[LISTENER] The Local OS Authentication security feature of the Oracle 10g listener

Posted by secooler on 2011-03-22
Oracle 10g and later releases introduced a security feature for the listener called Local OS Authentication.
In short: if the listener process was started under the current OS user, that user has full rights to administer the listener, and administration by any other user is restricted. Note that the user who starts and administers the listener is not necessarily the oracle user.
This post verifies the feature with a hands-on test.

1. Viewing the listener's security setting
Check the listener status as the oracle user.
ora10g@secdb /home/oracle$ lsnrctl status

LSNRCTL for Linux: Version 10.2.0.1.0 - Production on 22-MAR-2011 22:04:03

Copyright (c) 1991, 2005, Oracle.  All rights reserved.

Connecting to (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Linux: Version 10.2.0.1.0 - Production
Start Date                21-MAR-2011 22:51:53
Uptime                    0 days 23 hr. 12 min. 9 sec
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF
Listener Log File         /oracle/ora10gR2/product/10.2.0/db_2/network/log/listener.log
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=secdb)(PORT=1521)))
Services Summary...
Service "ora10g" has 1 instance(s).
  Instance "ora10g", status READY, has 1 handler(s) for this service...
Service "ora10gXDB" has 1 instance(s).
  Instance "ora10g", status READY, has 1 handler(s) for this service...
Service "ora10g_XPT" has 1 instance(s).
  Instance "ora10g", status READY, has 1 handler(s) for this service...
Service "ora11g" has 1 instance(s).
  Instance "ora11g", status READY, has 1 handler(s) for this service...
The command completed successfully


Note the "Security ON: Local OS Authentication" line in the status output; it indicates that the listener is running in Local OS Authentication mode.

2. Trying to stop the listener as a user other than oracle
Switch from the oracle user to the OS user secooler.
ora10g@secdb /home/oracle$ su - secooler
Password:
ora10g@secdb /home/secooler$ id
uid=666(secooler) gid=501(oinstall) groups=501(oinstall),502(dba),503(oper)

Try to stop the listener process as the secooler user.
ora10g@secdb /home/secooler$ lsnrctl stop listener

LSNRCTL for Linux: Version 10.2.0.1.0 - Production on 22-MAR-2011 22:01:58

Copyright (c) 1991, 2005, Oracle.  All rights reserved.

Connecting to (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))
TNS-01190: The user is not authorized to execute the requested listener command

As you can see, a TNS-01190 error is returned. This error is the listener's Local OS Authentication feature at work, because in this environment the listener was started by the oracle user.

3. Trying to start the listener as a user other than oracle
1) Stop the listener process as the oracle user
ora10g@secdb /home/oracle$ lsnrctl stop

LSNRCTL for Linux: Version 10.2.0.1.0 - Production on 22-MAR-2011 22:07:16

Copyright (c) 1991, 2005, Oracle.  All rights reserved.

Connecting to (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))
The command completed successfully

2) Start the listener as the secooler user
ora10g@secdb /home/secooler$ lsnrctl

LSNRCTL for Linux: Version 10.2.0.1.0 - Production on 22-MAR-2011 22:07:24

Copyright (c) 1991, 2005, Oracle.  All rights reserved.

Welcome to LSNRCTL, type "help" for information.

LSNRCTL> start
Starting /oracle/ora10gR2/product/10.2.0/db_2/bin/tnslsnr: please wait...

TNSLSNR for Linux: Version 10.2.0.1.0 - Production
Log messages written to /oracle/ora10gR2/product/10.2.0/db_2/network/log/listener.log
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=secdb)(PORT=1521)))

Connecting to (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Linux: Version 10.2.0.1.0 - Production
Start Date                22-MAR-2011 22:08:10
Uptime                    0 days 0 hr. 0 min. 0 sec
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF
Listener Log File         /oracle/ora10gR2/product/10.2.0/db_2/network/log/listener.log
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=secdb)(PORT=1521)))
The listener supports no services
The command completed successfully

The listener started without problems. Wait a moment for the database instances to register dynamically with the listener.
Check the listener status as the secooler user.
LSNRCTL> status
Connecting to (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Linux: Version 10.2.0.1.0 - Production
Start Date                22-MAR-2011 22:08:10
Uptime                    0 days 0 hr. 0 min. 20 sec
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF
Listener Log File         /oracle/ora10gR2/product/10.2.0/db_2/network/log/listener.log
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=secdb)(PORT=1521)))
Services Summary...
Service "ora10g" has 1 instance(s).
  Instance "ora10g", status READY, has 1 handler(s) for this service...
Service "ora10gXDB" has 1 instance(s).
  Instance "ora10g", status READY, has 1 handler(s) for this service...
Service "ora10g_XPT" has 1 instance(s).
  Instance "ora10g", status READY, has 1 handler(s) for this service...
Service "ora11g" has 1 instance(s).
  Instance "ora11g", status READY, has 1 handler(s) for this service...
The command completed successfully

At this point the listener is running normally under the secooler user.
The ps command confirms once more that the listener was indeed started by the secooler user.
ora10g@secdb /home/secooler$ ps -ef | grep -i listener | grep -v grep
secooler  5794     1  0 22:08 ?        00:00:00 /oracle/ora10gR2/product/10.2.0/db_2/bin/tnslsnr LISTENER -inherit

4. Back as the oracle user, try to stop the listener
Because the listener process is now started under the secooler user, the Local OS Authentication feature means the oracle user has no right to stop it. Let's verify.
ora10g@secdb /home/oracle$ lsnrctl stop

LSNRCTL for Linux: Version 10.2.0.1.0 - Production on 22-MAR-2011 22:27:36

Copyright (c) 1991, 2005, Oracle.  All rights reserved.

Connecting to (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))
TNS-01190: The user is not authorized to execute the requested listener command

The conclusion is confirmed: the oracle user cannot stop a listener process that was started by the secooler user.

5. List of restricted listener commands
This post used stopping the listener as the demonstration. Besides STOP, the commands whose use is restricted are listed below.
 SAVE_CONFIG, TRACE, SPAWN, RELOAD,

 SET {LOG_FILE, LOG_STATUS, INBOUND_CONNECT_TIMEOUT, SAVE_CONFIG_STOP_ON, TRC_FILE, TRC_LEVEL, LOG_DIRECTORY, STARTUP_WAITTIME}

 SHOW {RULES, TRC_DIRECTORY, LOG_FILE, LOG_STATUS, INBOUND_CONNECT_TIMEOUT, SNMP_VISIBLE, TRC_FILE, TRC_LEVEL, LOG_DIRECTORY, STARTUP_WAITTIME, SAVE_CONFIG_STOP_ON}

Running any of the above commands as a user other than the one who started the listener returns the TNS-01190 error.
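An added audit helper (not from the post) that turns the checks above into a script: it reads ps -ef and lsnrctl status text, reports which OS user owns each tnslsnr process, and tells you whether a given account is that owner, which under Local OS Authentication decides whether STOP and the restricted commands listed above succeed or fail with TNS-01190. The sample ps and status text is constructed from the post's output; LISTENER2 and its owner are invented.

```shell
#!/bin/sh
# Audit helper: who owns each running listener, and which OS user may
# administer it under Local OS Authentication (the user that started tnslsnr).
# Sample text below is constructed from the post's output; LISTENER2 is invented.
SAMPLE_PS='secooler  5794     1  0 22:08 ?        00:00:00 /oracle/ora10gR2/product/10.2.0/db_2/bin/tnslsnr LISTENER -inherit
oracle    6120     1  0 22:30 ?        00:00:00 /oracle/ora10gR2/product/10.2.0/db_2/bin/tnslsnr LISTENER2 -inherit'

SAMPLE_STATUS='STATUS of the LISTENER
------------------------
Alias                     LISTENER
Security                  ON: Local OS Authentication
SNMP                      OFF'

# Print "<listener name> <os user>" for every tnslsnr process in ps -ef text.
listener_owners() {
    printf '%s\n' "$1" | awk '{
        for (i = 8; i <= NF; i++)
            if ($i ~ /\/tnslsnr$/ || $i == "tnslsnr") { print $(i + 1), $1; break }
    }'
}

# Print the value of the Security line from lsnrctl status text.
listener_security() {
    printf '%s\n' "$1" | awk '/^Security[ \t]/ { sub(/^Security[ \t]+/, ""); print; exit }'
}

# Return 0 if OS user $1 may run STOP/RELOAD/SET/... against listener $2:
# Local OS Authentication is reported ON and $1 started the tnslsnr process.
# Returns 2 when the status text does not report Local OS Authentication.
can_admin_listener() {
    user="$1"; lname="$2"; status_text="$3"; ps_text="$4"
    case "$(listener_security "$status_text")" in
        "ON: Local OS Authentication"*) ;;
        *) return 2 ;;
    esac
    owner=$(listener_owners "$ps_text" | awk -v n="$lname" '$1 == n { print $2; exit }')
    [ -n "$owner" ] && [ "$owner" = "$user" ]
}

# Return 0 if every listener runs as the expected software owner $1; otherwise
# print one line per listener started by someone else and return 1. Such a
# listener silently locks the expected owner out of STOP and the other commands.
check_listener_owner() {
    mismatches=$(listener_owners "$2" | awk -v want="$1" \
        '$2 != want { print $1 " is owned by " $2 " (expected " want ")" }')
    [ -z "$mismatches" ] && return 0
    printf '%s\n' "$mismatches"
    return 1
}
```

For a live check, pass "$(ps -ef)" and "$(lsnrctl status)" instead of the sample text, e.g. check_listener_owner oracle "$(ps -ef)".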

6. Summary
The Local OS Authentication security feature of Oracle 10g avoids confusion in listener administration. Once the real intent of this feature is understood, the security of the listener is assured.

Good luck.

secooler
11.03.22

-- The End --

From the ITPUB blog, link: http://blog.itpub.net/519536/viewspace-690203/. Please credit the source when reproducing; otherwise legal action may be pursued.
