-
pwd protect the lsnr...WHY??? WHY NOT???
In Oracle 9i Rel 2 on AIX 5.2
(40 db servers behind a firewall and internal use only)
Why is it necessary to password protect the listener? I don't see any reason to do it. Please give me both sides of the argument.
thanks all :-)
John
-
what about protecting it from internal people?
-
Protecting from client users and non-admin users
I suppose that it could be to protect from a user running the lsnrctl stop command. I'm just looking for some info that makes it necessary, and the client is not able to give me any tangible reason why. My theory is that if the OS level users are given proper privileges then no one should have privileges to execute that command except those granted execute permissions. I hope this helps.
Thanks for your input...
-
Originally Posted by jwillette
I suppose that it could be to protect from a user running the lsnrctl stop command. I'm just looking for some info that makes it necessary, and the client is not able to give me any tangible reason why. My theory is that if the OS level users are given proper privileges then no one should have privileges to execute that command except those granted execute permissions. I hope this helps.
Thanks for your input...
1+1=2
or
1+2-3+4-2=2
Your wish is your preference
"What is past is PROLOGUE"
-
-
listener security..why?...why not?
Thank you for the input...I have discovered that if the OS level security and the extproc functionality is secure and removed, then there is no fear of a remote attack on the listener. Tested it out and found that I could not stop the lsnr remotely unless the extproc entry was in the listener.ora file. Also, the OS privilege on UNIX must be set to -rwxr--r-- or -rwx------ for the lsnrctl, tnslsnr and listener.ora files which allows only read or no permissions for anyone who is not in the correct group and the "oracle" user and "dba" groups.
-
Not sure about the necessity but I am more concerned how to automate startup/shutdown process.
/init.d/dbora usually has entries like these:
lsnrctl start
lsnrctl stop
With password option set this will become invalid and return:
TNS-01169: The listener has not recognized the password
Any ideas?
-
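# LSNRCTL is not set in this fragment; it is assumed to be defined earlier in the init script
# For each listener name found in listener.ora, stop it using the listener password
cat $ORACLE_HOME/network/admin/listener.ora | grep '^LISTENER' | awk -F" " '{print $1}' | while read LINE
do
  case $LINE in
  *)
    case "$1" in
    'stop') $ORACLE_HOME/bin/$LSNRCTL <<EOF
set password gd_05
stop $LINE
quit
EOF
      echo "$LINE is stopped"
      ;;
    *) ;;
    esac
    ;;
  esac
done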
-
Thank you for your input...after checking more than 12 different forums and message boards, I have this conclusion to make: It is up to the DBA/company what, if any, password protection is used for the listener. If you're going to use it, then for DBSHUT and DBSTART use the following code:
#!/usr/bin/sh
lsnrctl << EOF
set current_listener
set password
stop
exit
EOF
modify it as you require.
As for encryption, it is virtually useless. Why, you ask...If a user has the privilege to look at the listener.ora file, he can copy and paste the encrypted password into his connect string, thereby rendering the encrypted password protection useless. Use pwd protection on the listener for cases where a lot of users/developers have access to the ORACLE_HOME directory tree.
Thanks all for your input.....I'm Out
Peyton is the best QB in all the land
-
Originally Posted by jwillette
...If a user has the privilege to look at the listener.ora file, he can
Peyton is the best QB in all the land
that's why you should always check permissions, so world can't see your setup/scripts/text files.
Thanks for your kind words on Peyton, we rather love him here in Indy...
"False data can act only as a distraction. Therefore. I shall refuse to perceive you." - Bomb #20
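The checks raised across this thread (file permissions, the extproc entry, a password embedded in a stop script) collected into one shell audit, as an added example that is not code from any poster. The function names are hypothetical, the files created in demo() are constructed samples, and mktemp -d is assumed to be available on the host.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# perm_findings FILE: report loose permission bits, read from the ls mode string
perm_findings() {
    m=$(ls -ld "$1" | cut -c1-10)
    case $m in ?????w????) echo "$1: group-writable ($m)" ;; esac
    case $m in ???????r??) echo "$1: world-readable ($m)" ;; esac
    case $m in ????????w?) echo "$1: world-writable ($m)" ;; esac
}

# active_lines FILE: print the file without its comment lines
active_lines() {
    grep -v '^[[:space:]]*#' "$1"
}

# audit_listener_ora FILE: permissions, extproc entries, PASSWORDS_ parameter
audit_listener_ora() {
    perm_findings "$1"
    if active_lines "$1" | grep -i 'extproc' >/dev/null; then
        echo "$1: extproc entry present"
    fi
    if ! active_lines "$1" | grep -i '^[[:space:]]*PASSWORDS_' >/dev/null; then
        echo "$1: no PASSWORDS_ entry, listener is not password protected"
    fi
}

# audit_script FILE: flag a world-readable script that embeds "set password VALUE"
audit_script() {
    if active_lines "$1" | grep -i '^[[:space:]]*set  *password  *[^ ]' >/dev/null; then
        perm_findings "$1" | grep 'world-readable' | sed 's/$/, contains a listener password/'
    fi
}

# demo: run both audits over constructed sample files (not real configuration)
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'LISTENER =' \
        '  (ADDRESS_LIST =' \
        '    (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC))' \
        '    (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1521)))' > "$d/listener.ora"
    printf '%s\n' 'lsnrctl <<EOF' 'set password CONSTRUCTED_VALUE' 'stop' 'EOF' > "$d/dbora"
    chmod 644 "$d/listener.ora"; chmod 755 "$d/dbora"
    audit_listener_ora "$d/listener.ora"; audit_script "$d/dbora"
    rm -rf "$d"
}

case ${1:-} in demo) demo ;; esac
```

Run it with `demo` as the first argument to see the findings for the constructed files; an empty result from either audit function means none of the checks fired.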