在文章《【LISTENER】Oracle 10g监听的本地操作系统认证(Local OS Authentication)安全特性》(http://space.itpub.net/519536/viewspace-690203)提到,Oracle 10g及以后版本使用Local OS Authentication方式确保监听程序的安全性。这就使得除启动监听的用户具有管理监听的权利外,其他用户无法完成对监听的管理。如何打破这个限制?我们可以通过引入密码管理模式来打破这个限制。
1.使用oracle用户启动监听
确保此处的监听程序是由oracle用户启动的,因此在oracle用户下具有为监听设置密码的权限。
ora10g@secdb /home/oracle$ lsnrctl start
LSNRCTL for Linux: Version 10.2.0.1.0 - Production on 23-MAR-2011 22:00:33
Copyright (c) 1991, 2005, Oracle. All rights reserved.
Starting /oracle/ora10gR2/product/10.2.0/db_2/bin/tnslsnr: please wait...
TNSLSNR for Linux: Version 10.2.0.1.0 - Production
Log messages written to /oracle/ora10gR2/product/10.2.0/db_2/network/log/listener.log
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=secdb)(PORT=1521)))
Connecting to (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for Linux: Version 10.2.0.1.0 - Production
Start Date 23-MAR-2011 22:00:33
Uptime 0 days 0 hr. 0 min. 0 sec
Trace Level off
Security ON: Local OS Authentication
SNMP OFF
Listener Log File /oracle/ora10gR2/product/10.2.0/db_2/network/log/listener.log
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=secdb)(PORT=1521)))
The listener supports no services
The command completed successfully
稍等片刻,确保数据库实例动态注册成功。
ora10g@secdb /home/oracle$ lsnrctl status
LSNRCTL for Linux: Version 10.2.0.1.0 - Production on 23-MAR-2011 22:02:12
Copyright (c) 1991, 2005, Oracle. All rights reserved.
Connecting to (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for Linux: Version 10.2.0.1.0 - Production
Start Date 23-MAR-2011 22:00:33
Uptime 0 days 0 hr. 1 min. 39 sec
Trace Level off
Security ON: Local OS Authentication
SNMP OFF
Listener Log File /oracle/ora10gR2/product/10.2.0/db_2/network/log/listener.log
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=secdb)(PORT=1521)))
Services Summary...
Service "ora10g" has 1 instance(s).
Instance "ora10g", status READY, has 1 handler(s) for this service...
Service "ora10gXDB" has 1 instance(s).
Instance "ora10g", status READY, has 1 handler(s) for this service...
Service "ora10g_XPT" has 1 instance(s).
Instance "ora10g", status READY, has 1 handler(s) for this service...
Service "ora11g" has 1 instance(s).
Instance "ora11g", status READY, has 1 handler(s) for this service...
The command completed successfully
2.在oracle用户下设置密码
LSNRCTL> set current_listener listener
Current Listener is listener
LSNRCTL> change_password
Old password: --注释:由于之前未设置密码,这里直接回车
New password: --注释:我这里设置的密码为“oracle”
Reenter new password: --注释:重新键入监听密码“oracle”
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=secdb)(PORT=1521)))
Password changed for listener
The command completed successfully
LSNRCTL> save_config
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=secdb)(PORT=1521)))
Saved LISTENER configuration parameters.
Listener Parameter File /oracle/ora10gR2/product/10.2.0/db_2/network/admin/listener.ora
Old Parameter File /oracle/ora10gR2/product/10.2.0/db_2/network/admin/listener.bak
