Oracl_Listener.

sam15
Is the oracle listener supposed to be run by root user only?

I have a server where I cannot shut down and start the listener using the oracle user.

It does not make sense, because the oracle DBA may not have the system admin root account.

Shall I change the ownership of the file, and what command would you run?
Most Valuable Expert 2011
Top Expert 2012

Commented:
No, the listener should definitely not be run by root.

Normally it is run by the oracle owner

or, better yet, a separate account with less access, especially if you enable external procedure calls.
Top Expert 2011

Commented:
- set the user you log in as to the ora_dba group on Windows or dba group on Unix

Author

Commented:
I checked the listener.ora file and it is owned by the oracle user and belongs to the oinstall group.

The permissions are rw-r--r--.

I assume I just need to add "x" to it so the oracle user can execute.

What permissions code should be granted to the file?
Author

Commented:
Actually, I think I should look at the listener executable file lsnrctl. It is also owned by oracle and executable, but when I try to start or stop it, it tells me no permissions.

Any ideas?

-bash-4.2$ ls -alt lsnr*
-rwxr-x--x 1 oracle oinstall 177788 Jan 05 09:22 lsnrctl
-rwxr-xr-x 1 oracle oinstall      0 Aug 05  2009 lsnrctl0

-bash-4.2$ lsnrctl stop

LSNRCTL for Linux: Version 11.2.0.1.0 - Production on 25-MAY-2012 18:13:23

Copyright (c) 1991, 2009, Oracle.  All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))
TNS-01190: The user is not authorized to execute the requested listener command
Most Valuable Expert 2011
Top Expert 2012

Commented:
are you logged in as oracle?

Author

Commented:
yes. I logged in as oracle. I do not use root account.
Most Valuable Expert 2011
Top Expert 2012

Commented:
sorry I let this one drop off my radar.


what does your listener.ora look like?

if you want, before posting, you can remove any static registration entries as they aren't pertinent to the problem
Verify that the ORACLE_HOME  + PATH are the same as the ORACLE_HOME where the listener was started from:
$ lsnrctl
LSNRCTL> show oracle_home


:p

Author

Commented:
LSNRCTL for Linux: Version 11.2.0.1.0 - Production on 29-MAY-2012 18:59:50

Copyright (c) 1991, 2009, Oracle.  All rights reserved.

Welcome to LSNRCTL, type "help" for information.

LSNRCTL> show ORACLE_HOME
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))
TNS-01190: The user is not authorized to execute the requested listener command
LSNRCTL>

-bash-4.2$ echo $ORACLE_HOME
/u01/app/oracle/product/11.2.0/dbhome_1

See the attached file for listener.ora. I have two listeners running because of some requirements.

listener.txt
Most Valuable Expert 2012
Distinguished Expert 2018

Commented:
Please post the results of the following from lsnrctl:  show current_listener
Richard Olutola, Consultant

Commented:
I noticed you're on 11.2. Do you have a separate infrastructure owner? If so, you should try starting or stopping the listener as that user because listener would have been installed under that account. Just a thought.
R.
rolutola is correct; that is why I suggested verifying the ORACLE_HOME from where the listener was started.
;)

Author

Commented:
LSNRCTL> show current_listener
Current Listener is LISTENER

How do I check if there is a different infrastructure owner? I did not install the software.
I see that all directories under oracle home are owned by user "oracle".

The lsnrctl is also owned by the oracle user and I log in using the oracle user.
So I am still not sure why it won't let me run some of the listener commands unless I log in as root.
Richard Olutola, Consultant
Commented:
Check for all instances of lsnrctl with

locate lsnrctl

This will list all occurrences and that will tell us who else may own lsnrctl.

Also cat /etc/passwd and show us the last few names there, especially about 5 before and after oracle.

R.
Or you could also use the command:
$ ps -ef|grep tns

:p

Author

Commented:
Here are the results

-bash-4.2$ locate lsnrctl
/OraDb11g/network.112/e10835/lsnrctl.htm
/u01/app/oracle/product/11.2.0/dbhome_1/bin/lsnrctl
/u01/app/oracle/product/11.2.0/dbhome_1/bin/lsnrctl0

-bash-4.2$ cd $ORACLE_HOME
-bash-4.2$ pwd
/u01/app/oracle/product/11.2.0/dbhome_1
-bash-4.2$ cd bin
-bash-4.2$ ls -alt lsnr*
-rwxr-x--x 1 oracle oinstall 177788 Jan 15 09:22 lsnrctl
-rwxr-xr-x 1 oracle oinstall      0 Aug 01  2009 lsnrctl0




oracle:x:502:506::/home/oracle:/bin/bash
mike:x:503:503:Mike:/home/mike:/bin/bash


-bash-4.2$ ps -ef|grep tns
root        10     2  0  2011 ?        00:00:00 [netns]
oracle    2045  1550  0 15:21 pts/0    00:00:00 grep --color=auto tns
daemon    4789     1  0 May17 ?        00:02:38 /u01/app/oracle/product/11.2.0/dbhome_1/bin/tnslsnr LISTENER -inherit
daemon    9094     1  0 May18 ?        00:00:55 /u01/app/oracle/product/11.2.0/dbhome_1/bin/tnslsnr listener_tips -inherit
Richard Olutola, Consultant

Commented:
What errors do you get when you attempt to start or stop the listener?
Is the listener currently up or down?

R.

Author

Commented:
I can't start/stop the listener using the oracle account (only root).

-bash-4.2$ lsnrctl stop

LSNRCTL for Linux: Version 11.2.0.1.0 - Production on 25-MAY-2012 18:13:23

Copyright (c) 1991, 2009, Oracle.  All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))
TNS-01190: The user is not authorized to execute the requested listener command
Richard Olutola, Consultant

Commented:
What do you mean by
"I can't start/stop the listener using the oracle account (only root)"?

Are you logged in as root or are you logged in as oracle?

Do you know if the listener is password protected?

R.
Most Valuable Expert 2012
Distinguished Expert 2018
Commented:
>>Do you know if the listener is password protected?

There are no password entries in the posted listener.ora file.  Also, in 11gR2 this has been deprecated.


From post http:#a38043052 the listener was started by 'daemon'.  Per the docs, only this user and root can do anything with the listener.

I suggest you change your startup scripts to start the listener as oracle.

http://docs.oracle.com/cd/E11882_01/network.112/e10836/listenercfg.htm#autoId8

As a policy, the listener can be administered only by the user who started it. This is enforced through local operating system authentication. For example, if user1 starts the listener, then only user1 can administer it. Any other user trying to administer the listener gets an error. The super user is the only exception.
From the following:
-bash-4.2$ ps -ef|grep tns
root        10     2  0  2011 ?        00:00:00 [netns]
daemon    4789     1  0 May17 ?        00:02:38 /u01/app/oracle/product/11.2.0/dbhome_1/bin/tnslsnr LISTENER -inherit
daemon    9094     1  0 May18 ?        00:00:55 /u01/app/oracle/product/11.2.0/dbhome_1/bin/tnslsnr listener_tips -inherit
You have TWO listeners executing and both were NOT started as the "oracle" account.

You must log in as root and "kill" those processes, then log in as oracle and start the listener.
:p

Author

Commented:
<<I suggest you change your startup scripts to start the listener as oracle.>>

How can this be done if the listener will not start/stop if I log in as oracle? The script will do the same stuff as individual commands.

There is no user "daemon" on the machine. This must be a unix thing. I did not install the software, but it seems they may have created a listener using a root account.

Can't I change the ownership of tnslsnr from "daemon" to "oracle", or shall I delete the listener using root and create a new listener using the oracle account using Net Manager?
Ooops, missed slightwv's comment...he is absolutely right!
:)
Most Valuable Expert 2012
Distinguished Expert 2018

Commented:
Daemon is not an actual user:
http://en.wikipedia.org/wiki/Daemon_(computing)

You can probably check the parent pid to see what started it.  It is likely a startup script executed as root and not oracle.

>>Can't I change the ownership of tnslsnr from "daemon" to "oracle"

Yes, do what was posted in http:#a38048742:  kill the processes as root and restart the listeners as oracle. No need to reconfigure anything with netca.

You will also need to work with the sys admin to configure the startup scripts to run oracle processes as the oracle user.
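
The ownership check discussed above, as an added example that is not part of the original thread: it reads `ps -eo user,pid,ppid,args` output, finds every `tnslsnr` process, and flags listeners whose OS owner differs from the account expected to administer them, printing the parent pid so the startup script can be traced. `EXPECTED_OWNER`, the function names and the embedded sample (constructed, modelled on the `ps` output posted in the thread) are assumptions.

```shell
#!/bin/sh
# Added example: audit which OS account owns each running tnslsnr process.
# EXPECTED_OWNER and the function names are assumptions for this sketch.
EXPECTED_OWNER="${EXPECTED_OWNER:-oracle}"

# Constructed sample in `ps -eo user,pid,ppid,args` layout.
SAMPLE_PS='USER       PID  PPID COMMAND
root        10     2 [netns]
oracle    2045  1550 grep --color=auto tns
daemon    4789     1 /u01/app/oracle/product/11.2.0/dbhome_1/bin/tnslsnr LISTENER -inherit
daemon    9094     1 /u01/app/oracle/product/11.2.0/dbhome_1/bin/tnslsnr listener_tips -inherit'

# audit_listeners: read ps lines on stdin, print one verdict line per listener.
# Output fields: STATUS listener_name owner pid ppid
audit_listeners() {
  awk -v want="$EXPECTED_OWNER" '
    NR == 1 && $1 == "USER" { next }              # skip the ps header
    $4 == "tnslsnr" || $4 ~ /\/tnslsnr$/ {        # the binary itself, not "grep tns"
      name = ($5 == "" || $5 ~ /^-/) ? "LISTENER" : $5   # default listener name
      status = ($1 == want) ? "OK" : "MISMATCH"
      printf "%s %s %s %s %s\n", status, name, $1, $2, $3
    }'
}

# count_mismatches: number of listeners not owned by EXPECTED_OWNER.
count_mismatches() {
  audit_listeners | grep -c '^MISMATCH' || true
}

# report: readable summary of who can run lsnrctl start/stop against each listener.
report() {
  audit_listeners | while read -r status name owner pid ppid; do
    if [ "$status" = "OK" ]; then
      echo "$name (pid $pid): owned by $owner, administrable by $owner"
    else
      echo "$name (pid $pid): owned by $owner, parent pid $ppid;" \
           "only $owner or root can administer it, expect TNS-01190 for $EXPECTED_OWNER"
    fi
  done
}

# Demo on the constructed sample; on a live host: ps -eo user,pid,ppid,args | report
printf '%s\n' "$SAMPLE_PS" | report
```
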

Author

Commented:
I did kill the two tns processes using the "killall -9 processname" command (Linux) using the process name.

I normally log in as my user account and then su to the root account.

I logged in as oracle and tried to start the listener and I got this error


LSNRCTL> start listener
Starting /u01/app/oracle/product/11.2.0/dbhome_1/bin/tnslsnr: please wait...

TNSLSNR for Linux: Version 11.2.0.1.0 - Production
System parameter file is /u01/app/oracle/product/11.2.0/dbhome_1/network/admin/listener.ora
Log messages written to /u01/app/oracle/diag/tnslsnr/test1/listener/alert/log.xml
Error listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))
TNS-12555: TNS:permission denied
 TNS-12560: TNS:protocol adapter error
  TNS-00525: Insufficient privilege for operation
   Linux Error: 1: Operation not permitted

Listener failed to start. See the error message(s) above...
Most Valuable Expert 2012
Distinguished Expert 2018

Commented:
Try this from:
https://forums.oracle.com/forums/thread.jspa?threadID=931431&tstart=9

cd /u01/app/oracle/product/11.2.0/dbhome_1/bin
strace ./lsnrctl start
