
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


Securing Apache with Oracle



I got an interesting post on my Oracle security forum yesterday from Ron, who said he was having difficulty finding any information on how to install Apache with the Oracle database as a different user than the owner of the Oracle database software. The reason for doing so is security: if Apache runs as a lower-privileged user, then even if it is exploited the hacker does not gain access to the rest of the Oracle installation.

I have done this before and have written about it but could not lay my hands on where. Someone has told me that they installed the Oracle software using a custom install without choosing the httpd install, then restarted the OUI as a different user and simply installed Apache from the Oracle CD, and it worked fine. I have not tested this method myself; maybe I will! The way I did it was by creating a separate apache user and group and, well, doing what Roger Schrag describes in his paper http://www.dbspecialists.com/presentations/oracle920solaris.html - (broken link) Installing and Configuring Oracle9i on the Solaris Platform. This is an excellent paper. He tells how to create an apache user, how to install Oracle, then stop Apache, change the ownership of the files and then restart Apache as the new user.

Great paper and well worth reading.
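
Once Apache has been restarted under its own account, it is worth checking that the separation actually holds. The script below is an added example, not code from this post or from the paper: it reads `ps -e -o user,pid,ppid,args` output and fails if any httpd process still runs as the Oracle software owner, or if a worker runs as root. The account names `oracle` and `apache`, the paths and the PIDs are constructed sample values.

```shell
#!/bin/sh
# Added example: verify that Apache does not run as the Oracle software owner.
# Paths, PIDs and account names in the samples are constructed, not real output.

# Host where Apache was left running as the Oracle software owner.
SAMPLE_SHARED='USER   PID PPID COMMAND
oracle  900    1 ora_pmon_ORCL
oracle 1201    1 /opt/ora/Apache/bin/httpd -d /opt/ora/Apache
oracle 1202 1201 /opt/ora/Apache/bin/httpd -d /opt/ora/Apache
oracle 1203 1201 /opt/ora/Apache/bin/httpd -d /opt/ora/Apache'

# Host after the change: root parent holds the port, workers run as "apache".
SAMPLE_SPLIT='USER   PID PPID COMMAND
oracle  900    1 ora_pmon_ORCL
root   1201    1 /opt/ora/Apache/bin/httpd -d /opt/ora/Apache
apache 1202 1201 /opt/ora/Apache/bin/httpd -d /opt/ora/Apache
apache 1203 1201 /opt/ora/Apache/bin/httpd -d /opt/ora/Apache'

# audit_httpd_users OWNER  (ps listing on stdin)
# Prints one OK/FAIL line per httpd process; returns 1 if any FAIL was found.
audit_httpd_users() {
    awk -v owner="$1" '
        $4 ~ /(^|\/)httpd$/ {            # field 4 is the executable, not its args
            n++; user[n] = $1; pid[n] = $2; ppid[n] = $3; is_httpd[$2] = 1
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                if (user[i] == owner) {
                    printf "FAIL pid=%s runs as Oracle software owner %s\n", pid[i], owner
                    bad++
                } else if (user[i] == "root" && (ppid[i] in is_httpd)) {
                    # A root parent is expected; a root child serves requests as root.
                    printf "FAIL pid=%s is an httpd worker running as root\n", pid[i]
                    bad++
                } else {
                    printf "OK   pid=%s user=%s\n", pid[i], user[i]
                }
            }
            exit (bad > 0)
        }'
}

# Demonstration on the constructed samples.
# On a live host: ps -e -o user,pid,ppid,args | audit_httpd_users oracle
for sample in "$SAMPLE_SHARED" "$SAMPLE_SPLIT"; do
    printf '%s\n' "$sample" | audit_httpd_users oracle || echo "=> separation NOT in place"
done
```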