首先声明:本文原创secooler,本人在此基础上完善了“非监听启动用户对监听stop->start重新启动”部分
在文章《【LISTENER】Oracle 10g监听的本地操作系统认证(Local OS Authentication)安全特性》(http://space.itpub.net/519536/viewspace-690203)提到,Oracle 10g及以后版本使用Local OS Authentication方式确保监听程序的安全性。这就使得除启动监听的用户具有管理监听的权利外,其他用户无法完成对监听的管理。如何打破这个限制?我们可以通过引入密码管理模式来打破这个限制。
1.使用oracle用户启动监听
确保此处的监听程序是由oracle用户启动的,因此在oracle用户下具有为监听设置密码的权限。
ora10g@secdb /home/oracle$ lsnrctl start
LSNRCTL for Linux: Version 10.2.0.1.0 - Production on 23-MAR-2011 22:00:33
Copyright (c) 1991, 2005, Oracle. All rights reserved.
Starting /oracle/ora10gR2/product/10.2.0/db_2/bin/tnslsnr: please wait...
TNSLSNR for Linux: Version 10.2.0.1.0 - Production
Log messages written to /oracle/ora10gR2/product/10.2.0/db_2/network/log/listener.log
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=secdb)(PORT=1521)))
Connecting to (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for Linux: Version 10.2.0.1.0 - Production
Start Date 23-MAR-2011 22:00:33
Uptime 0 days 0 hr. 0 min. 0 sec
Trace Level off
Security ON: Local OS Authentication
SNMP OFF
Listener Log File /oracle/ora10gR2/product/10.2.0/db_2/network/log/listener.log
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=secdb)(PORT=1521)))
The listener supports no services
The command completed successfully
稍等片刻,确保数据库实例动态注册成功。
ora10g@secdb /home/oracle$ lsnrctl status
LSNRCTL for Linux: Version 10.2.0.1.0 - Production on 23-MAR-2011 22:02:12
Copyright (c) 1991, 2005, Oracle. All rights reserved.
Connecting to (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for Linux: Version 10.2.0.1.0 - Production
Start Date 23-MAR-2011 22:00:33
Uptime 0 days 0 hr. 1 min. 39 sec
Trace Level off
Security ON: Local OS Authentication
SNMP OFF
Listener Log File /oracle/ora10gR2/product/10.2.0/db_2/network/log/listener.log
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=secdb)(PORT=1521)))
Services Summary...
Service "ora10g" has 1 instance(s).
Instance "ora10g", status READY, has 1 handler(s) for this service...
Service "ora10gXDB" has 1 instance(s).
Instance "ora10g", status READY, has 1 handler(s) for this service...
Service "ora10g_XPT" has 1 instance(s).
Instance "ora10g", status READY, has 1 handler(s) for this service...
Service "ora11g" has 1 instance(s).
Instance "ora11g", status READY, has 1 handler(s) for this service...
The command completed successfully
2.在oracle用户下设置密码
LSNRCTL> set current_listener listener
Current Listener is listener
LSNRCTL> change_password
Old password: --注释:由于之前未设置密码,这里直接回车
New password: --注释:我这里设置的密码为“oracle”
Reenter new password: --注释:重新键入监听密码“oracle”
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=secdb)(PORT=1521)))
Password changed for listener
The command completed successfully
LSNRCTL> save_config
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=secdb)(PORT=1521)))
Saved LISTENER configuration parameters.
Listener Parameter File /oracle/ora10gR2/product/10.2.0/db_2/network/admin/listener.ora
Old Parameter File /oracle/ora10gR2/product/10.2.0/db_2/network/admin/listener.bak
The command completed successfully
密码设置完成之后可以在listener.ora文件中查看到密码设置信息。
ora10g@secdb /home/oracle$ vi $ORACLE_HOME/network/admin/listener.ora
# listener.ora Network Configuration File: /oracle/ora10gR2/product/10.2.0/db_2/network/admin/listener.ora
# Generated by Oracle configuration tools.
SID_LIST_LISTENER =
(SID_LIST =
(SID_DESC =
(SID_NAME = PLSExtProc)
(ORACLE_HOME = /oracle/ora10gR2/product/10.2.0/db_2)
(PROGRAM = extproc)
)
)
LISTENER =
(DESCRIPTION_LIST =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(HOST = secdb)(PORT = 1521))
(ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC0))
)
)
#----ADDED BY TNSLSNR 23-MAR-2011 22:19:28---
PASSWORDS_LISTENER = 1DF5C2FD0FE9CFA2
#--------------------------------------------
注意最后三行内容,此处即为密码设置的时间及密码信息。
3.查看设置密码后的监听状态
LSNRCTL> status
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=secdb)(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for Linux: Version 10.2.0.1.0 - Production
Start Date 23-MAR-2011 22:15:54
Uptime 0 days 0 hr. 3 min. 46 sec
Trace Level off
Security ON: Password or Local OS Authentication
SNMP OFF
Listener Parameter File /oracle/ora10gR2/product/10.2.0/db_2/network/admin/listener.ora
Listener Log File /oracle/ora10gR2/product/10.2.0/db_2/network/log/listener.log
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=secdb)(PORT=1521)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC0)))
Services Summary...
