the database security auditing tool.
> Makers of PFCLObfuscate the tool to protect IPR in your PL/SQL
>
> If you need help to audit or secure an Oracle database, please ask for
> details of our training courses and consulting services
>
> Phone: +44 (0)1904 791188
> Fax : +44 (0)1904 791188
> Mob : +44 (0)7759 277220
> email: pete_at_petefinnigan.com
> site : http://www.petefinnigan.com
>
> Registered Office: 9 Beech Grove, Acomb, York, YO26 5LD, United Kingdom
> Company No : 4664901
> VAT No. : 940668114
>
> Please note that this email communication is intended only for the
> addressee and may contain confidential or privileged information. The
> contents of this email may be circulated internally within your
> organisation only and may not be communicated to third parties without
> the prior written permission of PeteFinnigan.com Limited. This email is
> not intended nor should it be taken to create any legal relations,
> contractual or otherwise.
>
>

-- 

Pete Finnigan
CEO and Founder
PeteFinnigan.com Limited

Specialists in database security.

Makers of PFCLScan the database security auditing tool.
Makers of PFCLObfuscate the tool to protect IPR in your PL/SQL

If you need help to audit or secure an Oracle database, please ask for
details of our training courses and consulting services

Phone: +44 (0)1904 791188
Fax  : +44 (0)1904 791188
Mob  : +44 (0)7759 277220
email: pete_at_petefinnigan.com
site : http://www.petefinnigan.com

Registered Office: 9 Beech Grove, Acomb, York, YO26 5LD, United Kingdom
Company No       : 4664901
VAT No.          : 940668114

Please note that this email communication is intended only for the
addressee and may contain confidential or privileged information. The
contents of this email may be circulated internally within your
organisation only and may not be communicated to third parties without
the prior written permission of PeteFinnigan.com Limited.  This email is
not intended nor should it be taken to create any legal relations,
contractual or otherwise.

--
http://www.freelists.org/webpage/oracle-l
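The thread raises two things an operator can check before touching the listener: whether listener.ora has LOCAL_OS_AUTHENTICATION_LISTENER switched to OFF (the relaxation Pete warns against), and whether the listener log is owned by the OS user who is about to start the listener (with the default 640 mode, a different user silently writes nothing). The script below is an added example written for this page; it is not code from the thread or from Oracle. The file paths, the listener name and the user name are placeholders supplied by the caller, and the sample listener.ora lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): two audit checks for the
# listener configuration discussed above. All paths and names are
# placeholders passed in by the caller.

# check_listener_ora FILE NAME
# Prints WEAK when LOCAL_OS_AUTHENTICATION_<NAME> is set to OFF in FILE
# (the relaxation the thread discusses), otherwise OK.
# Comment lines are ignored; whitespace and case do not matter.
check_listener_ora() {
  file=$1
  name=$2
  if grep -v '^[[:space:]]*#' "$file" \
     | tr -d ' \t' \
     | grep -iq "^LOCAL_OS_AUTHENTICATION_${name}=OFF"; then
    echo WEAK
  else
    echo OK
  fi
}

# check_log_owner FILE EXPECTED_USER
# Prints OK when FILE is owned by EXPECTED_USER, MISSING when FILE does
# not exist, otherwise MISMATCH:<owner>:<mode>. With a 640 log owned by
# someone else, a listener started by EXPECTED_USER cannot write to it
# and, as the thread notes, reports no error about it.
check_log_owner() {
  file=$1
  expected=$2
  [ -e "$file" ] || { echo MISSING; return; }
  # ls -ld prints: mode links owner group ...; fields 1 and 3 are portable.
  set -- $(ls -ld "$file")
  mode=$1
  owner=$3
  if [ "$owner" = "$expected" ]; then
    echo OK
  else
    echo "MISMATCH:$owner:$mode"
  fi
}

# Usage (placeholders):
#   check_listener_ora "$ORACLE_HOME/network/admin/listener.ora" LISTENER
#   check_log_owner /path/to/listener.log "$(id -un)"
```

Run both checks as the operator who is about to issue lsnrctl; a WEAK result means the listener.ora change should be reverted, and a MISMATCH result means the log will go unwritten until ownership matches the starting user, which is the "one user starts and stops the listener and owns the logs" arrangement Pete recommends.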
Received on Fri Nov 04 2011 - 15:39:32 CDT
