Topic: password for listener still needed?
Pete Finnigan
PeteFinnigan.com Administrator
password for listener still needed?
« on: Sep 22nd, 2005, 3:07pm »

Hi,
 
In 10g the listener is by default protected:
lsnrctl status
....
Security   ON: Local OS Authentication
...
 
This means that only oracle (and maybe others in the dba/oinstall group?) can stop/start the listener. In older Oracle releases (7, 8, and 9i) I always used a password to protect the listener, and so I did for my new 10gR2 installation, and when I ask for the status of the listener I get:
...
Security   ON: Password or Local OS Authentication
...
 
But now I'm wondering if it is a good idea. If some other ordinary user gets to know my listener password, he/she can stop it by doing a 'set password' first. So my preliminary conclusion is that a listener without a password is safer! Is this true or am I missing something?
 
regards,
 
Ivan

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
Re: password for listener still needed?
« Reply #1 on: Sep 22nd, 2005, 6:19pm »

Ivan
 
Your assumption is correct. A 10g listener with a password is less secure than a listener without password protection.
 
Setting a password in 10g allows every user with the listener password to administer the listener, see also
 
http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=260986.1
 
 
Regards
 
 Alexander
 
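An added example, not part of the original thread and not Oracle's own tooling: a shell check that classifies the Security line of `lsnrctl status` output using the two 10g values quoted in the posts above, and lists any PASSWORDS_<listener_name> entries left in listener.ora. The function names are hypothetical and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit a 10g listener's authentication mode.

# Classify the "Security" line of `lsnrctl status` output passed as $1.
# Only the two values quoted in the thread are recognised; anything else is
# reported as UNKNOWN for manual review rather than guessed at.
classify_listener_security() {
    sec=$(printf '%s\n' "$1" |
        sed -n -e 's/[[:space:]]*$//' \
               -e 's/^[[:space:]]*Security[[:space:]]\{1,\}//p' | head -n 1)
    case "$sec" in
        "ON: Local OS Authentication")
            echo "OK: local OS authentication only" ;;
        "ON: Password or Local OS Authentication")
            echo "REVIEW: password set; anyone who knows it can administer the listener" ;;
        "")
            echo "UNKNOWN: no Security line found" ;;
        *)
            echo "UNKNOWN: unrecognised value '$sec'" ;;
    esac
}

# Print the PASSWORDS_<listener_name> parameter names found in listener.ora
# text passed as $1, skipping commented-out lines.
password_entries() {
    printf '%s\n' "$1" | awk '
        { sub(/#.*/, "") }
        toupper($0) ~ /^[ \t]*PASSWORDS_[A-Z0-9_]+[ \t]*=/ {
            split($0, kv, "="); gsub(/[ \t]/, "", kv[1]); print kv[1]
        }'
}

# Constructed sample inputs (not captured from a real system).
STATUS_OS='Alias                     LISTENER
Security                  ON: Local OS Authentication
SNMP                      OFF'
STATUS_PW='Alias                     LISTENER
Security                  ON: Password or Local OS Authentication
SNMP                      OFF'
LISTENER_ORA='# PASSWORDS_OLD = (placeholder)
LISTENER = (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1521))
PASSWORDS_LISTENER = (placeholder-hash)'

classify_listener_security "$STATUS_OS"
classify_listener_security "$STATUS_PW"
password_entries "$LISTENER_ORA"
```

On a real host the first argument would be the captured output of `lsnrctl status` and the second the contents of listener.ora.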