Oracle 10g and later versions introduced a security feature for the listener called Local OS Authentication.
In short: if the listener was started under the current OS user, that user has full rights to administer the listener, and administration by any other user is restricted. Note that the user who starts and administers the listener is not necessarily the oracle user.
This post verifies the feature in practice.
1. Checking the listener's security setting
Check the listener status as the oracle user.
ora10g@secdb /home/oracle$ lsnrctl status
LSNRCTL for Linux: Version 10.2.0.1.0 - Production on 22-MAR-2011 22:04:03
Copyright (c) 1991, 2005, Oracle. All rights reserved.
Connecting to (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for Linux: Version 10.2.0.1.0 - Production
Start Date 21-MAR-2011 22:51:53
Uptime 0 days 23 hr. 12 min. 9 sec
Trace Level off
Security ON: Local OS Authentication
SNMP OFF
Listener Log File /oracle/ora10gR2/product/10.2.0/db_2/network/log/listener.log
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=secdb)(PORT=1521)))
Services Summary...
Service "ora10g" has 1 instance(s).
Instance "ora10g", status READY, has 1 handler(s) for this service...
Service "ora10gXDB" has 1 instance(s).
Instance "ora10g", status READY, has 1 handler(s) for this service...
Service "ora10g_XPT" has 1 instance(s).
Instance "ora10g", status READY, has 1 handler(s) for this service...
Service "ora11g" has 1 instance(s).
Instance "ora11g", status READY, has 1 handler(s) for this service...
The command completed successfully
Note the "Security ON: Local OS Authentication" line returned by the status command: it indicates that the listener is running in Local OS Authentication mode.
2. Trying to stop the listener as a non-oracle user
Switch from the oracle user to the OS user secooler.
ora10g@secdb /home/oracle$ su - secooler
Password:
ora10g@secdb /home/secooler$ id
uid=666(secooler) gid=501(oinstall) groups=501(oinstall),502(dba),503(oper)
Try to stop the listener as secooler.
ora10g@secdb /home/secooler$ lsnrctl stop listener
LSNRCTL for Linux: Version 10.2.0.1.0 - Production on 22-MAR-2011 22:01:58
Copyright (c) 1991, 2005, Oracle. All rights reserved.
Connecting to (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))
TNS-01190: The user is not authorized to execute the requested listener command
The command returns TNS-01190. This error is the listener's Local OS Authentication feature at work, because in this environment the listener was started by the oracle user.
3. Trying to start the listener as a non-oracle user
1) Stop the listener as the oracle user
ora10g@secdb /home/oracle$ lsnrctl stop
LSNRCTL for Linux: Version 10.2.0.1.0 - Production on 22-MAR-2011 22:07:16
Copyright (c) 1991, 2005, Oracle. All rights reserved.
Connecting to (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))
The command completed successfully
2) Start the listener as the secooler user
ora10g@secdb /home/secooler$ lsnrctl
LSNRCTL for Linux: Version 10.2.0.1.0 - Production on 22-MAR-2011 22:07:24
Copyright (c) 1991, 2005, Oracle. All rights reserved.
Welcome to LSNRCTL, type "help" for information.
LSNRCTL> start
Starting /oracle/ora10gR2/product/10.2.0/db_2/bin/tnslsnr: please wait...
TNSLSNR for Linux: Version 10.2.0.1.0 - Production
Log messages written to /oracle/ora10gR2/product/10.2.0/db_2/network/log/listener.log
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=secdb)(PORT=1521)))
Connecting to (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for Linux: Version 10.2.0.1.0 - Production
Start Date 22-MAR-2011 22:08:10
Uptime 0 days 0 hr. 0 min. 0 sec
Trace Level off
Security ON: Local OS Authentication
SNMP OFF
Listener Log File /oracle/ora10gR2/product/10.2.0/db_2/network/log/listener.log
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=secdb)(PORT=1521)))
The listener supports no services
The command completed successfully
The listener starts normally. Wait a moment for the database instances to register dynamically with it.
Check the listener status as secooler
LSNRCTL> status
Connecting to (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for Linux: Version 10.2.0.1.0 - Production
Start Date 22-MAR-2011 22:08:10
Uptime 0 days 0 hr. 0 min. 20 sec
Trace Level off
Security ON: Local OS Authentication
SNMP OFF
Listener Log File /oracle/ora10gR2/product/10.2.0/db_2/network/log/listener.log
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=secdb)(PORT=1521)))
Services Summary...
Service "ora10g" has 1 instance(s).
Instance "ora10g", status READY, has 1 handler(s) for this service...
Service "ora10gXDB" has 1 instance(s).
Instance "ora10g", status READY, has 1 handler(s) for this service...
Service "ora10g_XPT" has 1 instance(s).
Instance "ora10g", status READY, has 1 handler(s) for this service...
Service "ora11g" has 1 instance(s).
Instance "ora11g", status READY, has 1 handler(s) for this service...
The command completed successfully
The listener is now running normally under secooler.
The ps command confirms once more that the listener was indeed started by secooler.
ora10g@secdb /home/secooler$ ps -ef | grep -i listener | grep -v grep
secooler 5794 1 0 22:08 ? 00:00:00 /oracle/ora10gR2/product/10.2.0/db_2/bin/tnslsnr LISTENER -inherit
4. Back as the oracle user, try to stop the listener
Since the listener is now running under secooler, the Local OS Authentication feature means the oracle user has no right to stop it. Let's verify.
ora10g@secdb /home/oracle$ lsnrctl stop
LSNRCTL for Linux: Version 10.2.0.1.0 - Production on 22-MAR-2011 22:27:36
Copyright (c) 1991, 2005, Oracle. All rights reserved.
Connecting to (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))
TNS-01190: The user is not authorized to execute the requested listener command
This confirms the conclusion: the oracle user cannot stop a listener that was started by secooler.
5. List of restricted listener commands
This post used stopping the listener as its example. Besides STOP, the following commands are restricted:
SAVE_CONFIG, TRACE, SPAWN, RELOAD,
SET {LOG_FILE, LOG_STATUS, INBOUND_CONNECT_TIMEOUT, SAVE_CONFIG_STOP_ON, TRC_FILE, TRC_LEVEL, LOG_DIRECTORY, STARTUP_WAITTIME}
SHOW {RULES, TRC_DIRECTORY, LOG_FILE, LOG_STATUS, INBOUND_CONNECT_TIMEOUT, SNMP_VISIBLE, TRC_FILE, TRC_LEVEL, LOG_DIRECTORY, STARTUP_WAITTIME, SAVE_CONFIG_STOP_ON}
Running any of the commands above as a user other than the one who started the listener returns TNS-01190.
6. Summary
Oracle 10g's Local OS Authentication security feature prevents confusion in listener administration. Once the real intent of this feature is understood, the security of the listener can be assured.
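The following script is an added example, not code from the original post. It turns the observations of sections 1, 2 and 5 into an offline check that an operator could run before touching a listener: it reads the Security line from a captured "lsnrctl status" output, reads the listener's owning OS user from captured "ps -ef" output, classifies an lsnrctl command against the restricted list given in section 5, and predicts whether the listener would answer TNS-01190 or accept the command. The sample status and ps text are constructed copies of the output shown above; the column layout of "lsnrctl status" and the completeness of the section 5 list are assumptions, and the script never contacts a real listener.

```shell
#!/bin/sh
# Added example (not part of the original post): predict Local OS Authentication
# outcomes from captured command output, without an Oracle installation.

# Constructed sample of "lsnrctl status" output, modelled on the post above.
SAMPLE_STATUS='STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Linux: Version 10.2.0.1.0 - Production
Security                  ON: Local OS Authentication
SNMP                      OFF'

# Constructed sample of "ps -ef" output for the listener process (owner: secooler).
SAMPLE_PS='secooler  5794     1  0 22:08 ?        00:00:00 /oracle/ora10gR2/product/10.2.0/db_2/bin/tnslsnr LISTENER -inherit'

# SET/SHOW parameters the post lists as restricted (section 5); assumed complete.
SET_PARAMS="LOG_FILE LOG_STATUS INBOUND_CONNECT_TIMEOUT SAVE_CONFIG_STOP_ON TRC_FILE TRC_LEVEL LOG_DIRECTORY STARTUP_WAITTIME"
SHOW_PARAMS="RULES TRC_DIRECTORY LOG_FILE LOG_STATUS INBOUND_CONNECT_TIMEOUT SNMP_VISIBLE TRC_FILE TRC_LEVEL LOG_DIRECTORY STARTUP_WAITTIME SAVE_CONFIG_STOP_ON"

# Print ON, OFF or UNKNOWN from the "Security" line of a captured status text.
listener_security_mode() {
    printf '%s\n' "$1" | awk '
        /^Security/ { s = ($2 ~ /^ON/) ? "ON" : "OFF"; print s; found = 1 }
        END { if (!found) print "UNKNOWN" }'
}

# Print the OS user that owns the tnslsnr process in a captured "ps -ef" text.
listener_owner() {
    printf '%s\n' "$1" | awk '/tnslsnr/ { print $1; exit }'
}

# Return 0 if the lsnrctl command is one the post says only the starting user
# may run (STOP, SAVE_CONFIG, TRACE, SPAWN, RELOAD, listed SET/SHOW), else 1.
is_restricted_command() {
    cmd=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    verb=${cmd%% *}
    arg=${cmd#* }
    arg=${arg%% *}
    case "$verb" in
        STOP|SAVE_CONFIG|TRACE|SPAWN|RELOAD) return 0 ;;
        SET)  list=$SET_PARAMS ;;
        SHOW) list=$SHOW_PARAMS ;;
        *)    return 1 ;;
    esac
    [ "$arg" = "$cmd" ] && return 1      # bare SET/SHOW without a parameter
    for p in $list; do
        [ "$p" = "$arg" ] && return 0
    done
    return 1
}

# Predict the listener's answer when user $2 runs "lsnrctl $3" against a
# listener with status text $1 owned by OS user $4: prints TNS-01190 or ALLOWED.
# Only a confirmed "Security ON" is treated as restrictive.
predict_outcome() {
    status_text=$1; user=$2; command=$3; owner=$4
    mode=$(listener_security_mode "$status_text")
    if [ "$mode" = "ON" ] && [ "$user" != "$owner" ] && is_restricted_command "$command"; then
        echo "TNS-01190"
    else
        echo "ALLOWED"
    fi
}

main() {
    owner=$(listener_owner "$SAMPLE_PS")
    echo "listener security: $(listener_security_mode "$SAMPLE_STATUS"), owner: $owner"
    for who in oracle secooler; do
        for c in status stop "set log_file /tmp/l.log" "show rules" services; do
            printf '%-9s lsnrctl %-24s -> %s\n' "$who" "$c" \
                "$(predict_outcome "$SAMPLE_STATUS" "$who" "$c" "$owner")"
        done
    done
}
main "$@"
```

On a live system the two sample strings would be replaced by the real output of `lsnrctl status` and `ps -ef`; the point of keeping the parsing in separate functions is that the same check can be run against a saved status dump when auditing which account a listener is running as.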
Good luck.
secooler
11.03.22
-- The End --
From the ITPUB blog, link: http://blog.itpub.net/519536/viewspace-690203/. If reposting, please cite the source; otherwise legal liability will be pursued.