ITPub博客

首页 > Linux操作系统 > Linux操作系统 > 【LISTENER】Oracle 10g监听的本地操作系统认证(Local OS Authentication)安全特性

【LISTENER】Oracle 10g监听的本地操作系统认证(Local OS Authentication)安全特性

原创 Linux操作系统 作者:secooler 时间:2011-03-22 22:59:34 0 删除 编辑
Oracle 10g版本以及之后的版本中推出了监听的本地操作系统认证安全特性,即Local OS Authentication。
这个安全特性简言之:若监听程序是在当前用户下启动的,则当前用户具有管理监听的所有权利,其他用户对监听的管理将受到限制。注意,这里启动和管理监听的用户不一定是oracle用户。
本文将就此特性给出实际验证。

1.查看监听的安全特性
在oracle用户下查看监听状态。
ora10g@secdb /home/oracle$ lsnrctl status

LSNRCTL for Linux: Version 10.2.0.1.0 - Production on 22-MAR-2011 22:04:03

Copyright (c) 1991, 2005, Oracle.  All rights reserved.

Connecting to (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Linux: Version 10.2.0.1.0 - Production
Start Date                21-MAR-2011 22:51:53
Uptime                    0 days 23 hr. 12 min. 9 sec
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF
Listener Log File         /oracle/ora10gR2/product/10.2.0/db_2/network/log/listener.log
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=secdb)(PORT=1521)))
Services Summary...
Service "ora10g" has 1 instance(s).
  Instance "ora10g", status READY, has 1 handler(s) for this service...
Service "ora10gXDB" has 1 instance(s).
  Instance "ora10g", status READY, has 1 handler(s) for this service...
Service "ora10g_XPT" has 1 instance(s).
  Instance "ora10g", status READY, has 1 handler(s) for this service...
Service "ora11g" has 1 instance(s).
  Instance "ora11g", status READY, has 1 handler(s) for this service...
The command completed successfully


注意status命令返回的“Security ON: Local OS Authentication”信息,此条提示信息表明监听处于Local OS Authentication认证模式。

2.尝试在非oracle用户下停止监听
从oracle用户切换到操作系统secooler用户。
ora10g@secdb /home/oracle$ su - secooler
Password:
ora10g@secdb /home/secooler$ id
uid=666(secooler) gid=501(oinstall) groups=501(oinstall),502(dba),503(oper)

尝试在secooler用户下停止监听程序。
ora10g@secdb /home/secooler$ lsnrctl stop listener

LSNRCTL for Linux: Version 10.2.0.1.0 - Production on 22-MAR-2011 22:01:58

Copyright (c) 1991, 2005, Oracle.  All rights reserved.

Connecting to (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))
TNS-01190: The user is not authorized to execute the requested listener command

可见,此时返回TNS-01190错误,此条错误便是监听的本地操作系统认证特性在起作用。因为此环境中监听是由oracle用户启动的。

3.尝试非oracle用户启动监听程序
1)在oracle用户中停掉监听程序
ora10g@secdb /home/oracle$ lsnrctl stop

LSNRCTL for Linux: Version 10.2.0.1.0 - Production on 22-MAR-2011 22:07:16

Copyright (c) 1991, 2005, Oracle.  All rights reserved.

Connecting to (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))
The command completed successfully

2)在secooler用户中启动监听
ora10g@secdb /home/secooler$ lsnrctl

LSNRCTL for Linux: Version 10.2.0.1.0 - Production on 22-MAR-2011 22:07:24

Copyright (c) 1991, 2005, Oracle.  All rights reserved.

Welcome to LSNRCTL, type "help" for information.

LSNRCTL> start
Starting /oracle/ora10gR2/product/10.2.0/db_2/bin/tnslsnr: please wait...

