
LSNRCTL Password is not Necessarily Useless

From: MacGregor, Ian A. <ian_at_SLAC.Stanford.EDU>
Date: Sat, 12 May 2001 11:36:03 -0700
Message-ID: <F001.0030201A.20010512112524@fatcity.com>

The Oracle listener has a major security hole. The following is taken from some patch notes.



# The patch allows a database administrator to restrict run-time
# administration of the Oracle listener program. A new parameter,
# ADMIN_RESTRICTIONS_LISTENER, has been introduced into listener.ora,
# the control file for the Oracle listener program.
# Setting ADMIN_RESTRICTIONS_LISTENER=ON prevents the vulnerability
# from being exploited by disabling the run-time modification of
# parameters in listener.ora. That is, the listener program will
# refuse to accept SET commands that alter its parameters and
# attempting to issue a SET command will result in the generation
# of an error message. Thus, to change any one of the parameters
# in listener.ora, including ADMIN_RESTRICTIONS_LISTENER itself,
# this file needs to be edited manually and its parameters need to be
# reloaded manually (e.g., lsnrctl reload) for the new changes to
# take effect without explicitly stopping and restarting the
# listener program. Operating system access to the protected Oracle
# account owner directories and files is required to edit listener.ora.
#
# Note that the Oracle account owner directories and files must be
# protected in the operating system by setting the access control
# permissions on them as recommended by Oracle Corporation in its
# user manuals.
#
# ADMIN_RESTRICTIONS_LISTENER=OFF is the default
# value when the listener program is installed in order to maintain
# current customer environments and backward compatibility. There
# is no change in the run-time behavior of the listener program or
# in syntax of the SET commands in this mode of operation. Oracle
# Corporation recommends establishing the listener program password
# in this mode of operation.
#

Note, it's any parameter! Anyone exploiting this bug can overwrite any Oracle file. I don't know when the bug was introduced. I believe all net 8 listeners are vulnerable. You do not need to patch the 8.1.7 listener but you do need to set the ADMIN_RESTRICTIONS_LISTENER parameter. There are patches for 8.1.6.0, .1, and .2, but not as far as I know for 8.1.6.3. The patches allow you to set the above parameter. If there is no patch, you need to set a password. There are patches for 8.0.6 as well.

This is bug 1361722

Ian MacGregor
Stanford Linear Accelerator Center
ian_at_slac.stanford.edu

-----Original Message-----
Sent: Wednesday, May 09, 2001 6:50 PM
To: Multiple recipients of list ORACLE-L

I see someone has already given you instructions on how to use a password with listener.ora.

Just thought I might add that they are fairly useless, as you *cannot* prevent someone with dba group privileges on another node of the network from shutting down your listener.

They won't be able to start it, but they'll sure be able to shut it down, and you can't keep them from doing it.

We ran into this at my last employer, and decided passwords on the listener were a waste of time.

Jared

On Wednesday 09 May 2001 15:45, Smith, Ron L. wrote:
> Can anyone tell me what the syntax is to start, stop, or reload the
> listener when there is a password on it?

-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.com
-- 
Author: Jared Still
  INET: jkstill_at_cybcon.com

Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
San Diego, California        -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).
Author: MacGregor, Ian A.
  INET: ian_at_SLAC.Stanford.EDU
Received on Sat May 12 2001 - 13:36:03 CDT
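
An added example, not part of the original thread or of Oracle's patch: a small audit of listener.ora that reports, per listener, whether the ADMIN_RESTRICTIONS setting from the patch notes is ON, whether only a password is set, or neither. The sample files, the host name, and the rule that a listener is any top-level entry defining an ADDRESS are assumptions made for the illustration; PASSWORDS_LISTENER is the listener.ora password parameter.

```python
import re

# Constructed listener.ora samples (hypothetical host; not from the post).
WEAK = """\
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example)(PORT = 1521))))
# ADMIN_RESTRICTIONS_LISTENER = ON   <- commented out, so not in effect
"""
PASSWORD_ONLY = WEAK + "PASSWORDS_LISTENER = (0123456789ABCDEF)\n"
HARDENED = PASSWORD_ONLY + "ADMIN_RESTRICTIONS_LISTENER = ON\n"


def top_level_params(text):
    """Map each top-level NAME to its raw value, following nested parentheses
    across lines. Simplification: '#' always starts a comment."""
    params, name, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"([A-Za-z_]\w*)\s*=\s*(.*)", line) if depth == 0 else None
        if m:
            name, rest = m.group(1).upper(), m.group(2)
            params[name] = rest
        elif name:
            rest = line
            params[name] += rest
        else:
            continue
        depth += rest.count("(") - rest.count(")")
    return params


def audit(text):
    """Return {listener_name: 'restricted' | 'password-only' | 'exposed'}."""
    params = top_level_params(text)
    result = {}
    for name, value in params.items():
        if "(ADDRESS" not in value.upper().replace(" ", ""):
            continue  # assumption: a listener is any entry that defines an ADDRESS
        if params.get("ADMIN_RESTRICTIONS_" + name, "OFF").upper() == "ON":
            result[name] = "restricted"      # run-time SET commands are refused
        elif params.get("PASSWORDS_" + name, "").strip("() "):
            result[name] = "password-only"   # fallback where no patch exists
        else:
            result[name] = "exposed"         # default OFF and no password
    return result
```

Run `audit(open(path).read())` against each listener.ora; any listener not reported as `restricted` still accepts run-time SET commands according to the patch notes quoted above.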
