
Re: RE: Re: Stop using SYS, SYSTEM?

From: Nuno Pinto do Souto <nsouto_at_optusnet.com.au>
Date: Wed, 12 Nov 2003 21:49:25 -0800
Message-ID: <F001.005D675B.20031112214925@fatcity.com>


> Jacques Kilchoer <Jacques.Kilchoer_at_quest.com> wrote:
> In my case I also enforce the "don't sign on as SYS/SYSTEM" rule. The
> reasons I do that:
> - The default tablespace for SYS is SYSTEM, and I don't like to
> change that. There are probably reasons why you wouldn't want to
> change that. But when I sign on to do my DBA work to try something I
> don't want to have to specify a tablespace name every time I create a
> test object like CREATE TABLE TEST (X NUMBER) STORAGE (INITIAL 1000M)

It has nothing to do with the dba role itself and its security. Oracle just happens to associate user SYS with the SYSTEM tablespace. Fair enough that you may not want that association by default.

> - If each DBA has a named account, it's easy to tell who's logged in
> to the database by saying
> SELECT USERNAME FROM V$SESSION ;
> otherwise I would have to figure out who could be logged on as SYSTEM
> to call them and ask them if it's OK to shutdown the database.

That is a pure audit requirement: you want to know who is using DBA access. Nothing to do with SYSTEM. If you remove SYS and SYSTEM, there is nothing in USERNAME in V$SESSION that will tell you username BLOGGSJ is using DBA rights. Other than your own prior knowledge that is the case. In a way, you're worse off.

> Telling all the DBAs "sign on as SYSTEM" would be (IMHO) like telling
> all the programmers "You can all sign on as user 'coder'" and all
> users "you can all sign on in the database as user
> 'data_entry_person'".

Don't they always? <G>

Quite frankly, the problem as I see it is that I want to know WHO "dropped the tablespace" and WHEN and from WHERE. That whoever did it had DBA access rights is a given, I don't need it clarified!

It's the who, when and where that is the province of auditing. And they have nothing to do with SYS, SYSTEM or whatever, other than as information. Using or not using SYS or SYSTEM adds nothing to this knowledge or its implicit security.

And that's why I feel disabling SYS or SYSTEM purely on "security" grounds makes no sense whatsoever. Of course, one may want to reduce the risk of accidents and therefore lock those out. Even then, it's debatable if that is the best way of doing it: accidentally "dropping the tablespace" produces the same chaotic results regardless of what account one does it from.

Cheers
Nuno Souto
nsouto_at_wizofoz2k.com.au
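The who/when/where question raised in the message above is answered by Oracle's audit trail, not by which account name appears in V$SESSION.USERNAME. The SQL below is an added example and not part of the original posting or of anyone's quoted setup; it uses the traditional (pre-12c unified) audit facility and assumes AUDIT_TRAIL=DB,EXTENDED, which is a static parameter and needs a restart. Account and tablespace names it mentions are illustrative.

```sql
-- Added example (not from the original posting): Oracle traditional auditing
-- so that a DROP TABLESPACE can be traced to a person, a time and a host,
-- whether it was issued as SYS, SYSTEM or a named DBA account.
-- Assumes AUDIT_TRAIL=DB,EXTENDED (9i or later) and a restart after step 1.
-- BLOGGSJ below is an illustrative DBA account name.

-- 1. Write audit records to SYS.AUD$ with the full SQL text (static, restart needed).
ALTER SYSTEM SET audit_trail = 'DB,EXTENDED' SCOPE = SPFILE;
-- Statements run AS SYSDBA / AS SYSOPER are never written to AUD$. Send them
-- to the OS audit file instead, or "who dropped it as SYS" has no answer.
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;
-- SHUTDOWN IMMEDIATE; STARTUP;

-- 2. Audit the statements a DBA can do real damage with, one record per use.
AUDIT TABLESPACE BY ACCESS;          -- CREATE / ALTER / DROP TABLESPACE
AUDIT DROP ANY TABLE BY ACCESS;      -- privilege-based: drops of other schemas' tables
AUDIT SYSTEM GRANT BY ACCESS;        -- who handed DBA-level power to whom
AUDIT SESSION;                       -- logon/logoff with OS user and host per session

-- 3. After the incident: who, when, from where, and the exact statement.
--    RETURNCODE 0 means the statement succeeded; anything else failed.
SELECT timestamp, username, os_username, userhost, terminal,
       action_name, priv_used, obj_name, returncode, sql_text
  FROM dba_audit_trail
 WHERE action_name IN ('DROP TABLESPACE', 'ALTER TABLESPACE')
   AND timestamp > SYSDATE - 7
 ORDER BY timestamp DESC;

-- 4. Before a shutdown: which connected sessions hold DBA-level rights right now?
--    USERNAME alone says nothing; joining to the privilege views does.
SELECT s.sid, s.serial#, s.username, s.osuser, s.machine, s.program, s.logon_time,
       CASE
         WHEN r.grantee  IS NOT NULL THEN 'DBA role'
         WHEN p.username IS NOT NULL THEN 'password-file SYSDBA/SYSOPER'
         ELSE 'direct DROP TABLESPACE privilege'
       END AS why_it_matters
  FROM v$session s
  LEFT JOIN dba_role_privs r ON r.grantee  = s.username AND r.granted_role = 'DBA'
  LEFT JOIN v$pwfile_users p ON p.username = s.username
  LEFT JOIN dba_sys_privs  d ON d.grantee  = s.username AND d.privilege = 'DROP TABLESPACE'
 WHERE s.type = 'USER'
   AND (r.grantee IS NOT NULL OR p.username IS NOT NULL OR d.grantee IS NOT NULL);
```

Two caveats a practitioner should keep in mind. The session query in step 4 only sees the DBA role when it is granted directly; a role granted through another role needs a recursive walk of DBA_ROLE_PRIVS. And the audit trail only helps if each DBA connects with their own account: if everyone logs in as SYSTEM, USERNAME in DBA_AUDIT_TRAIL is SYSTEM for all of them and OS_USERNAME and USERHOST are the only remaining clues, which is exactly the audit argument for named accounts. On 12c and later the same goal is reached with CREATE AUDIT POLICY and UNIFIED_AUDIT_TRAIL rather than the statements above.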

Received on Wed Nov 12 2003 - 23:49:25 CST

