Re: No local connection via sqlplus (TNS:lost contact)

From: Laurenz Albe <invite_at_spam.to.invalid>
Date: 28 Nov 2005 09:22:15 GMT
Message-ID: <1133169721.473434@proxy.dienste.wien.at>

Thorsten Jens <thojens_at_gmx.de> wrote:

>> >Any ideas?
>>
>> LD_LIBRARY_PATH or LIBPATH issue?

>
> (to you and all the people who pointed me to LD_LIBRARY_PATH)
> PATH and LD_LIBRARY_PATH are the same for both users, LIBPATH is set
> for neither of them! Even specifying LD_LIBRARY_PATH directly brings no
> improvement. Check this out:
> ------------------------------------------------------------
> oracle_at_xxx ~ $ LD_LIBRARY_PATH=/oracle/product/9.2.0/lib ldd `which
> oracle`
> libodm9.so => /oracle/product/9.2.0/lib/libodm9.so
[...]
> ------------------------------------------------------------
>
> Copy and pasting the exact same line to the other user:
> ------------------------------------------------------------
> oraload_at_xxx ~ $ LD_LIBRARY_PATH=/oracle/product/9.2.0/lib ldd `which
> oracle`
> libodm9.so => (file not found)

I think I know what your problem is.

To sum up the situation:
The oracle executable has the SETUID and SETGID bits set as it should, but only the oracle user can connect via sqlplus, other users in the dba group cannot. Setting LD_LIBRARY_PATH does not help.

Was this correct so far?

The problem is that because the SETUID bit is set, the LD_LIBRARY_PATH is ignored for the executable for other users. This is to prevent a security leak: else you could set LD_LIBRARY_PATH to a forged libc library and get it executed as root by invoking su, for example.

The solution is to add /oracle/product/9.2.0/lib to the trusted library path with crle.

Check with your system documentation as I have no Solaris in reach, but crle -uvs/oracle/product/9.2.0/lib
should do the trick.

Is there an RPATH in Solaris? If yes, that would be another possibility: relink the oracle executable so that it directly references the correct library path.

Yours,
Laurenz Albe Received on Mon Nov 28 2005 - 03:22:15 CST