Specifying the Listener Configuration

It is the Oracle Net communications layer that provides the conduit between PL/SQL and the shared libraries. Although default installations of Oracle8i and later generally provide some support for external procedures, you probably don't want to use the out-of-the-box configuration until Oracle has made some significant security enhancements.

At the time of this writing, Oracle is still suffering a bit of a black eye from a security vulnerability arising from the external procedures feature. Specifically, a remote attacker could connect via the Oracle Net TCP/IP port (usually 1521) and run extproc with no authentication. So one of the things you could do to enhance your security would be:

Keep Oracle listeners behind a firewall; never expose a listener port to the Internet or any other untrusted network.

Getting the listener set up properly involves modifying the tnsnames.ora and the listener.ora files (either by hand or by using the Oracle Net Manager front end). Here, for example, is a simple listener.ora file that sets up an external procedure listener that is separate from the database listener:

LISTENER =
  (ADDRESS = (PROTOCOL = TCP)(HOST = hostname)(PORT = 1521))

EXTPROC_LISTENER =
  (ADDRESS = (PROTOCOL = IPC)(KEY = extprocKey))

SID_LIST_LISTENER =
  (SID_DESC =
    (GLOBAL_DBNAME = global_name)
    (ORACLE_HOME = oracle_home_directory)
    (SID_NAME = SID)
  )

SID_LIST_EXTPROC_LISTENER =
  (SID_DESC =
    (SID_NAME = extprocSID)
    (ORACLE_HOME = oracle_home_directory)
    (ENVS="EXTPROC_DLLS=ONLY:shared_object_file_list")
    (PROGRAM = extproc)
  )

where:

extprocKey

A short identifier used by Oracle Net to distinguish this listener from other potential IPC listeners. Its actual name is arbitrary, because your programs will never see it. Oracle uses EXTPROC0 as the default name for the first Oracle Net installation on a given machine. This identifier must be the same in the address list of listener.ora and in the tnsnames.ora file.

hostname

The name or IP address of this machine. This parameter does not apply to external procedures that listen only via interprocess communication (IPC).

oracle_home_directory

The full pathname to your ORACLE_HOME directory, such as /u01/app/oracle/product/9.2 on Unix or C:\ORACLE\ora92 on Microsoft Windows. Notice that there are no quotation marks around the directory name, and no trailing slash.

extprocSID

An arbitrary unique identifier for the external procedure listener. In the default installation, Oracle uses the value PLSExtProc.

ENVS="EXTPROC_DLLS=ONLY:shared_object_file_list"

(Oracle9i Release 2) The ENVS clause sets up environment variables for the listener. This example sets the EXTPROC_DLLS environment variable to the setting that provides maximum security—as specified by the keyword ONLY—to allow execution of only those shared libraries given by the colon-delimited list.

Here is an example from my Solaris machine of what this might look like:

(ENVS="EXTPROC_DLLS=ONLY:/u01/app/oracle/admin/local/lib/extprocsh.so:/u01/app/oracle/admin/local/lib/RawdataToPrinter.so")

And here is the entry on my laptop machine, which runs Windows XP:

(ENVS="EXTPROC_DLLS=ONLY:c:\oracle\admin\local\lib\extprocsh.dll:c:\oracle\admin\local\lib\RawDataToPrinter.dll")

Strangely, the colon not only functions as the path delimiter, but also sets apart the normal DOS drive letter. Also note that although I've shown only two library files, you can include as many as you like.

If you're running Oracle9i Release 2 and you omit this value, Oracle only allows you to run those shared library files in one particular Oracle subdirectory: bin under Windows, and lib under Unix. There are additional ways that you can set this value; you can omit the ONLY keyword but still use delimited library files. In this case, both the default directories and the library files are available.

Or, you can throw caution to the wind and use the ANY keyword, which lets you use any shared library that is visible to the operating system user running the external procedure listener.

global_name

Fully qualified database name. This entry does not apply to external procedures.
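
To review which EXTPROC_DLLS policy each extproc entry in a listener.ora actually gets, including the Windows drive-letter colon described above, here is an added example that is not from the original text. The mode labels (ONLY, ANY, LIST_PLUS_DEFAULT, DEFAULT_DIR), the function names, and the sample entry are assumptions made for illustration.

```python
import re

def parse_extproc_dlls(value):
    """Return (mode, libraries) for one EXTPROC_DLLS setting."""
    value = value.strip()
    if value.upper() == "ANY":
        return "ANY", []                 # any library the listener's OS user can see
    mode = "LIST_PLUS_DEFAULT"           # list without ONLY: default directory stays allowed
    if value.upper().startswith("ONLY:"):
        mode, value = "ONLY", value[5:]
    libs, parts, i = [], value.split(":"), 0
    while i < len(parts):
        piece = parts[i]
        nxt = parts[i + 1] if i + 1 < len(parts) else ""
        # A lone letter followed by "\..." or "/..." is a drive letter, not a path
        if len(piece) == 1 and piece.isalpha() and nxt[:1] in ("\\", "/"):
            piece, i = piece + ":" + nxt, i + 1
        if piece:
            libs.append(piece)
        i += 1
    return mode, libs

def sid_descs(text):
    """Yield each balanced (SID_DESC = ...) block found in listener.ora text."""
    for m in re.finditer(r"\(\s*SID_DESC\b", text, re.I):
        depth = 0
        for pos in range(m.start(), len(text)):
            depth += {"(": 1, ")": -1}.get(text[pos], 0)
            if depth == 0:
                yield text[m.start():pos + 1]
                break

def audit(text):
    """Return {SID_NAME: (mode, libraries)} for every SID_DESC that runs extproc."""
    report = {}
    for block in sid_descs(text):
        if not re.search(r"PROGRAM\s*=\s*extproc\b", block, re.I):
            continue                     # ordinary database SID, not an external procedure agent
        sid = (re.search(r"SID_NAME\s*=\s*([^)\s]+)", block, re.I) or [None, "?"])[1]
        env = re.search(r'EXTPROC_DLLS\s*=\s*([^",]+)', block, re.I)
        report[sid] = parse_extproc_dlls(env.group(1)) if env else ("DEFAULT_DIR", [])
    return report

# Constructed sample entry, not taken from a real system
SAMPLE = r'''(SID_DESC = (SID_NAME = PLSExtProc) (PROGRAM = extproc)
  (ENVS="EXTPROC_DLLS=ONLY:c:\oracle\admin\local\lib\extprocsh.dll:c:\oracle\admin\local\lib\RawDataToPrinter.dll"))'''

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Any entry reported as ANY or LIST_PLUS_DEFAULT is looser than the ONLY setting shown above; DEFAULT_DIR means no EXTPROC_DLLS value was set for that entry.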
