
RE: Locking the SYS account.

From: <oracle-l-bounce_at_freelists.org>
Date: Thu, 4 Jan 2007 09:12:50 -0500
Message-ID: <ABB9D76E187C5146AB5683F5A07336FFE089C5@EXCNYSM0A1AJ.nysemail.nyenet>


Tom,

My point was that if we were allowed to lock the sys account and it was truly locked - i.e. we were not allowed to connect to it like other accounts when they were locked - it would be a bad thing.

As it is now, Oracle allowing the account to be locked and then ignored when we connect "as sysdba" to me is a contradiction in terms. Why even report that the account is "locked"? We can't connect to sys unless we connect "as sysdba" anyway.

To me, locked is locked. Can't connect to it.

So Denham's quest to lock the sys account for auditors' purposes (I forget why he really needed to do it) is a fool's errand. A DBA (or someone in the DBA group) can always connect to the database.

A better solution would be to audit all connections to track who is connecting.

Tom

-----Original Message-----

From: Terrian, Tom (Contractor) (J6D) [mailto:Tom.Terrian.ctr_at_dla.mil]
Sent: Thursday, January 04, 2007 9:00 AM
To: Terrian, Tom (Contractor) (J6D); Mercadante, Thomas F (LABOR); rgoulet_at_kanbay.com; oracle-l_at_freelists.org
Subject: RE: Locking the SYS account.

Thomas, are you on Windows?

-----Original Message-----

From: Terrian, Tom (Contractor) (J6D)
Sent: Wednesday, January 03, 2007 4:41 PM
To: 'Mercadante, Thomas F (LABOR)'; rgoulet_at_kanbay.com; oracle-l_at_freelists.org
Subject: RE: Locking the SYS account.

Perhaps this is a difference between UNIX and Windows? I am on HP-UX and there is no problem with locking and expiring SYS. I can still do a sqlplus /nolog and connect / as sysdba.......no problems. I assume you are on Windows and therefore locking and expiring SYS creates a problem for you?

-----Original Message-----

From: Mercadante, Thomas F (LABOR) [mailto:Thomas.Mercadante_at_labor.state.ny.us]
Sent: Wednesday, January 03, 2007 10:57 AM
To: Terrian, Tom (Contractor) (J6D); rgoulet_at_kanbay.com; oracle-l_at_freelists.org
Subject: RE: Locking the SYS account.

It would be bad if it was truly locked and we were not able to connect to do things like shut it down. Or recover it from a crash. Or any of the other dozen things you can only do while connected as SYS.

Duh!

-----Original Message-----

From: Terrian, Tom (Contractor) (J6D) [mailto:Tom.Terrian.ctr_at_dla.mil]
Sent: Wednesday, January 03, 2007 10:31 AM
To: Mercadante, Thomas F (LABOR); rgoulet_at_kanbay.com; oracle-l_at_freelists.org
Subject: RE: Locking the SYS account.

Ok, I will bite, how is this a bad thing? We have locked and expired the SYS account on all of our databases for years now. How is this bad?

-----Original Message-----

From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Mercadante, Thomas F (LABOR)
Sent: Wednesday, January 03, 2007 10:12 AM
To: rgoulet_at_kanbay.com; oracle-l_at_freelists.org
Subject: RE: Locking the SYS account.

For good reason I think. Being able to lock the SYS account would be a very bad thing.




-----Original Message-----

From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Richard J. Goulet
Sent: Wednesday, January 03, 2007 10:02 AM
To: oracle-l_at_freelists.org
Subject: RE: Locking the SYS account.  

If one does the RTFM thing one will find that SYS is immune to any and all restrictions by default. Therefore things like restricting idle time via a profile don't work, nor does locking the account or expiring the password. Granted it's buried & not easy to find, but it's been that way for a very LONG time.  

Dick Goulet, Senior Oracle DBA
45 Bartlett St Marlborough, Ma 01752, USA Tel.: 508.573.1978 |Fax: 508.229.2019 | Cell:508.742.5795 RGoulet_at_kanbay.com
-----Original Message-----

From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Andrey Kriushin
Sent: Wednesday, January 03, 2007 7:12 AM
To: DEVA_at_mf.co.za
Cc: oracle-l_at_freelists.org
Subject: Re: Locking the SYS account.

Denham Eva wrote:
> What if any are the implications of locking the SYS account?

Kicking your client out of the business perhaps?

--Andrey

--

http://www.freelists.org/webpage/oracle-l

Received on Thu Jan 04 2007 - 08:12:50 CST
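
An added example, not part of the original thread or written by any of its participants: a SQL*Plus session that inspects the locked SYS account discussed above and sets up the connection auditing suggested in the top message. It assumes traditional (pre-unified) Oracle auditing, an instance started from an SPFILE, and a session with DBA privileges.

```sql
-- Added example (not from the thread). Assumes traditional auditing and an SPFILE.

-- 1. Lock and expire SYS, as some posters in the thread say they have done.
ALTER USER sys ACCOUNT LOCK PASSWORD EXPIRE;

-- 2. The dictionary reports the change (ACCOUNT_STATUS reads 'EXPIRED & LOCKED').
--    Per the thread, an OS-authenticated "connect / as sysdba" on HP-UX is
--    unaffected by this status, so it is not an access control for DBAs.
SELECT username, account_status, lock_date, expiry_date
  FROM dba_users
 WHERE username = 'SYS';

-- 3. List who holds SYSDBA/SYSOPER through the password file. Members of the
--    OS DBA group are not listed here; review that group on the host itself.
SELECT username, sysdba, sysoper
  FROM v$pwfile_users;

-- 4. Check the current audit configuration.
SHOW PARAMETER audit_trail
SHOW PARAMETER audit_sys_operations
SHOW PARAMETER audit_file_dest

-- 5. Record top-level statements issued by SYSDBA/SYSOPER sessions in the
--    OS audit trail (files under audit_file_dest on UNIX, the Event Log on
--    Windows). Connections AS SYSDBA are written there even without this
--    parameter. Both parameters are static: restart the instance afterwards.
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;
ALTER SYSTEM SET audit_trail = DB SCOPE = SPFILE;

-- 6. After the restart, audit every logon and logoff of ordinary accounts.
AUDIT SESSION;

-- 7. Review who connected, from where, and whether the logon succeeded
--    (RETURNCODE 0 = success; 28000 = account locked; 1017 = bad password).
SELECT os_username, username, userhost, terminal,
       timestamp, action_name, returncode
  FROM dba_audit_session
 ORDER BY timestamp DESC;
```

Because SYSDBA sessions are audited to the operating system rather than to the database audit table, the files under `audit_file_dest` should be owned and collected by someone other than the DBAs being audited.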
