Message-ID: <54F4EE1D.5070604@yahoo.com>
Date: Mon, 02 Mar 2015 18:11:25 -0500
From: "Mladen Gogala" <dmarc-noreply@freelists.org> (Redacted sender "mgogala@yahoo.com" for DMARC)
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: oracle-l@freelists.org
Subject: Re: gcc compiler
References: <1211288883.1853437.1425324345912.JavaMail.yahoo@mail.yahoo.com> <CAAaXtLBZFhgnW+AWnHQp8tmwqhKmemcF7aot0TTwwVxzj_1mxQ@mail.gmail.com>
In-Reply-To: <CAAaXtLBZFhgnW+AWnHQp8tmwqhKmemcF7aot0TTwwVxzj_1mxQ@mail.gmail.com>
Content-Type: multipart/alternative;
 boundary="------------060303050008010807020901"
Sender: oracle-l-bounce@freelists.org
Errors-to: oracle-l-bounce@freelists.org
Precedence: normal
Reply-To: dmarc-noreply@freelists.org
--------------060303050008010807020901
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit

Nope. So called "natural compilation" is an Oracle gimmick which doesn't 
require a compiler and will put the output into NCOMP_DLL$ table in the 
SYS schema. Gory details are here:

http://mgogala.byethost5.com/Native_PLSQL_Execution.html


On 03/02/2015 03:39 PM, MARK BRINSMEAD wrote:
> That is MOSTLY true.
>
> Starting in 10g, as I recall, Oracle has the ability to "natively 
> compile" PL/SQL code, though, and for that I suspect you will need the 
> C compilers. Natively compiled PL/SQL can be a significant performance 
> boost, perhaps enough that you would not want to sacrifice the capability.
>
> I understand the "remove the compilers" thing.  Its a pretty common 
> "security" measure, and its also sometimes done for change-control 
> purposes (to ensure that rogue developers cannot compile and deploy 
> new code on a production machine).
>
> In the case of a purpose-built Oracle database server, the measure may 
> not be nearly so "pointful", though, as it would be in other contexts.
>
> Do they plan to also remove all JDKs?  All JREs?  (What about the ones 
> inside the database?)  How do the security people plan to restrict 
> your ability to write shell scripts?  To upload executable code?  To 
> download executable code via HTTP?
>
> Perhaps it would be acceptable to keep the compilers in place, and 
> restrict ACCESS to them?  (For example, allow only members of the 
> group  "compiler-users" to run the C compiler, and then make the 
> database-owner account a member of that group to allow patching and 
> natively-compiled PL/SQL.)
>
> Anyway, be prepared to remove and re-install your compilers. In my 
> experience, people who have such rules don't seem to have a lot of 
> flexibility when it comes to enforcing them. Alternatively, be 
> prepared to compile/link your Oracle binaries on another host entirely 
> and resign yourself to the fact that one-off patches are going to be 
> more work than they strictly need to be.
>
> Removing the compilers will work.  But it will be a headache on occasion.
>
> On Mon, Mar 2, 2015 at 2:25 PM, Chris King <ckaj111@yahoo.ca 
> <mailto:ckaj111@yahoo.ca>> wrote:
>
>     Greetings all!
>     I’m doing a fresh installation of Oracle 12c and 11g on a new
>     linux RHEL6 server. Pre-requisites include gcc and gcc-c++
>     compilers. The system admin wants to remove these compilers after
>     installation because they constitute a security risk. I’m thinking
>     doing so should be okay, as long as these compilers are
>     re-installed when Oracle patches are applied. Does anyone have
>     experience doing this?
>     Thanks in advance.
>     ChrisK
>
>


-- 
Mladen Gogala
Oracle DBA
http://mgogala.freehostia.com


--------------060303050008010807020901
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: 8bit

