External procedure calls are used by Intermedia.  I don't know of any other Oracle 
utility that does so, perhaps IFS, but that's just a guess.  Any locally written 
external procedures must be under the strictest control.  You wouldn't want anyone to 
write something that allowed the "rm" command.  Don't grant the Oracle privilege 
"create library" to anyone.

In order to use external procedures you need an entry in the tnsnames.ora file which 
resembles

extproc_connection_data =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = IPC)(KEY = extproc_key))
    (CONNECT_DATA = (SID = extproc_agent))
  )

A look at the listener log will show entries such as

08-FEB-2002 15:22:14 * (CONNECT_DATA=(SID=extproc_agent)) * (ADDRESS=(PROTOCOL=ipc)(KEY=extproc_key)) * establish * extproc_agent * 0
08-FEB-2002 15:25:37 * (CONNECT_DATA=(SID=extproc_agent)) * (ADDRESS=(PROTOCOL=ipc)(KEY=extproc_key)) * establish * extproc_agent * 0
========================================================================================================================

The external procedure listener should not be run as Oracle, but as a less privileged 
account.  In Unix this is typically nobody.  If there is any reference to external 
procedures under the normal Oracle listener, remove it and add the following or 
something similar to the listener.ora file, changing the listener's log directory 
and Oracle Home as appropriate.

EXTPROC_LISTENER =
  (ADDRESS_LIST =
        (ADDRESS=
          (PROTOCOL=IPC)
          (KEY= extproc_key)
        )
  )
STARTUP_WAIT_TIME_EXTPROC_LISTENER = 0
CONNECT_TIMEOUT_EXTPROC_LISTENER = 30
LOG_DIRECTORY_EXTPROC_LISTENER = /xxx/xxx/xxx/xxx/xxx/xxx/xxx
LOG_FILE_EXTPROC_LISTENER = extproc_listener.log
SID_LIST_EXTPROC_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = extproc_agent)
      (ORACLE_HOME=/xxx/xxx/xxx/xxx/xxx)
      (PROGRAM = extproc)
    )
  )
TRACE_LEVEL_EXTPROC_LISTENER = OFF
------------------------------------------------------------------------------------------------------------------------
 
Always start the extproc_listener as "nobody".  Now any command which is called through 
the extproc_listener runs under the nobody account and not the oracle account. 

I wonder why this was not mentioned as a way to mitigate the problem?  I would 
definitely block incoming traffic on port 1521 at the external firewall.  Then you 
only need worry about compromises from inside CMU.  Blocking 1521 at the firewall and 
removing the external procedure lines entirely from listener.ora would be the most 
secure.

Ian MacGregor
Stanford Linear Accelerator Center
[EMAIL PROTECTED]
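As an added example (not code from either poster), a small Python audit script that answers the listener.log question: it parses "establish" entries in the layout quoted above and counts connections per SID, flagging the extproc agent SIDs named in the thread (extproc_agent and the default PLSExtProc). The field layout is assumed from the quoted lines, and the sample log is constructed.

```python
import re
from collections import Counter

# Constructed sample listener.log lines in the layout quoted in the post.
# Each entry is one line in the real log (the quote above was wrapped by e-mail).
SAMPLE_LOG = """\
08-FEB-2002 15:22:14 * (CONNECT_DATA=(SID=extproc_agent)) * (ADDRESS=(PROTOCOL=ipc)(KEY=extproc_key)) * establish * extproc_agent * 0
08-FEB-2002 15:23:01 * (CONNECT_DATA=(SID=orcl)(CID=(PROGRAM=sqlplus)(HOST=ws1)(USER=dan))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.5)(PORT=34512)) * establish * orcl * 0
08-FEB-2002 15:25:37 * (CONNECT_DATA=(SID=extproc_agent)) * (ADDRESS=(PROTOCOL=ipc)(KEY=extproc_key)) * establish * extproc_agent * 0
08-FEB-2002 15:30:00 * service_update * orcl * 0
"""

# SIDs the extproc agent is registered under: the thread's name plus the default Dan mentions.
EXTPROC_SIDS = {"extproc_agent", "plsextproc"}

# One "establish" entry: timestamp * connect data * address * establish * SID * return code
ESTABLISH_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}) \* "
    r"(?P<connect>\(CONNECT_DATA=.*?\)) \* "
    r"(?P<address>\(ADDRESS=.*?\)) \* establish \* "
    r"(?P<sid>\S+) \* (?P<rc>\d+)$"
)

def parse_establish(line):
    """Return the fields of a connection-establish entry, or None for other lines."""
    m = ESTABLISH_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    proto = re.search(r"\(PROTOCOL=(\w+)\)", entry["address"], re.IGNORECASE)
    entry["protocol"] = proto.group(1).lower() if proto else "unknown"
    return entry

def audit_extproc(log_text, extproc_sids=EXTPROC_SIDS):
    """Count connects per SID and collect every extproc connect as (ts, protocol, rc)."""
    by_sid = Counter()
    extproc_hits = []
    for line in log_text.splitlines():
        entry = parse_establish(line)
        if entry is None:
            continue
        by_sid[entry["sid"]] += 1
        if entry["sid"].lower() in extproc_sids:
            extproc_hits.append((entry["ts"], entry["protocol"], entry["rc"]))
    return {"by_sid": by_sid, "extproc_hits": extproc_hits}

if __name__ == "__main__":
    hits = audit_extproc(SAMPLE_LOG)["extproc_hits"]
    print(f"{len(hits)} extproc connects seen" if hits else "no extproc connects seen")
```

Run it against a real listener.log over a representative period before deciding the extproc entries are unused; an empty result only says nothing called extproc during the window the log covers.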


-----Original Message-----
Sent: Friday, February 08, 2002 12:25 PM
To: LazyDBA.com Discussion


So, I've been reading a bit about this security hole and figuring out what
exactly I can or should do about it.

One of the solutions is to remove PLSExtproc functionality altogether.  I
am trying to figure out if I can do this.  If I look in my listener.log
file, will I see entries for extproc listed there if it is being used?  If
this is a valid assumption, can I then just remove the PLSExtproc
definition in my listener.ora and tnsnames.ora files and bounce the
listener, if I don't see extproc listed?

Changing the default port doesn't seem all that much of a fix as anybody
with a port scanner should be able to figure out what port the listener is
on anyway.

Thanks for any insight here.


-- 
Blue skies.
Dan Rossi
Carnegie Mellon University.
E-Mail: [EMAIL PROTECTED]
Tel:    (412) 268-9081


Author: MacGregor, Ian A.
  INET: [EMAIL PROTECTED]
