Oracle Audio Technologies B10508-01 User's Manual

Security Information
Oracle9i Installation Guide Release 2 (9.2.0.2) for HP Alpha OpenVMS
Changing the "carriage-control" attribute on socket (BG) devices.  The server 
also enables or disables (or both) the carriage-control attribute on BG (socket) 
devices for certain stream operations.
Two protected, shareable images are installed at startup to allow the server to 
perform these functions:
APACHE$PRIVILEGED.EXE (exec-mode services)
APACHE$FIXBG.EXE (kernel-mode services)
The APACHE$PRIVILEGED.EXE image provides exec-mode services for binding to 
privileged sockets and fetching user default path information. Access to these 
services is limited to processes running under the ORACLE username and is 
controlled by the APACHE$PLV_ENABLE_APACHE$WWW logical name. This 
logical name is defined as:
"APACHE$PLV_ENABLE_APACHE$WWW" = "3,80,1023"
The "3,80,1023" string represents three parameters where:
The first parameter (3) is a bit-mask which enables or disables the two services:
Bit 0 controls binding to privileged ports.
Bit 1 controls fetching user default path information.
The second and third parameters are the minimum and maximum port numbers 
that are allowed to be bound.
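The following decoder for the "mask,min,max" string is an added example, not code from the manual or from Oracle. It can be used to review the value of APACHE$PLV_ENABLE_APACHE$WWW against the ports the server is configured to listen on. The names PlvPolicy, parse_plv_enable and review are hypothetical, and the code assumes that the port bounds are inclusive, that undefined mask bits should be rejected, and that privileged ports are those below 1024.

```python
from dataclasses import dataclass

BIND_PRIVILEGED = 0x1  # bit 0: binding to privileged ports
FETCH_USER_PATH = 0x2  # bit 1: fetching user default path information


@dataclass(frozen=True)
class PlvPolicy:
    bind_enabled: bool
    user_path_enabled: bool
    min_port: int
    max_port: int

    def may_bind(self, port: int) -> bool:
        # Assumption: the minimum and maximum are inclusive bounds.
        return self.bind_enabled and self.min_port <= port <= self.max_port


def parse_plv_enable(value: str) -> PlvPolicy:
    """Decode a "mask,min,max" string such as "3,80,1023"."""
    fields = [f.strip() for f in value.strip().strip('"').split(",")]
    if len(fields) != 3 or not all(f.isascii() and f.isdigit() for f in fields):
        raise ValueError(f"expected three decimal fields, got {value!r}")
    mask, lo, hi = (int(f) for f in fields)
    if mask & ~(BIND_PRIVILEGED | FETCH_USER_PATH):
        # Only bits 0 and 1 are described; rejecting others is an audit choice.
        raise ValueError(f"undocumented bits set in mask {mask}")
    if not (0 <= lo <= hi <= 65535):
        raise ValueError(f"invalid port range {lo}-{hi}")
    return PlvPolicy(bool(mask & BIND_PRIVILEGED),
                     bool(mask & FETCH_USER_PATH), lo, hi)


def review(policy: PlvPolicy, listen_ports: list[int]) -> list[str]:
    """Compare the policy with the ports the server is configured to use."""
    # Assumption: ports below 1024 are the privileged ones needing the service.
    findings = [f"port {p} cannot be bound under this policy"
                for p in listen_ports if p < 1024 and not policy.may_bind(p)]
    if policy.bind_enabled:
        unused = (policy.max_port - policy.min_port + 1
                  - sum(policy.may_bind(p) for p in set(listen_ports)))
        if unused:
            findings.append(f"{unused} bindable ports are not in use")
    return findings


if __name__ == "__main__":
    documented = parse_plv_enable('"3,80,1023"')  # value shown in the manual
    print(documented)
    print(review(documented, [80, 443]))  # constructed listener list
```

A narrower range such as "3,80,80" (a constructed value) leaves no unused bindable ports when the server listens only on port 80.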
When a call to either service is made, the service code:
1. Temporarily enables the privileges SYSPRV, OPER, SYSNAM, and NETMBX.
2. Performs the function.
3. Restores the process's original privileges.
The APACHE$FIXBG.EXE_ALPHA image provides a kernel-mode service for 
manipulating the carriage-control attribute for BG devices that are owned by the 
calling process. No special access control exists on this service. This function can 
also be performed using the setsockopt C RTL run-time call, but it is not 
supported by all TCP/IP stack vendors, which is the reason this service exists. 
This service does not enable privileges, but executes in kernel mode.
Privileges Required to Start and Stop the Server
The Oracle HTTP Server runs under the ORACLE username and UIC and is started 
as a detached, network process. During startup, protected images are installed and