
Re: Oracle equivalent to unix 'su - username'... connecting as someone else

From: Joel Garry <joelga_at_pebble.org>
Date: 1998/09/03
Message-ID: <slrn6uu595.25k.joelga@pebble.org>#1/1

On Wed, 02 Sep 1998 13:55:51 GMT, Thomas Kyte <tkyte_at_us.oracle.com> wrote:
>A copy of this was sent to jared_at_pandora.planet.net (Jared Hecker)
>(if that email address didn't require changing)
>On 1 Sep 1998 19:04:19 GMT, you wrote:
>
>>One would want to connect as a non-dba to do things like grant object
>>privileges on objects the non-dba owns to others.
>>
>>
>>landmass_at_iname.com wrote:
>>: Easiest way, is to look at the dba_users table, which holds an encrypted
>>: version of the password. If you do a "select username, password from
>>: dba_users where username = '????';", and then save this to a file - DO NOT
>>: DELETE IT. You can then use the 'alter user xxxx identified by yyyy;'
>>: statement to change the user's password to something that you know.... When
>>: you have finished, you can change it back to its previous value: alter user
>>: xxxxx identified by values '<paste password string from file here>';
>>
>>Really?? Must try this, I didn't know this was a consistent cypher.
>>Rather defeats the purpose of encrypting the password, though.
>>
>
>why does it defeat the purpose of DIGESTING (not encrypting) the password?
>
>the password is *not* encrypted -- it's a one-way digest.
>
>If the user SCOTT uses the password TIGER -- it will hash to the same string of
>characters consistently on all platforms (so we can move a password for a user
>from one system to another without having to know the password).
>
>If the user BOB uses the password TIGER -- it will hash to ANOTHER string but
>consistently to that other string for BOB on all platforms.
>
>Check out your /etc/shadow or /etc/passwd file on unix sometime -- you can move
>it from machine to machine (given the same OS and hardware architecture) and
>have the passwords move with you -- it works the same way. I copy unix
>passwords for people from machine to machine this way all of the time. The
>passwords are one way digests, very safe. Just because you have the digest
>doesn't mean you have the password.

Yes, but on unix you can't connect as user oracle identified by X4I0FKpJGZaNw. su does require a password if you are not root. The security for Oracle just gets shifted to OS protecting files the password (or its digest) is in, and the way most people work they eventually miss this (like in full exports). Not that I'm complaining, this has allowed me to hack, er, heroically fix a number of situations I've walked into cold. The problem is just most people expect "typical" password security, and as you've pointed out, it's not. A semantics problem based on the history of passwording, I'd say. Oracle's way is more like sudo minus the accountability (which is the point of sudo).

>
>>Regards,
>>jh
>
>
>Thomas Kyte
>tkyte_at_us.oracle.com
>Oracle Government
>Herndon VA
>
>--
>http://govt.us.oracle.com/ -- downloadable utilities
>
>----------------------------------------------------------------------------
>Opinions are mine and do not necessarily reflect those of Oracle Corporation
>
>Anti-Anti Spam Msg: if you want an answer emailed to you,
>you have to make it easy to get email to you. Any bounced
>email will be treated the same way I treat SPAM-- I delete it.

jg

-- 
These opinions are my own and not necessarily those of Information Quest or 
Pebble In The Sky http://www.informationquest.com mailto:jgarry@nospameiq.com
http://ourworld.compuserve.com/homepages/joel_garry   Remove nospam to reply.  
mailto:joel_garry_at_compuserve.nospam.com  "See your DBA?"  I AM the @#%*& DBA! 
Received on Thu Sep 03 1998 - 00:00:00 CDT
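
The digest behaviour debated in this thread, as an added example that is not part of the original posts: a toy user table showing that a per-user digest is portable between systems, that holding the digest is not the same as holding the password, and that whoever can write the digest column can swap a password and put the old one back. SHA-256 is a stand-in (not Oracle's algorithm), and `UserTable`, `digest` and `demo` are hypothetical names.

```python
import hashlib
import hmac


def digest(username: str, password: str) -> str:
    """Stand-in one-way digest keyed on the username (NOT Oracle's algorithm)."""
    return hashlib.sha256(f"{username}:{password}".encode()).hexdigest()[:16].upper()


class UserTable:
    """Toy model of a user table that stores digests only, never passwords."""

    def __init__(self):
        self.rows = {}  # username -> stored digest

    def identified_by(self, user, password):
        # models: alter user <user> identified by <password>
        self.rows[user] = digest(user, password)

    def identified_by_values(self, user, stored):
        # models: alter user <user> identified by values '<digest>'
        self.rows[user] = stored

    def connect(self, user, password):
        # a login always hashes what was typed, so typing the digest fails
        return hmac.compare_digest(self.rows.get(user, ""), digest(user, password))


def demo():
    db, out = UserTable(), {}
    db.identified_by("SCOTT", "TIGER")  # constructed sample accounts
    db.identified_by("BOB", "TIGER")
    out["same_password_differs_per_user"] = db.rows["SCOTT"] != db.rows["BOB"]

    other = UserTable()  # second system: the digest moves, the password is never seen
    other.identified_by_values("SCOTT", db.rows["SCOTT"])
    out["digest_is_portable"] = other.connect("SCOTT", "TIGER")
    out["digest_is_not_the_password"] = not db.connect("SCOTT", db.rows["SCOTT"])

    saved = db.rows["SCOTT"]  # save, swap, use, restore
    db.identified_by("SCOTT", "TEMP_PW")
    out["temporary_password_works"] = db.connect("SCOTT", "TEMP_PW")
    db.identified_by_values("SCOTT", saved)
    out["original_restored"] = (db.connect("SCOTT", "TIGER")
                                and not db.connect("SCOTT", "TEMP_PW"))
    return out


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The swap leaves no trace in the table itself, which is why read access to the digest column (including copies in full exports) and the right to alter users need the same protection and auditing as the passwords.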