Service "PLSExtProc" has 1 instance(s).
Instance "PLSExtProc", status UNKNOWN, has 1 handler(s) for this service...
Service "ora10g" has 1 instance(s).
Instance "ora10g", status READY, has 1 handler(s) for this service...
Service "ora10gXDB" has 1 instance(s).
Instance "ora10g", status READY, has 1 handler(s) for this service...
Service "ora10g_XPT" has 1 instance(s).
Instance "ora10g", status READY, has 1 handler(s) for this service...
Service "ora11g" has 1 instance(s).
Instance "ora11g", status READY, has 1 handler(s) for this service...
The command completed successfully
注意,此时监听状态中的Security内容已经由原来的“ON: Local OS Authentication”变为现在的“ON: Password or Local OS Authentication”,表明监听已经处于密码管理模式。
4.尝试使用非oracle用户管理监听
我这里使用操作系统leonarding用户尝试关闭监听,以便证实非oracle用户对监听具有管理能力。
0)添加leonarding用户
直接修改用户配置文件/etc/passwd,添加一行leonarding:x:505:501::/home/leonarding:/bin/bash
uid=505 gid=501 home=/home/leonarding shell=/bin/bash
也可以使用root用户,创建一个用户:useradd leonarding -g dba -G oinstall -d /home/leonarding
默认使用Bshell 即/bin/bash
1)切换到leonarding用户
[oracle@secdb1 ~]$ su - leonarding
Password:
[leonarding@secdb1 ~]$
2)在leonarding用户下查看监听状态
[leonarding@secdb1 ~]$ lsnrctl
LSNRCTL for Linux: Version 10.2.0.1.0 - Production on 22-MAR-2012 19:32:15
Copyright (c) 1991, 2005, Oracle. All rights reserved.
Welcome to LSNRCTL, type "help" for information.
LSNRCTL> status
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=secdb1)(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for Linux: Version 10.2.0.1.0 - Production
Start Date 22-MAR-2012 19:32:38
Uptime 0 days 0 hr. 0 min. 6 sec
Trace Level off
Security ON: Password or Local OS Authentication
SNMP OFF
Listener Parameter File /u01/app/oracle/product/10.2.0/db_1/network/admin/listener.ora
Listener Log File /u01/app/oracle/product/10.2.0/db_1/network/log/listener.log
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=secdb1.localdomain)(PORT=1521)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=extproc)))
Services Summary...
Service "PROD" has 1 instance(s).
Instance "PROD", status UNKNOWN, has 1 handler(s) for this service...
Service "plsextproc" has 1 instance(s).
Instance "plsextproc", status UNKNOWN, has 1 handler(s) for this service...
The command completed successfully
3)提供密码
为实现对监听的管理,这里需要明确的给出监听的密码。
LSNRCTL> set password oracle
The command completed successfully
4)尝试停掉监听
LSNRCTL> stop
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=secdb1)(PORT=1521)))
The command completed successfully
监听程序已经在leonarding用户下顺利地停止。
5)用户leonarding尝试启动监听
LSNRCTL> start
Starting /u01/app/oracle/product/10.2.0/db_1/bin/tnslsnr: please wait...
TNSLSNR for Linux: Version 10.2.0.1.0 - Production
System parameter file is /u01/app/oracle/product/10.2.0/db_1/network/admin/listener.ora
Log messages written to /u01/app/oracle/product/10.2.0/db_1/network/log/listener.log
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=secdb1.localdomain)(PORT=1521)))
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=extproc)))
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=secdb1)(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for Linux: Version 10.2.0.1.0 - Production
Start Date 22-MAR-2012 19:37:25
Uptime 0 days 0 hr. 0 min. 0 sec
Trace Level off
Security ON: Password or Local OS Authentication
SNMP OFF
Listener Parameter File /u01/app/oracle/product/10.2.0/db_1/network/admin/listener.ora
Listener Log File /u01/app/oracle/product/10.2.0/db_1/network/log/listener.log
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=secdb1.localdomain)(PORT=1521)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=extproc)))
Services Summary...
Service "PROD" has 1 instance(s).
Instance "PROD", status UNKNOWN, has 1 handler(s) for this service...
Service "plsextproc" has 1 instance(s).
Instance "plsextproc", status UNKNOWN, has 1 handler(s) for this service...
The command completed successfully
注:在用leonarding用户启动监听的时候,一定要设置2个文件权限为RW,才能正常启动
Listener Parameter File /u01/app/oracle/product/10.2.0/db_1/network/admin/listener.ora
Listener Log File /u01/app/oracle/product/10.2.0/db_1/network/log/listener.log
5.小结
本文给出了通过密码管理方式实现了非监听启动用户对监听管理的目的。
这是对于Oracle 10g及以后的版本的监听程序管理的一种手段。善用之。
Good luck.
secooler
11.03.23
leonarding
12.03.22 完善
-- The End --
来自 “ ITPUB博客 ” ,链接:http://blog.itpub.net/26686207/viewspace-719313/,如需转载,请注明出处,否则将追究法律责任。
转载于:http://blog.itpub.net/26686207/viewspace-719313/