Additional security considerations – Oracle B12255-01 User Manual


Oracle HTTP Server Processing Model

Managing Server Processes

4-3

Additional Security Considerations

For additional security on UNIX, you can change the user to “nobody”. Be sure that
the child processes can accomplish their tasks as the user “nobody”. Change the
permissions on all static content, such as the ORACLE_HOME/Apache/Apache/htdocs
directory on UNIX or ORACLE_HOME\Apache\Apache\htdocs on Windows, so that all
the files are readable, but ideally not writable, by the user “nobody”. Also, verify
that all the CGI and FastCGI programs can be run by the user “nobody”.

After making manual configuration changes to DAD passwords, it is recommended
that the DAD passwords be obfuscated by running the “dadTool.pl” script
located in ORACLE_HOME/Apache/modplsql/conf.

If your PL/SQL application is using the file-system caching functionality in
mod_plsql, then the httpd processes should have read and write privileges to the
cache directory specified through the parameter PlsqlCacheDirectory in
ORACLE_HOME/Apache/modplsql/conf/cache.conf on UNIX or
ORACLE_HOME\Apache\modplsql\conf\cache.conf on Windows. By default, this
parameter points to ORACLE_HOME/Apache/modplsql/cache on UNIX or
ORACLE_HOME\Apache\modplsql\cache on Windows.

Finally, given that the cached content might contain sensitive data, the final contents
of the file-system cache should be protected. So, although Oracle HTTP Server
might run as “nobody”, access to the system as this user should be well-protected.
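
The permission checks described above for static content, CGI programs and the
mod_plsql cache directory can be scripted. The following is an added example, not
part of the Oracle manual: the audit() helper and its "static", "cgi" and "cache"
kinds are hypothetical names, and the rule that cache entries carry no permissions
for "other" is this example's assumed way of protecting cached content. It reads
classic UNIX mode bits only and ignores ACLs.

```python
import os
import stat
import sys

def effective_rwx(st, uid, gids):
    """rwx bits (0-7) that apply to uid/gids, from the classic mode bits only."""
    if st.st_uid == uid:
        shift = 6   # owner bits
    elif st.st_gid in gids:
        shift = 3   # group bits
    else:
        shift = 0   # other bits
    return (st.st_mode >> shift) & 0o7

def audit(root, uid, gids, kind):
    """Return sorted (path, problem) findings for a 'static', 'cgi' or 'cache' tree."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symbolic links are not followed in this sketch
            is_dir = stat.S_ISDIR(st.st_mode)
            rwx = effective_rwx(st, uid, gids)
            # Read always; search on directories; execute on CGI programs.
            need = 0o4 | (0o1 if is_dir or kind == "cgi" else 0)
            if kind == "cache":
                need |= 0o2  # httpd must be able to write cache entries
            if (rwx & need) != need:
                findings.append((path, "server user lacks required access"))
            if kind == "static" and (rwx & 0o2):
                findings.append((path, "writable by server user"))
            # Assumed policy: cached pages may be sensitive, so nothing for "other".
            if kind == "cache" and (st.st_mode & 0o007):
                findings.append((path, "cache entry accessible to other users"))
    return sorted(findings)

if __name__ == "__main__":
    import pwd  # UNIX only
    if len(sys.argv) != 3 or sys.argv[2] not in ("static", "cgi", "cache"):
        sys.exit("usage: audit.py DIRECTORY static|cgi|cache")
    pw = pwd.getpwnam("nobody")
    groups = set(os.getgrouplist(pw.pw_name, pw.pw_gid))
    for path, problem in audit(sys.argv[1], pw.pw_uid, groups, sys.argv[2]):
        print(f"{problem}: {path}")
```

A cache directory that “nobody” can reach only through the "other" bits is
reported under the "cache" kind, because any local account could then read the
cached pages.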

See Also: "PlsqlDatabasePassword" on page 7-36 for instructions on performing
the obfuscation.

See Also: "mod_plsql" on page 7-19
