TNS-01190: The user is not authorized to execute the requested listener command Oracle Tips by Burleson Consulting

Question: When I try to start my Oracle listener process (using the lsnrctl start command), I get "TNS-01190: The user is not authorized to execute the requested listener command" error.  How can I make the listener ask the users about the password?

Answer:  This is a very common misconception and the behavior changes dramatically between Oracle 9i and 10g.  See this great note Oracle Listener Security & passwords for understanding the 9i and 10g listener password management.

Arup Nanda's book "Oracle Privacy Security Auditing" has an excellent section on security configuration.  Arup Nanda has a really good note on Oracle listener password management here:

Listener Password

When you set a password for the listener, the user must supply the correct password before issuing some damaging commands such as stopping the listener. Note: this behavior is different across Oracle versions. In Oracle 9i and earlier, a password, if set, applies to any user trying to manipulate the listener. In Oracle 10g and later, the Oracle software owner without a password can manipulate the listener. So, if a user other than the software owner tries to manipulate the listener, he has to supply the correct password, else he gets the following error:

TNS-01190: The user is not authorized to execute the requested listener command

And this message also finds its way to the listener log file such as the following line:

06-NOV-2005 13:45:06 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=prolin01)(USER=ananda

))(COMMAND=stop)(ARGUMENTS=64)(SERVICE=LISTENER_PROLIN01)(VERSION=168821760)) *

 stop * 1190

TNS-01190: The user is not authorized to execute the requested listener command

We can mine this information from the listener log using our tool. Note an important difference, however. This line has just four fields, not the usual six. Therefore, the field ACTION will show the last field on this line — the return code, i.e., 1190.

col l_user format a10

col service format a20

col logdate format a20

col host format a10

col RC format a5

select to_char(log_date,'mm/dd/yy hh24:mi:ss') logdate,
parse_listener_log_line(connect_string,'HOST') host,
       parse_listener_log_line(connect_string,'USER') l_user,
       parse_listener_log_line(connect_string,'SERVICE') service,
       action RC
from listener_log
where parse_listener_log_line(connect_string, 'COMMAND') = 'stop';

 

The output is:

 

LOGDATE              HOST       L_USER     SERVICE              RC
-------------------- ---------- ---------- -------------------- -----
10/16/05 05:35:41    prolin01   oraprol    LISTENER_PROLIN01    0
10/27/05 21:04:50    prolin01   oraprol    LISTENER_PROLIN01    0
11/06/05 13:45:06    prolin01   ananda     LISTENER_PROLIN01    1190
11/06/05 13:46:00    prolin01   ananda     LISTENER_PROLIN01    0

Read the lines of the previous example carefully. On one occasion, on 11/06/05 13:45:06, the user “ananda” issued the stop command to the listener LISTENER_PROLIN01, without supplying the right password. Does this indicate an attack? The answer lies in the next line. About a minute later, at 13:46, the user probably realized the mistake in the password and supplied the right one and started the listener properly, as shown by the Return Code of “0.”

Note:  Starting in 11gR2, the listener log is not activated by default.  You have to turn on listener logging:   logging_listener_name=on

Also see:

• Oracle Listener Security & passwords

• Blocking Oracle access by IP Addresses

• Assigning Oracle user security roles

• Oracle passwords - changing, expiring and locking users

---

If you like Oracle tuning, you may enjoy Burleson's new book "Oracle Tuning: The Definitive Reference", over 900 pages of my favorite tuning tips & scripts.  You can buy it direct from the publisher for 30%-off and get instant access to the code depot of Oracle tuning scripts.