Security in OWAS 3.0

From: <dipascua_at_seciu.edu.uy>
Date: 1998/03/04
Message-ID: <6dke8c$u43$1_at_nnrp1.dejanews.com>#1/1


We are implementing a service using OWAS 3.0 and Workgroup Server 7.3.2 on Solaris 2.5.1 x86, and I have the following doubts:

1 - In the on-line documentation of OWAS, it is recommended to use ports higher than 1024 so that there is no need to run the listener as root. In case there is a need to use port 80, it is recommended to set 0 as the maximum number of connections of root's listener, and readdress all connection attempts over the maximum allowed to the listener with lower grants.

First problem: the minimum figure possible in the field 'Max.Connect Count' is 1.

Second problem: when setting 1, readdressing seems to work well, but the listener starts sending several messages per second to stdout and to the log, saying 'Information: The server has reached its maximum number of connections. Listening will be suspended temporarily'. One possible solution to this could be to specify the log file of the listener as /dev/null, but I don't really think it is a good option. Besides, when I do it this way, SOMETIMES the browser displays the message 'The request did no specify a valid virtual host'.

2 - Do I really need to follow that mechanism? When a listener is executed, two 'oraweb' processes are run, one the son of the other. The father runs with the grants of the user who executed the listener, but the son runs with those of the user specified in the listener's configuration. In case the son is executed, for instance, as 'nobody', is the system's security still compromised since the father is running as 'root'?

3 - In case everything works out well, is there any disadvantage in using the readdressing mechanism?

Please, I do need help given that I couldn't find any documentation about this on the Internet, and our local Oracle Technical Service couldn't give me any clue about it either.

Thanks.

Diego Di Pascua
dipascua_at_seciu.edu.uy
SECIU - Universidad de la Republica

Received on Wed Mar 04 1998 - 00:00:00 CET
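
One way to check the process arrangement described in question 2 on a running host, as an added example that is not part of the original post: it lists every 'oraweb' process with its owner and its parent's owner, and marks the ones still running as root. The function names, the `oracle` account and the sample `ps` output are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which 'oraweb' listener processes run as root.
# Input format: output of `ps -e -o pid,ppid,user,comm` (POSIX ps columns).

# Constructed sample mirroring the post: a root father with a 'nobody' son,
# plus a second listener started by an unprivileged (hypothetical) user.
SAMPLE_PS='  PID  PPID USER     COMMAND
    1     0 root     init
  412     1 root     oraweb
  413   412 nobody   oraweb
  520     1 oracle   oraweb
  521   520 oracle   oraweb
  600     1 root     inetd'

# audit_oraweb: reads ps output on stdin, prints one line per oraweb process.
#   ROOT   = the process holds root privileges
#   UNPRIV = the process runs as a non-root user
audit_oraweb() {
    awk '
        NR == 1 { next }                      # skip the header row
        { user[$1] = $3; ppid[$1] = $2; comm[$1] = $4; order[++n] = $1 }
        END {
            for (i = 1; i <= n; i++) {
                p = order[i]
                if (comm[p] !~ /(^|\/)oraweb$/) continue
                pu = (ppid[p] in user) ? user[ppid[p]] : "unknown"
                # a process whose parent is also oraweb is the spawned child
                role = (comm[ppid[p]] ~ /(^|\/)oraweb$/) ? "child" : "parent"
                tag = (user[p] == "root") ? "ROOT" : "UNPRIV"
                printf "%s %s pid=%s user=%s parent_user=%s\n", tag, role, p, user[p], pu
            }
        }'
}

# count_root_oraweb: number of oraweb processes on stdin that run as root.
count_root_oraweb() {
    audit_oraweb | awk '$1 == "ROOT" { c++ } END { print c + 0 }'
}

# Run against the constructed sample; on a live host use:
#   ps -e -o pid,ppid,user,comm | audit_oraweb
printf '%s\n' "$SAMPLE_PS" | audit_oraweb
```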
