DBAsupport.com Forums - Powered by vBulletin

Thread: pwd protect the lsnr...WHY??? WHY NOT???

  1. #1
    Join Date
    Jan 2006
    Posts
    5

    pwd protect the lsnr...WHY??? WHY NOT???

    In Oracle 9i Rel 2 on AIX 5.2
    (40 db servers behind a firewall and internal use only)
    Why is it necessary to password protect the listener? I don't see any reason to do it. Please give me both sides of the argument.
    thanks all :-)

    John

  2. #2
    Join Date
    Sep 2002
    Location
    England
    Posts
    7,334
    what about protecting it from internal people?

  3. #3
    Join Date
    Jan 2006
    Posts
    5

    Protecting from client users and non-admin users

    I suppose that it could be to protect from a user running the lsnrctl stop command. I'm just looking for some info that makes it necessary, and the client is not able to give me any tangible reason why. My theory is that if the OS level users are given proper privileges then no one should have privileges to execute that command except those granted execute permissions. I hope this helps.

    Thanks for your input...

  4. #4
    Join Date
    Mar 2004
    Location
    DC,USA
    Posts
    650
    Quote Originally Posted by jwillette
    I suppose that it could be to protect from a user running the lsnrctl stop command. I'm just looking for some info that makes it necessary, and the client is not able to give me any tangible reason why. My theory is that if the OS level users are given proper privileges then no one should have privileges to execute that command except those granted execute permissions. I hope this helps.

    Thanks for your input...
    1+1=2

    or

    1+2-3+4-2=2

    Your wish is your preference
    "What is past is PROLOGUE"

  5. #5
    Join Date
    May 2005
    Location
    AZ, USA
    Posts
    131

  6. #6
    Join Date
    Jan 2006
    Posts
    5

    listener security..why?...why not?

    Thank you for the input...I have discovered that if the OS level security and the extproc functionality is secure and removed, then there is no fear of a remote attack on the listener. Tested it out and found that I could not stop the lsnr remotely unless the extproc entry was in the listener.ora file. Also, the OS privilege on UNIX must be set to -rwxr--r-- or -rwx------ for the lsnrctl, tnslsnr and listener.ora files, which allows only read or no permissions for anyone who is not in the correct group and the "oracle" user and "dba" groups.

  7. #7
    Join Date
    Jan 2006
    Posts
    5
    Not sure about the necessity but I am more concerned how to automate startup/shutdown process.
    /init.d/dbora usually has entries like those:
    lsnrctl start

    lsnrctl stop

    With password option set this will become invalid and return:

    TNS-01169: The listener has not recognized the password

    Any ideas?

  8. #8
    Join Date
    May 2005
    Location
    AZ, USA
    Posts
    131
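    # Stop every listener named in listener.ora when the script is called with "stop".
    # LSNRCTL is not set in this snippet; it is assumed to be defined earlier in the script.
    cat $ORACLE_HOME/network/admin/listener.ora | grep '^LISTENER' | awk -F" " '{print $1}' | while read LINE
    do
    case $LINE in
    *)
    case "$1" in
    # Feed the password and the stop command to lsnrctl through a here-document.
    'stop') $ORACLE_HOME/bin/$LSNRCTL <<EOF
    set password gd_05
    stop $LINE
    quit
    EOF
    echo "$LINE is stopped"
    ;;
    *) ;;
    esac
    ;;
    esac
    done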

  9. #9
    Join Date
    Jan 2006
    Posts
    5
    Thank you for your input. After checking more than 12 different forums and message boards, I have this conclusion to make: it is up to the DBA/company what, if any, password protection is used for the listener. If you're going to use it, then for DBSHUT and DBSTART use the following code:

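    #!/usr/bin/sh
    # LISTENER_NAME and LISTENER_PASSWORD are placeholders; substitute your own values.
    lsnrctl << EOF
    set current_listener LISTENER_NAME
    set password LISTENER_PASSWORD
    stop
    exit
    EOF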

    modify it as you require.
    As for encryption it is virtually useless. Why you ask...If a user has the privilege to look at the listener.ora file, he can copy and paste the encrypted password into his connect string, thereby rendering the encrypted password protection useless. Use pwd protection on the listener for cases where a lot of users/developers have access to the ORACLE_HOME directory tree.

    Thanks all for your input.....I'm Out

    Peyton is the best QB in all the land

  10. #10
    Join Date
    Oct 2005
    Location
    Indianapolis
    Posts
    100
    Quote Originally Posted by jwillette
    ...If a user has the privilege to look at the listener.ora file, he can

    Peyton is the best QB in all the land
    that's why you should always check permissions, so world can't see your setup/scripts/text files.

    Thanks for your kind words on Peyton, we rather love him here in Indy...
    "False data can act only as a distraction. Therefore. I shall refuse to perceive you." - Bomb #20
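
Added example, not part of any post in the thread: a small audit of the file permissions discussed in posts #6, #9 and #10. It flags anything looser than -rwxr--r-- on lsnrctl, tnslsnr and listener.ora, and any world-readable file that carries a listener password. The function names, the ORACLE_HOME/bin and ORACLE_HOME/network/admin layout, and the sample tree built by make_sample_home are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed layout: ORACLE_HOME/bin and
# ORACLE_HOME/network/admin, matching the paths quoted in the posts.

# has_perm FILE BITS: true if every permission bit in octal BITS is set.
has_perm() {
    [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]
}

# audit_listener_perms ORACLE_HOME [SCRIPT...]
# Prints one finding per line; exit status is 1 if anything was found.
audit_listener_perms() {
    home=$1; shift
    rc=0
    for f in "$home/bin/lsnrctl" "$home/bin/tnslsnr" \
             "$home/network/admin/listener.ora" "$@"; do
        [ -e "$f" ] || continue
        # Post #6 allows at most rwxr--r--: no group/other write or execute.
        for bits in 020 010 002 001; do
            if has_perm "$f" "$bits"; then
                echo "LOOSE $bits $f"; rc=1
            fi
        done
        # Posts #9/#10: a world-readable file holding the password defeats it.
        if has_perm "$f" 004 &&
           grep -Eiq '^[[:space:]]*(set[[:space:]]+password|PASSWORDS_)' "$f"
        then
            echo "SECRET 004 $f"; rc=1
        fi
    done
    return "$rc"
}

# make_sample_home DIR: constructed sample tree (not a real Oracle install).
make_sample_home() {
    mkdir -p "$1/bin" "$1/network/admin"
    : > "$1/bin/lsnrctl"; : > "$1/bin/tnslsnr"
    printf 'PASSWORDS_LISTENER = (CONSTRUCTED_HASH)\n' > "$1/network/admin/listener.ora"
    printf 'lsnrctl <<EOF\nset password CONSTRUCTED\nstop\nEOF\n' > "$1/dbora"
    chmod 700 "$1/bin/lsnrctl"
    chmod 755 "$1/bin/tnslsnr"                  # group/other execute
    chmod 644 "$1/network/admin/listener.ora"   # world-readable secret
    chmod 600 "$1/dbora"
}

# Real use: sh audit.sh "$ORACLE_HOME" /etc/init.d/dbora
if [ "$#" -gt 0 ]; then audit_listener_perms "$@"; fi
```

Extra arguments after the ORACLE_HOME path are startup/shutdown scripts to include in the check, since a script with an embedded `set password` line exposes the same secret as listener.ora.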