<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">Nope. So called "natural compilation"
      is an Oracle gimmick which doesn't require a compiler and will put
      the output into NCOMP_DLL$ table in the SYS schema. Gory details
      are here:<br>
      <br>
      <a class="moz-txt-link-freetext" href="http://mgogala.byethost5.com/Native_PLSQL_Execution.html">http://mgogala.byethost5.com/Native_PLSQL_Execution.html</a><br>
      <br>
      <br>
      On 03/02/2015 03:39 PM, MARK BRINSMEAD wrote:<br>
    </div>
    <blockquote
cite="mid:CAAaXtLBZFhgnW+AWnHQp8tmwqhKmemcF7aot0TTwwVxzj_1mxQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>
          <div>
            <div>
              <div>
                <div>
                  <div>
                    <div>That is MOSTLY true.<br>
                      <br>
                    </div>
                    Starting in 10g, as I recall, Oracle has the ability
                    to "natively compile" PL/SQL code, though, and for
                    that I suspect you will need the C compilers. 
                    Natively compiled PL/SQL can be a significant
                    performance boost, perhaps enough that you would not
                    want to sacrifice the capability.<br>
                    <br>
                  </div>
                  I understand the "remove the compilers" thing.  Its a
                  pretty common "security" measure, and its also
                  sometimes done for change-control purposes (to ensure
                  that rogue developers cannot compile and deploy new
                  code on a production machine).<br>
                  <br>
                </div>
                In the case of a purpose-built Oracle database server,
                the measure may not be nearly so "pointful", though, as
                it would be in other contexts.<br>
                <br>
              </div>
              Do they plan to also remove all JDKs?  All JREs?  (What
              about the ones inside the database?)  How do the security
              people plan to restrict your ability to write shell
              scripts?  To upload executable code?  To download
              executable code via HTTP?<br>
              <br>
            </div>
            Perhaps it would be acceptable to keep the compilers in
            place, and restrict ACCESS to them?  (For example, allow
            only members of the group  "compiler-users" to run the C
            compiler, and then make the database-owner account a member
            of that group to allow patching and natively-compiled
            PL/SQL.)<br>
            <br>
          </div>
          Anyway, be prepared to remove and re-install your compilers. 
          In my experience, people who have such rules don't seem to
          have a lot of flexibility when it comes to enforcing them. 
          Alternatively, be prepared to compile/link your Oracle
          binaries on another host entirely and resign yourself to the
          fact that one-off patches are going to be more work than they
          strictly need to be.<br>
          <br>
        </div>
        Removing the compilers will work.  But it will be a headache on
        occasion.<br>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Mon, Mar 2, 2015 at 2:25 PM, Chris
          King <span dir="ltr">&lt;<a moz-do-not-send="true"
              href="mailto:ckaj111@yahoo.ca" target="_blank">ckaj111@yahoo.ca</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div>
              <div
                style="color:#000;background-color:#fff;font-family:HelveticaNeue,Helvetica
                Neue,Helvetica,Arial,Lucida
                Grande,sans-serif;font-size:16px">
                <div dir="ltr">
                </div>
                <div><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d">Greetings
                    all!</span></div>
                <div><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d"> </span></div>
                <div><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d">I’m
                    doing a fresh installation of Oracle 12c and 11g on
                    a new linux
                    RHEL6 server. Pre-requisites include gcc and gcc-c++
                    compilers. The system
                    admin wants to remove these compilers after
                    installation because they
                    constitute a security risk. I’m thinking doing so
                    should be okay, as long as these
                    compilers are re-installed when Oracle patches are
                    applied. Does anyone have
                    experience doing this?</span></div>
                <div><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d"> </span></div>
                <div><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d">Thanks
                    in advance.</span></div>
                <div><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d">ChrisK</span></div>
                <div dir="ltr"><br>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
    <br>
    <pre class="moz-signature" cols="72">-- 
Mladen Gogala
Oracle DBA
<a class="moz-txt-link-freetext" href="http://mgogala.freehostia.com">http://mgogala.freehostia.com</a>
</pre>
  </body>
</html>

--------------060303050008010807020901--
--
http://www.freelists.org/webpage/oracle-l