Oracle9i Installation Guide, part 4
Setup Tasks to Perform as root User
Pre-Installation Requirements 2-33

Setting up the Oracle HTTP Server for Installation

During installation, the user account that owns the Oracle HTTP Server software
must be a member of the ORAINVENTORY group in order to complete installation.
The Oracle HTTP Server also must be started by the root user in order for ports
reserved for root to be made available to the database and applications. For
security reasons, Oracle Corporation recommends that provisions be made to
change the Oracle HTTP Server group membership to a low-privileged group, and
to transfer ownership of Oracle HTTP Server processes from root to a
low-privileged account.

Improving Oracle HTTP Server Security After Installation

To improve security for database and application processes, create the Apache user.
Configure the Oracle HTTP Server to transfer ownership of its processes from root
to the Apache user by using the Apache configuration parameter user, which
resets user ownership of processes spawned by Apache once the server starts.
Assign ownership of listener and module actions for the Oracle HTTP Server to this
user. This post-installation process is described in "Changing Group Membership of
the Apache User" on page 4-4.

Assign required access privileges to all Apache related module components to this
user such that Apache and its modules can function as expected while minimizing
security risks.

The Apache user should have minimal user privileges, and should not be a member
of any groups whose files are not intended to be visible to the public. The nobody
user account that many UNIX systems have can serve as a model for the Apache
user. Be aware that all Web servers open to the public are at risk of being
compromised, and take measures accordingly to minimize exposure to that risk.

Table 2–9 describes the properties of the Apache account.

Caution: Configuring the Apache user with OSDBA group or
oracle user privileges compromises database security. If the
Apache user needs additional rights to run programs, use the
Apache suEXEC feature to obtain additional rights for the Apache
user.

If a user other than root starts the Oracle HTTP Server, any
scripts, servlets, or programs spawned by the Oracle HTTP Server
will have the same privileges as that user.

Table 2–10 lists the utilities to create the Apache user. Use the utility that
corresponds to your platform.

Table 2–9 Properties of the Apache User for Installation

Property        Description
--------------  ------------------------------------------------------------
Login Name      The Apache user may be given any name, but this guide refers
                to it as the Apache user.
Primary GID     The primary group must be the same group that owns the
                oraInventory directory. The location of the oraInventory
                directory is defined in the /etc/oraInst.loc file for AIX.
                The location of the oraInventory directory is defined in the
                /var/opt/oracle/oraInst.loc file for HP, Linux, Solaris,
                and Tru64. The default group name that has ownership of the
                oraInventory directory is the ORAINVENTORY group. For
                security reasons, this group ownership must be changed after
                installation. For more information, see "Changing Group
                Membership of the Apache User" on page 4-4.
Secondary GID   The secondary group should be one in which only the Apache
                user is a member.
Home Directory  Choose a home directory consistent with other user home
                directories.

Table 2–10 Utility to Add the Apache User

Platform  Utility
--------  ------------------------------------------------------
AIX       smit
HP        sam
Linux     useradd (any GNOME or KDE based User Admin Tool)
Solaris   admintool or useradd
Tru64     adduser or useradd
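
The group rules in Table 2–9 and the Caution about OSDBA membership can be checked after installation with a small audit. The POSIX shell code below is an added example, not part of the Oracle guide: it reads the user directive from an httpd.conf-style file and reports whether that account still belongs to a privileged group. All file contents are constructed, and the names dba, oinstall and apachegrp are assumptions standing in for the OSDBA group, the ORAINVENTORY group and the Apache user's secondary group.

```shell
# Constructed sample data throughout; "dba"/"oinstall" are assumed names for the
# OSDBA and ORAINVENTORY groups, and "apachegrp" is a hypothetical secondary group.

# Print the value of the last "User" directive in an httpd.conf-style file.
conf_user() { awk 'tolower($1) == "user" { u = $2 } END { print u }' "$1"; }

# Print each group of user $1, one per line ($2 = passwd file, $3 = group file).
user_groups() {
    awk -F: -v u="$1" '
        NR == FNR && $1 == u { gid = $4; found = 1 }
        NR == FNR { next }
        found && $3 == gid { print $1; next }
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }
    ' "$2" "$3"
}

# Print findings; return 1 on any. $1 = httpd.conf, $2 = passwd, $3 = group,
# $4 = space-separated list of groups the Apache user must not belong to.
audit_apache_user() {
    user=$(conf_user "$1"); bad=""
    if [ -z "$user" ] || [ "$user" = "root" ]; then
        echo "FAIL: User directive is missing or names root"; return 1
    fi
    for g in $(user_groups "$user" "$2" "$3"); do
        case " $4 " in *" $g "*)
            echo "FAIL: $user is a member of privileged group $g"; bad=1 ;;
        esac
    done
    [ -z "$bad" ] || return 1
    echo "OK: $user holds no privileged group membership"
}

# Write sample files into directory $1; $2 is the Apache user's primary GID.
make_sample() {
    printf '%s\n' '# constructed fragment' 'User apache' > "$1/httpd.conf"
    printf '%s\n' 'root:x:0:0::/root:/bin/sh' 'oracle:x:500:501::/home/oracle:/bin/sh' \
        "apache:x:510:$2::/home/apache:/bin/false" > "$1/passwd"
    printf '%s\n' 'dba:x:500:oracle' 'oinstall:x:501:oracle' \
        'apachegrp:x:510:apache' > "$1/group"
}

d=$(mktemp -d)
make_sample "$d" 501    # install-time state: primary group owns oraInventory
audit_apache_user "$d/httpd.conf" "$d/passwd" "$d/group" "dba oinstall" || true
make_sample "$d" 510    # post-install state: primary group changed
audit_apache_user "$d/httpd.conf" "$d/passwd" "$d/group" "dba oinstall" || true
rm -rf "$d"
```

On a real host, pass the server's own httpd.conf, /etc/passwd and /etc/group, and replace the group list with the site's actual OSDBA and oraInventory group names.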