I got an interesting post on my Oracle security forum yesterday from Ron who said he was having difficulty finding any information on how to install Apache with the Oracle database as a differnet user than the owner of the Oracle database software. The reason for doing so is for security reasons that if apache runs as a lower privileged user then even if it is exploited then the hacker does not gain access to the rest of the Oracle installation.
I have done this before and have written about it but could not lay my hands on where. I know that someone has told me that they had installed the oracle software doing a custom install and not choosing the httpd install then then restarted the OUI as a differnt user and simply just installed apache from the Oracle CD and it worked fine. I have not tested this method myself, maybe I will!. The way I did it was by creating a seperare apache user and group and, well doing what Roger Shrag describes in his paper http://www.dbspecialists.com/presentations/oracle920solaris.html - (broken link) Installing and Configuring Oracle9i on the Solaris Platform. This is a excellent paper. He tells how to create an apache user, how to install Oracle, then stop apache, change the ownership of the files and then restart apache as the new user.
Great paper and well worth reading.
Blog
Pete Finnigan's Oracle Security Weblog
This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.
[Previous entry: "The possible complexity level of Oracle database passwords is in question"] [Next entry: "Another way to monitor the listener log for brute force attacks"]
December 2005
- Pete Finnigan is back after a week away from blogging! - 12/03/2005 by 12/03/2005
- A sample package to manipulate LDAP - 12/04/2005 by 12/04/2005
- Oracle security checklist - 12/05/2005 by 12/05/2005
- Bugs - 12/06/2005 by 12/06/2005
- I am presenting at the DBMS SIG in Melton Mowbray about Oracle security - 12/07/2005 by 12/07/2005
- DBMS SIG conference today - A security focus - 12/08/2005 by 12/08/2005
- Good overview of SOA security - 12/09/2005 by 12/09/2005
- Arup's new book and some networking - 12/10/2005 by 12/10/2005
- A useful perl script to check for listener password brute force attempts - 12/11/2005 by 12/11/2005
- Integration Promises Still Haunting Oracle - 12/14/2005 by 12/14/2005
- The possible complexity level of Oracle database passwords is in question - 12/15/2005 by 12/15/2005
- Another way to monitor the listener log for brute force attacks - 12/16/2005 by 12/16/2005
- A new book "Cryptography in the Database: The Last Line of Defense" - 12/17/2005 by 12/17/2005
- Some more thoughts on the weakness of Oracle database passwords - 12/20/2005 by 12/20/2005
- Mary Ann Davidson announces that Fortify software will be used to find security holes in Oracle software - 12/21/2005 by 12/21/2005
- standalone discoverer clients now sso compliant for E-Business Suite users - 12/22/2005 by 12/22/2005
- A very happy christmas to everyone - 12/24/2005 by 12/24/2005
- State of the nation: referral spam, comments, content management, dedicated hosting and more - 12/29/2005 by 12/29/2005
- Spammers again... - 12/30/2005 by 12/30/2005
- More detailed analysis of the new Oracle worm - 12/31/2005 by 12/31/2005
Archives
Syndication
Powered by gm-rss 2.0.0