The command completed successfully
密码设置完成之后可以在listener.ora文件中查看到密码设置信息。
ora10g@secdb /home/oracle$ vi $ORACLE_HOME/network/admin/listener.ora
# listener.ora Network Configuration File: /oracle/ora10gR2/product/10.2.0/db_2/network/admin/listener.ora
# Generated by Oracle configuration tools.
SID_LIST_LISTENER =
(SID_LIST =
(SID_DESC =
(SID_NAME = PLSExtProc)
(ORACLE_HOME = /oracle/ora10gR2/product/10.2.0/db_2)
(PROGRAM = extproc)
)
)
LISTENER =
(DESCRIPTION_LIST =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(HOST = secdb)(PORT = 1521))
(ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC0))
)
)
#----ADDED BY TNSLSNR 23-MAR-2011 22:19:28---
PASSWORDS_LISTENER = 1DF5C2FD0FE9CFA2
#--------------------------------------------
注意后三行内容,此处即为密码设置的时间及密码信息。
3.查看设置密码后的监听状态
LSNRCTL> status
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=secdb)(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for Linux: Version 10.2.0.1.0 - Production
Start Date 23-MAR-2011 22:15:54
Uptime 0 days 0 hr. 3 min. 46 sec
Trace Level off
Security ON: Password or Local OS Authentication
SNMP OFF
Listener Parameter File /oracle/ora10gR2/product/10.2.0/db_2/network/admin/listener.ora
Listener Log File /oracle/ora10gR2/product/10.2.0/db_2/network/log/listener.log
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=secdb)(PORT=1521)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC0)))
Services Summary...
Service "PLSExtProc" has 1 instance(s).
Instance "PLSExtProc", status UNKNOWN, has 1 handler(s) for this service...
Service "ora10g" has 1 instance(s).
Instance "ora10g", status READY, has 1 handler(s) for this service...
Service "ora10gXDB" has 1 instance(s).
Instance "ora10g", status READY, has 1 handler(s) for this service...
Service "ora10g_XPT" has 1 instance(s).
Instance "ora10g", status READY, has 1 handler(s) for this service...
Service "ora11g" has 1 instance(s).
Instance "ora11g", status READY, has 1 handler(s) for this service...
The command completed successfully
注意,此时监听状态中的Security内容已经由原来的“ON: Local OS Authentication”变为现在的“ON: Password or Local OS Authentication”,表明监听已经处于密码管理模式。
4.尝试使用非oracle用户管理监听
我这里使用操作系统secooler用户尝试关闭监听,以便证实非oracle用户对监听具有管理能力。
1)切换到secooler用户
ora10g@secdb /home/oracle$ su - secooler
Password:
2)在secooler用户下查看监听状态
ora10g@secdb /home/secooler$ lsnrctl
LSNRCTL for Linux: Version 10.2.0.1.0 - Production on 23-MAR-2011 23:10:13
Copyright (c) 1991, 2005, Oracle. All rights reserved.
Welcome to LSNRCTL, type "help" for information.
LSNRCTL> status
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=secdb)(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for Linux: Version 10.2.0.1.0 - Production
Start Date 23-MAR-2011 22:15:54
Uptime 0 days 0 hr. 54 min. 21 sec
Trace Level off
Security ON: Password or Local OS Authentication
SNMP OFF
Listener Parameter File /oracle/ora10gR2/product/10.2.0/db_2/network/admin/listener.ora
Listener Log File /oracle/ora10gR2/product/10.2.0/db_2/network/log/listener.log
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=secdb)(PORT=1521)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC0)))
Services Summary...
Service "PLSExtProc" has 1 instance(s).
Instance "PLSExtProc", status UNKNOWN, has 1 handler(s) for this service...
Service "ora10g" has 1 instance(s).
Instance "ora10g", status READY, has 1 handler(s) for this service...
Service "ora10gXDB" has 1 instance(s).
Instance "ora10g", status READY, has 1 handler(s) for this service...
Service "ora10g_XPT" has 1 instance(s).
Instance "ora10g", status READY, has 1 handler(s) for this service...
Service "ora11g" has 1 instance(s).
Instance "ora11g", status READY, has 1 handler(s) for this service...
The command completed successfully
3)提供密码
为实现对监听的管理,这里需要明确的给出监听的密码。
LSNRCTL> set password oracle
The command completed successfully
4)尝试停掉监听
LSNRCTL> stop
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=secdb)(PORT=1521)))
The command completed successfully
监听程序已经在secooler用户下顺利地停止。
5.小结
本文给出了通过密码管理方式实现了非监听启动用户对监听管理的目的。
这是对于Oracle 10g及以后的版本的监听程序管理的一种手段。善用之。
Good luck.
secooler
11.03.23
-- The End --
【LISTENER】通过密码验证使非oracle用户具有管理监听的能力
分享好友
分享这个小栈给你的朋友们,一起进步吧。
订阅须知
• 所有用户可根据关注领域订阅专区或所有专区
• 付费订阅:虚拟交易,一经交易不退款;若特殊情况,可3日内客服咨询
• 专区发布评论属默认订阅所评论专区(除付费小栈外)