Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: Oracle 9i and connect as sys

From: Arup Nanda <orarup_at_hotmail.com>
Date: Sun, 17 Aug 2003 21:14:22 -0800
Message-ID: <F001.005CB3A8.20030817211422@fatcity.com>


A manager who has to create public synonyms himself! Ordinarily I would have had nothing but pure respect for the man who is obviously such a grease monkey; but he proved to be just a monkey.

Damagement title with sys password; boy how I hate to be DBA there! No, to be _anything_ there.

Arup Nanda

> Babette,
>
> This is how database security unravels. Pretty soon, the password to SYS is
> embedded everywhere, used everywhere, and everyone knows it. Thus, the DBA
> ends up with the pager and responsibility for fixing stuff, but everyone
> else can cause that pager to go off with a stupid goof at 3:00am where they
> shouldn't have been able to goof up.
>
> It sounds like the patching utility only needs a couple privileges, but
> instead all of the goddess-like privileges of SYS are provided. Pretty
> soon, it seems normal for people and programs to connect as SYS on a regular
> basis. And so it goes...
>
> A couple alternatives:
>
> * use 9i "GRANT ANY OBJECT PRIVILEGE" to let another account have
> an incredible amount of authority, which is OK if you don't know
> exactly what permissions will be needed ahead of time...
> * grant specific permissions WITH GRANT OPTION to another user, a
> more focused approach than the shotgun "GRANT ANY OBJECT PRIVILEGE"
> approach, provided you know what permissions will be needed ahead
> of time. This has been around forever...
> * encapsulate such actions within a stored procedure owned by SYS,
> which may seem cumbersome but allows all kinds of control. Not just
> "who can do what" (which is basically what permissions and roles
> provide), but also "during what time", "from where", "from what
> program", "from what location", etc...
>
> Just this Friday, I was wrapping up an installation engagement and one of
> the last things we did was change all the passwords. Standard practice.
> Immediately, one of the development managers comes boiling out of his office
> screaming "Who changed the passwords to SYS and SYSTEM?". I 'fessed up and
> asked him why he thought he needed it. He turned red and snarled that he
> just needed it and never you mind, turned on his heel and went in the CIO's
> office, then came boiling back with approval. We turned it over, and within
> 5 minutes I logged back onto the system and saw SQL*Plus running with the
> SYS/SYSTEM password visible to anyone and everyone who can run the UNIX "ps"
> command. I looked at the scripts he was running, noticed that all he wanted
> SYS/SYSTEM for was to create PUBLIC SYNONYMs. I left to catch my plane...
>
> Hope this helps...
>
> -Tim
>
>
>
> on 8/17/03 6:09 PM, Babette Turner-Underwood at babette_at_rogers.com wrote:
>
> > Tim / Peter / Michael
> >
> > Thanks for the information. I was afraid of that.
> > We have a patching mechanism and need to logon as
> > sys to grant access to sys objects for part of
> > the process. (to grant select on sys.dba_free_space
> > and execute on sys.dbms_util).
> >
> > However, the patching mechanism only does a regular
> > connect and not "as sysdba"--- DARN! - Will have to
> > change automation scripts if we upgrade ... and I was
> > hoping this would be easy to slide in :-(
> >
> > - Babette
> >
> > -----Original Message-----
> > Tim Gorman
> > Sent: Sunday, August 17, 2003 1:09 AM
> > To: Multiple recipients of list ORACLE-L
> >
> >
> > It's a 9i thing, across all platforms.
> >
> >
> >
> > on 8/16/03 9:29 PM, Babette Turner-Underwood at babette_at_rogers.com wrote:
> >
> >>
> >> I have created my first 9i database on OS/390 v2.10.
> >>
> >> On my Oracle 8i instance, I can connect to the database
> >> using:
> >>
> >> sys/sys_password_at_the_instance
> >>
> >> HOWEVER, In Oracle 9i, I cannot do this. I am FORCED
> >>
> >> to connect using:
> >> sys/password_from_orapwd_at_the_instance as sysdba
> >>
> >> I was wondering if this was a new 9i "feature"
> >> or if it was configurable? Or just a weird thing
> >> because of the mainframe environment.
> >>
> >> Comments please.
> >>
> >> Thanks in Advance
> >> - Babette
>
> --
> Please see the official ORACLE-L FAQ: http://www.orafaq.net
> --
> Author: Tim Gorman
> INET: tim_at_sagelogix.com
>
> Fat City Network Services -- 858-538-5051 http://www.fatcity.com
> San Diego, California -- Mailing list and web hosting services
> ---------------------------------------------------------------------
> To REMOVE yourself from this mailing list, send an E-Mail message
> to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
> the message BODY, include a line containing: UNSUB ORACLE-L
> (or the name of mailing list you want to be removed from). You may
> also send the HELP command for other information (like subscribing).
>

-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: Arup Nanda
  INET: orarup_at_hotmail.com

Received on Mon Aug 18 2003 - 00:14:22 CDT
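
The alternatives listed in the quoted message, sketched as an added SQL example that is not from the thread or its authors. PATCH_ADMIN, APP_OWNER, PATCH_GRANT, the host name `patchhost01` and the patch window are hypothetical, and DBMS_UTILITY is assumed to be the package the thread writes as `sys.dbms_util`.

```sql
-- Added example. PATCH_ADMIN, APP_OWNER, PATCH_GRANT, 'patchhost01' and the
-- patch window are hypothetical. Run sections 1-3 once, connected AS SYSDBA.

-- 1. Creating PUBLIC SYNONYMs needs one system privilege, not the SYS password.
GRANT CREATE PUBLIC SYNONYM TO patch_admin;

-- 2. Focused approach: specific object privileges WITH GRANT OPTION.
--    (Assumption: DBMS_UTILITY is the package the thread calls "dbms_util".)
GRANT SELECT  ON sys.dba_free_space TO patch_admin WITH GRANT OPTION;
GRANT EXECUTE ON sys.dbms_utility   TO patch_admin WITH GRANT OPTION;
--    The patch job, on a regular (non-SYSDBA) connect as PATCH_ADMIN, can then run:
--      GRANT SELECT ON sys.dba_free_space TO app_owner;

-- 3. Encapsulated approach: a definer's-rights procedure owned by SYS that
--    performs only allowlisted grants, only in the window, only from one host.
CREATE OR REPLACE PROCEDURE sys.patch_grant (
  p_object  IN VARCHAR2,
  p_grantee IN VARCHAR2
) AUTHID DEFINER AS
  v_priv VARCHAR2(10);
  v_user dba_users.username%TYPE;
BEGIN
  -- "who can do what": fixed allowlist, nothing else is ever granted
  IF    UPPER(p_object) = 'DBA_FREE_SPACE' THEN v_priv := 'SELECT';
  ELSIF UPPER(p_object) = 'DBMS_UTILITY'   THEN v_priv := 'EXECUTE';
  ELSE  RAISE_APPLICATION_ERROR(-20001, 'object not on patch allowlist');
  END IF;
  -- grantee must be an existing account; the value concatenated below comes
  -- from the dictionary, not from the caller
  BEGIN
    SELECT username INTO v_user FROM dba_users WHERE username = UPPER(p_grantee);
  EXCEPTION WHEN NO_DATA_FOUND THEN
    RAISE_APPLICATION_ERROR(-20002, 'unknown grantee');
  END;
  -- "during what time": 01:00-04:59 server time
  IF TO_NUMBER(TO_CHAR(SYSDATE, 'HH24')) NOT BETWEEN 1 AND 4 THEN
    RAISE_APPLICATION_ERROR(-20003, 'outside patch window');
  END IF;
  -- "from where": NVL so a NULL host fails the check instead of slipping past
  IF NVL(SYS_CONTEXT('USERENV', 'HOST'), '-') <> 'patchhost01' THEN
    RAISE_APPLICATION_ERROR(-20004, 'not called from the patch host');
  END IF;
  EXECUTE IMMEDIATE 'GRANT ' || v_priv || ' ON sys.' || UPPER(p_object)
                    || ' TO "' || v_user || '"';
END;
/
GRANT EXECUTE ON sys.patch_grant TO patch_admin;
```

The USERENV HOST value is reported by the client, so treat that check as a guard rail rather than authentication. Separately, starting SQL*Plus with `/nolog` and issuing CONNECT inside the session keeps the password out of the `ps` listing described in the quoted message.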
