Solved

What does this setting do? Admin_Restrictions_listenerName=ON

Posted on 2008-06-23
3
2,229 Views
Last Modified: 2013-12-18
Hi,

What does the following setting do specifically?

Admin_Restrictions_listenerName=ON

The setting is supposed to be set in the listener.ora file. Where in the file would you set this?

Thank You, Missy Madi
Question by:missymadi
3 Comments
 
LVL 74

Expert Comment

by:sdstuber
ID: 21847338
You can put that anywhere in the listener file.

So, if your listener is called "LISTENER", then

admin_restrictions_listener = ON

will turn it on.

From the 10g Net Services Reference:

ADMIN_RESTRICTIONS_listener_name
Purpose
Use the parameter ADMIN_RESTRICTIONS_listener_name to restrict runtime
administration of the listener. The parameter is useful if the listener is not
password-protected.

Setting ADMIN_RESTRICTIONS_listener_name=on disables the runtime
modification of parameters in listener.ora. That is, the listener will refuse to
accept SET commands that alter its parameters. To change any of the parameters in
listener.ora, including ADMIN_RESTRICTIONS_listener_name itself, modify
the listener.ora file manually and reload its parameters (with the RELOAD
command) for the new changes to take effect without explicitly stopping and
restarting the listener.

Oracle Corporation recommends establishing a password to secure the listener. To
establish an encrypted password, use either the Listener Control utility CHANGE_PASSWORD command or Oracle Net Manager.


0
 
LVL 48

Accepted Solution

by: schwertner (earned 50 total points)
ID: 21847425
> RISK LEVEL: High

> CHECK NAME: ADMIN_RESTRICTIONS flag not set

> DESCRIPTION: The ADMIN_RESTRICTIONS flag has not been set.

> VERSION: Oracle8i and later

> CVE REFERENCE: CVE-2000-0818

> SUMMARY: If a password is not set on the listener service, an attacker can read and write files on the operating system. To alleviate this issue, Oracle added a new parameter called ADMIN_RESTRICTIONS. The ADMIN_RESTRICTIONS flag disables the ability of the listener controller to set parameters, thereby not allowing remote users to set parameters. After setting this parameter, you must edit the listener parameters directly in the listener.ora file.

> OVERVIEW: If the listener password has not been set properly, an attacker can set any of the listener parameters. With this ability, an attacker could change the location or name of the trace or log file to create new files or append data to existing files. Once the log or trace file is changed, packets can be generated and sent to the listener which in turn will write them to the trace and log files.

This attack can be mounted by any remote users that can send packets to the IP address and port of the listener. It cannot be mounted by an attacker outside your organization if a firewall is properly protecting the database.

This type of attack results in the following possible issues:

- corrupting files such as the database files

- creating files such as .rhost files allowing access directly to the operating system

For instance, a packet with a connect string formatted as below would write a `+ +` on a single line, enough to allow an attacker to rlogin to the operating system.

(CONNECT_DATA=((

+ +

To alleviate this issue, Oracle released a patch which added a flag to the listener.ora file. The new parameter, ADMIN_RESTRICTIONS_[listener_name], can be set in the listener.ora, the control file for the Oracle listener program. Replace the [listener_name] within the parameter name with the listener name for the specific listener the patch is being applied to. Setting ADMIN_RESTRICTIONS_[listener_name]=ON stops an attack by not allowing run-time modification of parameters in listener.ora. After setting this parameter, the listener program will refuse to accept SET commands that alter its parameters, and attempting to issue a SET command will result in the generation of an error message. Thus, to change any one of the parameters in listener.ora, including ADMIN_RESTRICTIONS_[listener_name] itself, this file needs to be edited directly and the parameters need to be reloaded (e.g., LSNRCTL RELOAD) for the new changes to take effect. You can also stop and restart the listener program to reload these parameters. Operating system access to the protected Oracle account owner directories and files is required to edit listener.ora. Note that the Oracle account owner directories and files must be protected on the operating system by setting the access control permissions on them as recommended by Oracle Corporation in its user manuals.

ADMIN_RESTRICTIONS_[listener_name]=OFF is the default value when the listener program is installed in order to maintain current customer environments and backward compatibility. There is no change in the run-time behavior of the listener program or in the syntax of the SET commands in this mode of operation. You should set the listener password even if you have set this parameter.

> FIX/RECOMMENDATION: To set the parameter, add or modify the ADMIN_RESTRICTIONS_[listener name] parameter in the listener.ora file. Add the line ADMIN_RESTRICTIONS_[listener name] = ON (where [listener name] is the actual listener name in the listener.ora file).

Then use the lsnrctl process to stop and start the Oracle listener or to reload the parameters. This will stop any value from being dynamically set.
0
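As an added example that is not part of the thread or of Oracle's own tooling: a small Python audit that parses a constructed listener.ora, reports whether each listener defined in it has ADMIN_RESTRICTIONS_<listener_name> set to ON, and returns a corrected copy of the file for every listener still at the default. The listener names, host and paths in the sample are made up; after writing the corrected file you would still run lsnrctl reload (or stop/start) as the answer describes.

```python
import re

# Constructed sample listener.ora (not from the thread): two listeners,
# only LISTENER has the restriction set; LISTENER_DG is left at the default (OFF).
SAMPLE_LISTENER_ORA = """\
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example.com)(PORT = 1521))
    )
  )
LISTENER_DG =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example.com)(PORT = 1522))
  )
SID_LIST_LISTENER =
  (SID_LIST = (SID_DESC = (SID_NAME = ORCL)(ORACLE_HOME = /u01/app/oracle)))
ADMIN_RESTRICTIONS_LISTENER = ON
LOG_DIRECTORY_LISTENER_DG = /u01/app/oracle/network/log
"""

# A listener definition is a top-level "NAME =" whose value opens with
# (DESCRIPTION...) or (ADDRESS...); SID_LIST_* and per-listener parameters do not.
_LISTENER_DEF = re.compile(r"^(\w+)\s*=\s*\((?:DESCRIPTION|ADDRESS)", re.M | re.I)


def listener_names(text):
    """Return the listener names defined in a listener.ora, in file order."""
    return list(dict.fromkeys(m.group(1).upper() for m in _LISTENER_DEF.finditer(text)))


def admin_restrictions_value(text, name):
    """Return the ADMIN_RESTRICTIONS_<name> value (upper-cased), or None if absent."""
    m = re.search(rf"^[ \t]*ADMIN_RESTRICTIONS_{re.escape(name)}[ \t]*=[ \t]*(\w+)",
                  text, re.M | re.I)
    return m.group(1).upper() if m else None


def unprotected_listeners(text):
    """Listeners whose parameters can still be changed at runtime with SET (absent = OFF)."""
    return [n for n in listener_names(text) if admin_restrictions_value(text, n) != "ON"]


def harden(text):
    """Return listener.ora text with ADMIN_RESTRICTIONS_<name> = ON for every listener.
    Replaces an existing OFF line, otherwise appends; caller writes the file and reloads."""
    for name in unprotected_listeners(text):
        pat = re.compile(rf"^[ \t]*ADMIN_RESTRICTIONS_{re.escape(name)}[ \t]*=.*$", re.M | re.I)
        line = f"ADMIN_RESTRICTIONS_{name} = ON"
        text = pat.sub(line, text) if pat.search(text) else text.rstrip("\n") + f"\n{line}\n"
    return text
```

Running unprotected_listeners over your real listener.ora lists the listeners the scanner check above would flag; harden produces the text to write back before lsnrctl reload.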
 
LVL 74

Expert Comment

by:sdstuber
ID: 21857067
schwertner, wouldn't you say a split is in order here?
0
