
RE: SYS vs SYSTEM

From: Christopher Spence <cspence_at_FuelSpot.com>
Date: Fri, 15 Jun 2001 05:20:11 -0700
Message-ID: <F001.0032B115.20010615043034@fatcity.com>

One thing I noticed is SYSTEM can do about 95% of the things SYS can do. There isn't a whole lot you cannot do with SYSTEM. But there are some. Using another account is sound advice, as you're less likely to own important objects, and less likely to drop them, as you would never prepend SYS. in a drop statement unless you absolutely wanted to. I have seen dictionary objects dropped many times from someone running DROPOBJ.SQL or something similar under SYS/SYSTEM.

"Walking on water and developing software from a specification are easy if both are frozen."

Christopher R. Spence
Oracle DBA
Fuelspot

-----Original Message-----
Sent: Friday, June 15, 2001 7:25 AM
To: Multiple recipients of list ORACLE-L

Guy:

Maybe I'm too conservative, but I don't even use SYSTEM unless necessary and I hardly ever use SYS. I will usually create my own account and grant it DBA privileges. IMHO, your reasoning here is sound. SYS, as you point out, can do absolutely anything. Therefore, my reasoning is "don't use any more privileges than you have to." That way, you can't get into trouble later. I also feel that this provides a more appropriate security model: everyone has their own account, including DBAs, so privileges can be granted/revoked per user. Also, it saves on having to change the SYS and SYSTEM passwords every time someone leaves the shop or changes roles. For me, it would be like always logging in to a UNIX box as root. More privileges than necessary usually leads to more problems than necessary.

Does that make sense?

-- 

Jon Walthour, OCDBA
Oracle DBA
Computer Horizons
Cincinnati, Ohio



> From: "Guy Hammond" <guy.hammond_at_avt.co.uk>
> Organization: Fat City Network Services, San Diego, California
> Reply-To: ORACLE-L_at_fatcity.com
> Date: Fri, 15 Jun 2001 01:55:43 -0800
> To: Multiple recipients of list ORACLE-L <ORACLE-L_at_fatcity.com>
> Subject: SYS vs SYSTEM
>
> Hi all,
>
> I generally use SYSTEM rather than SYS for DBA work, and would like to
> discourage the use of SYS as much as possible. Partly because it
> bypasses auditing and the profile, and also because I tend to regard SYS
> as being for Oracle-specific things (like running scripts from
> $ORACLE_HOME/rdbms/admin) and SYSTEM for doing the day-to-day tasks
> (like administering storage, performance monitoring etc).
>
> Does this reasoning make sense? And, what would be a good way to explain
> it to developers who've gotten used to writing app installation scripts
> that run as SYS (for example, they might refer to AQ$_AGENT rather than
> SYS.AQ$_AGENT)?
>
> Thanks,
>
> g.
>
> --
> Please see the official ORACLE-L FAQ: http://www.orafaq.com
> --
> Author: Guy Hammond
> INET: guy.hammond_at_avt.co.uk
>
> Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
> San Diego, California -- Public Internet access / Mailing Lists
> --------------------------------------------------------------------
> To REMOVE yourself from this mailing list, send an E-Mail message
> to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
> the message BODY, include a line containing: UNSUB ORACLE-L
> (or the name of mailing list you want to be removed from). You may
> also send the HELP command for other information (like subscribing).
Received on Fri Jun 15 2001 - 07:20:11 CDT
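
The per-DBA account model discussed in this thread, sketched as an added example that is not part of the original messages. The account name, profile name, limits, tablespaces and password are hypothetical placeholders, and the AUDIT statements assume Oracle's traditional (non-unified) auditing.

```sql
-- Added example. jdoe_dba, dba_profile, users and temp are assumed names.

-- A profile for named DBA accounts (SYS is not subject to profile limits).
CREATE PROFILE dba_profile LIMIT
  FAILED_LOGIN_ATTEMPTS 5
  PASSWORD_LIFE_TIME    90;

-- One account per DBA, so access is granted and revoked per person
-- and the SYS/SYSTEM passwords are not shared around the team.
CREATE USER jdoe_dba IDENTIFIED BY "Placeholder_ChangeMe_1"
  DEFAULT TABLESPACE users
  TEMPORARY TABLESPACE temp
  PROFILE dba_profile
  PASSWORD EXPIRE;

GRANT CREATE SESSION TO jdoe_dba;
GRANT DBA TO jdoe_dba;

-- Record logons and the use of the privilege most likely to be
-- involved in an accidental dictionary drop.
AUDIT SESSION;
AUDIT DROP ANY TABLE BY ACCESS;

-- Review: who currently holds the DBA role?
SELECT grantee, admin_option
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
 ORDER BY grantee;

-- Review: objects recently created in the SYS or SYSTEM schemas.
-- Patches and upgrades also create objects here, so treat the
-- result as a list to check, not as proof of a bad install script.
SELECT owner, object_name, object_type, created
  FROM dba_objects
 WHERE owner IN ('SYS', 'SYSTEM')
   AND created > SYSDATE - 30
 ORDER BY created DESC;

-- When the DBA leaves or changes role, only this account changes.
REVOKE DBA FROM jdoe_dba;
ALTER USER jdoe_dba ACCOUNT LOCK;
```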
