Re: gcc compiler

From: Mladen Gogala <mgogala_at_yahoo.com>
Date: Mon, 02 Mar 2015 18:11:25 -0500
Message-ID: <54F4EE1D.5070604_at_yahoo.com>

Nope. So called "natural compilation" is an Oracle gimmick which doesn't require a compiler and will put the output into NCOMP_DLL$ table in the SYS schema. Gory details are here:

http://mgogala.byethost5.com/Native_PLSQL_Execution.html

On 03/02/2015 03:39 PM, MARK BRINSMEAD wrote:
> That is MOSTLY true.
>
> Starting in 10g, as I recall, Oracle has the ability to "natively
> compile" PL/SQL code, though, and for that I suspect you will need the
> C compilers. Natively compiled PL/SQL can be a significant performance
> boost, perhaps enough that you would not want to sacrifice the capability.
>
> I understand the "remove the compilers" thing. Its a pretty common
> "security" measure, and its also sometimes done for change-control
> purposes (to ensure that rogue developers cannot compile and deploy
> new code on a production machine).
>
> In the case of a purpose-built Oracle database server, the measure may
> not be nearly so "pointful", though, as it would be in other contexts.
>
> Do they plan to also remove all JDKs? All JREs? (What about the ones
> inside the database?) How do the security people plan to restrict
> your ability to write shell scripts? To upload executable code? To
> download executable code via HTTP?
>
> Perhaps it would be acceptable to keep the compilers in place, and
> restrict ACCESS to them? (For example, allow only members of the
> group "compiler-users" to run the C compiler, and then make the
> database-owner account a member of that group to allow patching and
> natively-compiled PL/SQL.)
>
> Anyway, be prepared to remove and re-install your compilers. In my
> experience, people who have such rules don't seem to have a lot of
> flexibility when it comes to enforcing them. Alternatively, be
> prepared to compile/link your Oracle binaries on another host entirely
> and resign yourself to the fact that one-off patches are going to be
> more work than they strictly need to be.
>
> Removing the compilers will work. But it will be a headache on occasion.
>
> On Mon, Mar 2, 2015 at 2:25 PM, Chris King <ckaj111_at_yahoo.ca
> <mailto:ckaj111_at_yahoo.ca>> wrote:
>
> Greetings all!
> I’m doing a fresh installation of Oracle 12c and 11g on a new
> linux RHEL6 server. Pre-requisites include gcc and gcc-c++
> compilers. The system admin wants to remove these compilers after
> installation because they constitute a security risk. I’m thinking
> doing so should be okay, as long as these compilers are
> re-installed when Oracle patches are applied. Does anyone have
> experience doing this?
> Thanks in advance.
> ChrisK
>
>

-- 
Mladen Gogala
Oracle DBA
http://mgogala.freehostia.com


--
http://www.freelists.org/webpage/oracle-l

Received on Tue Mar 03 2015 - 00:11:25 CET

This message: [ Message body ]
Next message: Tanel Poder: "Re: gcc compiler"
Previous message: Hans Forbrich: "Re: gcc compiler"
Maybe in reply to: Chris King: "gcc compiler"
Next in thread: Tanel Poder: "Re: gcc compiler"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]

Original text of this message