[Repost] [Extended] [LISTENER] Using password authentication to give non-oracle users the ability to manage the listener
A declaration first: this article was originally written by secooler; on that basis I have extended the part about "a user other than the one that started the listener restarting it (stop -> start)".
The article "[LISTENER] The Local OS Authentication security feature of the Oracle 10g listener" (http://space.itpub.net/519536/viewspace-690203) notes that Oracle 10g and later versions use Local OS Authentication to secure the listener process. As a result, only the user who started the listener has the right to manage it; no other user can perform listener management. How can this restriction be lifted? It can be lifted by introducing password management mode.
1. Start the listener as the oracle user
Make sure that the listener here is started by the oracle user, so that the oracle user has the privilege to set a password for the listener.
ora10g@secdb /home/oracle$ lsnrctl start
LSNRCTL for Linux: Version 10.2.0.1.0 - Production on 23-MAR-2011 22:00:33
Copyright (c) 1991, 2005, Oracle. All rights reserved.
Starting /oracle/ora10gR2/product/10.2.0/db_2/bin/tnslsnr: please wait...
TNSLSNR for Linux: Version 10.2.0.1.0 - Production
Log messages written to /oracle/ora10gR2/product/10.2.0/db_2/network/log/listener.log
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=secdb)(PORT=1521)))
Connecting to (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for Linux: Version 10.2.0.1.0 - Production
Start Date 23-MAR-2011 22:00:33
Uptime 0 days 0 hr. 0 min. 0 sec
Trace Level off
Security ON: Local OS Authentication
SNMP OFF
Listener Log File /oracle/ora10gR2/product/10.2.0/db_2/network/log/listener.log
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=secdb)(PORT=1521)))
The listener supports no services
The command completed successfully
Wait a moment to make sure the database instances have registered dynamically.
ora10g@secdb /home/oracle$ lsnrctl status
LSNRCTL for Linux: Version 10.2.0.1.0 - Production on 23-MAR-2011 22:02:12
Copyright (c) 1991, 2005, Oracle. All rights reserved.
Connecting to (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for Linux: Version 10.2.0.1.0 - Production
Start Date 23-MAR-2011 22:00:33
Uptime 0 days 0 hr. 1 min. 39 sec
Trace Level off
Security ON: Local OS Authentication
SNMP OFF
Listener Log File /oracle/ora10gR2/product/10.2.0/db_2/network/log/listener.log
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=secdb)(PORT=1521)))
Services Summary...
Service "ora10g" has 1 instance(s).
Instance "ora10g", status READY, has 1 handler(s) for this service...
Service "ora10gXDB" has 1 instance(s).
Instance "ora10g", status READY, has 1 handler(s) for this service...
Service "ora10g_XPT" has 1 instance(s).
Instance "ora10g", status READY, has 1 handler(s) for this service...
Service "ora11g" has 1 instance(s).
Instance "ora11g", status READY, has 1 handler(s) for this service...
The command completed successfully
2. Set the password as the oracle user
LSNRCTL> set current_listener listener
Current Listener is listener
LSNRCTL> change_password
Old password: -- note: no password had been set before, so just press Enter here
New password: -- note: the password I set here is "oracle"
Reenter new password: -- note: retype the listener password "oracle"
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=secdb)(PORT=1521)))
Password changed for listener
The command completed successfully
LSNRCTL> save_config
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=secdb)(PORT=1521)))
Saved LISTENER configuration parameters.
Listener Parameter File /oracle/ora10gR2/product/10.2.0/db_2/network/admin/listener.ora
Old Parameter File /oracle/ora10gR2/product/10.2.0/db_2/network/admin/listener.bak
The command completed successfully
Once the password has been set, the password information can be seen in the listener.ora file.
ora10g@secdb /home/oracle$ vi $ORACLE_HOME/network/admin/listener.ora
# listener.ora Network Configuration File: /oracle/ora10gR2/product/10.2.0/db_2/network/admin/listener.ora
# Generated by Oracle configuration tools.
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = PLSExtProc)
      (ORACLE_HOME = /oracle/ora10gR2/product/10.2.0/db_2)
      (PROGRAM = extproc)
    )
  )
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = secdb)(PORT = 1521))
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC0))
    )
  )
#----ADDED BY TNSLSNR 23-MAR-2011 22:19:28---
PASSWORDS_LISTENER = 1DF5C2FD0FE9CFA2
#--------------------------------------------
Note the last three lines: this is where the time the password was set and the password information are recorded.
3. Check the listener status after setting the password
LSNRCTL> status
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=secdb)(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for Linux: Version 10.2.0.1.0 - Production
Start Date 23-MAR-2011 22:15:54
Uptime 0 days 0 hr. 3 min. 46 sec
Trace Level off
Security ON: Password or Local OS Authentication
SNMP OFF
Listener Parameter File /oracle/ora10gR2/product/10.2.0/db_2/network/admin/listener.ora
Listener Log File /oracle/ora10gR2/product/10.2.0/db_2/network/log/listener.log
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=secdb)(PORT=1521)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC0)))
Services Summary...
Service "PLSExtProc" has 1 instance(s).
Instance "PLSExtProc", status UNKNOWN, has 1 handler(s) for this service...
Service "ora10g" has 1 instance(s).
Instance "ora10g", status READY, has 1 handler(s) for this service...
Service "ora10gXDB" has 1 instance(s).
Instance "ora10g", status READY, has 1 handler(s) for this service...
Service "ora10g_XPT" has 1 instance(s).
Instance "ora10g", status READY, has 1 handler(s) for this service...
Service "ora11g" has 1 instance(s).
Instance "ora11g", status READY, has 1 handler(s) for this service...
The command completed successfully
Note that the Security line in the listener status has changed from the original "ON: Local OS Authentication" to "ON: Password or Local OS Authentication", which shows that the listener is now in password management mode.
4. Try to manage the listener as a non-oracle user
Here I use the operating-system user leonarding to try to stop the listener, in order to confirm that a non-oracle user has the ability to manage it.
0) Add the leonarding user
Edit the user configuration file /etc/passwd directly and add the line leonarding:x:505:501::/home/leonarding:/bin/bash
uid=505 gid=501 home=/home/leonarding shell=/bin/bash
Alternatively, as the root user, create the user with: useradd leonarding -g dba -G oinstall -d /home/leonarding
The default shell is bash, i.e. /bin/bash
1) Switch to the leonarding user
[oracle@secdb1 ~]$ su - leonarding
Password:
[leonarding@secdb1 ~]$
2) Check the listener status as the leonarding user
[leonarding@secdb1 ~]$ lsnrctl
LSNRCTL for Linux: Version 10.2.0.1.0 - Production on 22-MAR-2012 19:32:15
Copyright (c) 1991, 2005, Oracle. All rights reserved.
Welcome to LSNRCTL, type "help" for information.
LSNRCTL> status
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=secdb1)(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for Linux: Version 10.2.0.1.0 - Production
Start Date 22-MAR-2012 19:32:38
Uptime 0 days 0 hr. 0 min. 6 sec
Trace Level off
Security ON: Password or Local OS Authentication
SNMP OFF
Listener Parameter File /u01/app/oracle/product/10.2.0/db_1/network/admin/listener.ora
Listener Log File /u01/app/oracle/product/10.2.0/db_1/network/log/listener.log
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=secdb1.localdomain)(PORT=1521)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=extproc)))
Services Summary...
Service "PROD" has 1 instance(s).
Instance "PROD", status UNKNOWN, has 1 handler(s) for this service...
Service "plsextproc" has 1 instance(s).
Instance "plsextproc", status UNKNOWN, has 1 handler(s) for this service...
The command completed successfully
3) Provide the password
To manage the listener, the listener password must be given explicitly here.
LSNRCTL> set password oracle
The command completed successfully
4) Try to stop the listener
LSNRCTL> stop
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=secdb1)(PORT=1521)))
The command completed successfully
The listener process has been stopped successfully as the leonarding user.
5) User leonarding tries to start the listener
LSNRCTL> start
Starting /u01/app/oracle/product/10.2.0/db_1/bin/tnslsnr: please wait...
TNSLSNR for Linux: Version 10.2.0.1.0 - Production
System parameter file is /u01/app/oracle/product/10.2.0/db_1/network/admin/listener.ora
Log messages written to /u01/app/oracle/product/10.2.0/db_1/network/log/listener.log
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=secdb1.localdomain)(PORT=1521)))
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=extproc)))
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=secdb1)(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for Linux: Version 10.2.0.1.0 - Production
Start Date 22-MAR-2012 19:37:25
Uptime 0 days 0 hr. 0 min. 0 sec
Trace Level off
Security ON: Password or Local OS Authentication
SNMP OFF
Listener Parameter File /u01/app/oracle/product/10.2.0/db_1/network/admin/listener.ora
Listener Log File /u01/app/oracle/product/10.2.0/db_1/network/log/listener.log
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=secdb1.localdomain)(PORT=1521)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=extproc)))
Services Summary...
Service "PROD" has 1 instance(s).
Instance "PROD", status UNKNOWN, has 1 handler(s) for this service...
Service "plsextproc" has 1 instance(s).
Instance "plsextproc", status UNKNOWN, has 1 handler(s) for this service...
The command completed successfully
Note: when starting the listener as the leonarding user, the permissions of the following two files must be set to RW for that user, otherwise the listener will not start normally:
Listener Parameter File /u01/app/oracle/product/10.2.0/db_1/network/admin/listener.ora
Listener Log File /u01/app/oracle/product/10.2.0/db_1/network/log/listener.log
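The following is an added example, not code from secooler's or leonarding's post: a small audit script that covers the two things the post leaves the reader to check by hand. It parses the "#----ADDED BY TNSLSNR ..." and "PASSWORDS_<ALIAS> = <hash>" lines that lsnrctl save_config writes into listener.ora (section 2), derives the Security line that lsnrctl status would show (section 3), and summarises who can read and write a file such as listener.ora or listener.log, which the note above says must be RW for the non-oracle user. The sample listener.ora is constructed from the one shown in the post (the hash value is the one the post prints); the scratch file used for the permission check is an assumption standing in for the real files.

```python
# Added example (not part of the original post): audit listener.ora for
# password mode and check file access for listener.ora / listener.log.
import os
import re
import stat
import tempfile

# Constructed sample: the post's listener.ora after `lsnrctl save_config`,
# re-indented; the PASSWORDS_LISTENER value is the one shown in the post.
SAMPLE_LISTENER_ORA = """\
# listener.ora Network Configuration File: /oracle/ora10gR2/product/10.2.0/db_2/network/admin/listener.ora
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = secdb)(PORT = 1521))
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC0))
    )
  )
#----ADDED BY TNSLSNR 23-MAR-2011 22:19:28---
PASSWORDS_LISTENER = 1DF5C2FD0FE9CFA2
#--------------------------------------------
"""

PASSWORD_RE = re.compile(r"^\s*PASSWORDS_(\w+)\s*=\s*(\S+)", re.IGNORECASE)
ADDED_RE = re.compile(r"^#-+ADDED BY TNSLSNR\s+(.+?)-+\s*$")


def password_entries(text):
    """Map alias -> (stored hash, timestamp from the preceding ADDED BY comment or None)."""
    entries = {}
    last_added = None
    for line in text.splitlines():
        m = ADDED_RE.match(line)
        if m:
            last_added = m.group(1).strip()
            continue
        m = PASSWORD_RE.match(line)
        if m:
            entries[m.group(1).upper()] = (m.group(2), last_added)
            last_added = None
    return entries


def security_mode(text, alias="LISTENER"):
    """The Security line `lsnrctl status` reports for this alias, derived from listener.ora."""
    if alias.upper() in password_entries(text):
        return "ON: Password or Local OS Authentication"
    return "ON: Local OS Authentication"


def access_summary(path):
    """Read/write access by mode-bit class, plus flags for files open to everyone."""
    mode = os.stat(path).st_mode

    def rw(read_bit, write_bit):
        return bool(mode & read_bit) and bool(mode & write_bit)

    return {
        "owner_rw": rw(stat.S_IRUSR, stat.S_IWUSR),
        "group_rw": rw(stat.S_IRGRP, stat.S_IWGRP),
        "other_rw": rw(stat.S_IROTH, stat.S_IWOTH),
        "other_readable": bool(mode & stat.S_IROTH),
        "world_writable": bool(mode & stat.S_IWOTH),
    }


def access_summary_for_mode(mode_bits):
    """Create a scratch file with the given mode and audit it: a stand-in
    (assumption) for listener.ora/listener.log on a host without Oracle."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, mode_bits)
        return access_summary(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("Password entries:", password_entries(SAMPLE_LISTENER_ORA))
    print("Security", security_mode(SAMPLE_LISTENER_ORA))
    # 0664 gives the dba group (leonarding's primary group in the post) RW
    # without opening the file to every local account; 0666 is world-writable.
    for bits in (0o640, 0o664, 0o666):
        print(oct(bits), access_summary_for_mode(bits))
```

On a real host, point access_summary at $ORACLE_HOME/network/admin/listener.ora and the listener.log path from lsnrctl status. Since leonarding is created in group dba, group RW (mode 0664) is the narrowest change that satisfies the note above; the world_writable flag catches the easy overshoot (0666), which would let any local account edit the listener configuration, and other_readable shows whether the stored PASSWORDS_ value is exposed to every user on the machine.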
5. Summary
This article has shown how, by means of password management mode, a user other than the one that started the listener can manage it.
This is one means of managing the listener in Oracle 10g and later versions. Use it wisely.
Good luck.
secooler
11.03.23
leonarding
12.03.22 extended
-- The End --
From "ITPUB blog", link: http://blog.itpub.net/26686207/viewspace-719313/. Please cite the source when reposting; otherwise legal action may be pursued.