TNSLSNR for Linux: Version 10.2.0.1.0 - Production
Log messages written to /oracle/ora10gR2/product/10.2.0/db_2/network/log/listener.log
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=secdb)(PORT=1521)))

Connecting to (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Linux: Version 10.2.0.1.0 - Production
Start Date                22-MAR-2011 22:08:10
Uptime                    0 days 0 hr. 0 min. 0 sec
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF
Listener Log File         /oracle/ora10gR2/product/10.2.0/db_2/network/log/listener.log
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=secdb)(PORT=1521)))
The listener supports no services
The command completed successfully

可见,监听顺利启动,稍等片刻,等待数据库实例动态注册到监听。
在secooler用户下查看监听状态
LSNRCTL> status
Connecting to (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Linux: Version 10.2.0.1.0 - Production
Start Date                22-MAR-2011 22:08:10
Uptime                    0 days 0 hr. 0 min. 20 sec
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF
Listener Log File         /oracle/ora10gR2/product/10.2.0/db_2/network/log/listener.log
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=secdb)(PORT=1521)))
Services Summary...
Service "ora10g" has 1 instance(s).
  Instance "ora10g", status READY, has 1 handler(s) for this service...
Service "ora10gXDB" has 1 instance(s).
  Instance "ora10g", status READY, has 1 handler(s) for this service...
Service "ora10g_XPT" has 1 instance(s).
  Instance "ora10g", status READY, has 1 handler(s) for this service...
Service "ora11g" has 1 instance(s).
  Instance "ora11g", status READY, has 1 handler(s) for this service...
The command completed successfully

此时,监听在secooler用户下运行正常。
可以通过ps命令再次确定监听的确是由secooler用户启动的。
ora10g@secdb /home/secooler$ ps -ef | grep -i listener | grep -v grep
secooler  5794     1  0 22:08 ?        00:00:00 /oracle/ora10gR2/product/10.2.0/db_2/bin/tnslsnr LISTENER -inherit

4.回到oracle用户尝试关闭监听
由于此时监听程序是在secooler用户下启动的,根据Local OS Authentication特性,此时oracle用户是无权关闭监听程序的。验证一下。
ora10g@secdb /home/oracle$ lsnrctl stop

LSNRCTL for Linux: Version 10.2.0.1.0 - Production on 22-MAR-2011 22:27:36

Copyright (c) 1991, 2005, Oracle.  All rights reserved.

Connecting to (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))
TNS-01190: The user is not authorized to execute the requested listener command

结论得以证实。此时oracle用户无法停止由secooler用户启动的监听程序。

5.被限制的监听操作命令列表
本文是以关闭监听程序为例进行演示的。除了STOP操作之外被限制使用的命令如下所示。
 SAVE_CONFIG, TRACE, SPAWN, RELOAD,

 SET {LOG_FILE, LOG_STATUS, INBOUND_CONNECT_TIMEOUT, SAVE_CONFIG_STOP_ON, TRC_FILE, TRC_LEVEL, LOG_DIRECTORY, STARTUP_WAITTIME}

 SHOW {RULES, TRC_DIRECTORY, LOG_FILE, LOG_STATUS, INBOUND_CONNECT_TIMEOUT, SNMP_VISIBLE, TRC_FILE, TRC_LEVEL, LOG_DIRECTORY, STARTUP_WAITTIME, SAVE_CONFIG_STOP_ON}

在非启动监听用户下执行上述命令均会收到TNS-01190错误。

6.小结
Oracle 10g的本地操作系统认证(Local OS Authentication)安全特性避免了监听管理过程中的混乱现象。在理解了这个特性真实意图后,监听的安全性便有了保证。

Good luck.

secooler
11.03.22

-- The End --

来自 “ ITPUB博客 ” ,链接:http://blog.itpub.net/519536/viewspace-690203/,如需转载,请注明出处,否则将追究法律责任。

请登录后发表评论 登录
全部评论
Oracle ACE 总监,阿里云MVP,北京大学理学硕士,恩墨学院创始人,教育专家,中国区 Cloudera 首位官方授权大数据讲师,金牌培训专家,BDA大数据联盟创始人,OCM联盟创始人,ACCUG创始人、ACOUG核心专家,Blogger。

注册时间:2008-03-16

  • 博文量
    797
  • 访问量
    8189271