
Re: Oracle equivalent to unix 'su - username'... connecting as someone else

From: Thomas Kyte <tkyte_at_us.oracle.com>
Date: 1998/09/04
Message-ID: <3615e389.173051615@192.86.155.100>#1/1

A copy of this was sent to joelga_at_pebble.org (Joel Garry) (if that email address didn't require changing)

On Thu, 03 Sep 1998 22:15:40 GMT, you wrote:

>
> Yes, but on unix you can't connect as user oracle identified by
> X4I0FKpJGZaNw.

but neither can you connect in Oracle using "X4I0FKpJGZaNw". You *must* know the password. The example I posted (read the encrypted passwd out, save it, alter the USER giving them a known passwd, and then reset them back using the encrypted password) does not use the encrypted password to login with.

This is analogous to a 'root' capable user (a dba in oracle speak) doing the following:

> su does require a password if you are not root. The security for Oracle

su in Oracle requires a password of the original user if you are not a DBA (or don't have the "alter any user"/"select on dba_users" privs). su is called CONNECT in Oracle and it requires a password in all cases.

"SU" in Oracle requires "alter any user" and "select on dba_users" -- DBA privileges and a DBA is in effect 'root' in Oracle for all intents and purposes.

I myself don't see the difference (between Unix passwords and Oracle passwords wrt this discussion). If you equate DBA with ROOT (or at least the alter any user and select on dba_users privs) -- it's the same. Without a privileged user (root user) you cannot do this magic.

If you don't have these privileges in Oracle, then just like in Unix, you must supply the password -- you cannot use the encrypted password to connect.

> just gets shifted to OS protecting files the password (or its digest) is in,
> and the way most people work they eventually miss this (like in full exports).

but having the encrypted password buys you nothing unless you have the alter user privilege.

> Not that I'm complaining, this has allowed me to hack, er, heroically fix
> a number of situations I've walked into cold. The problem is just most
> people expect "typical" password security, and as you've pointed
> out, it's not.

i think it *is* tho.

> A semantics problem based on the history of passwording, I'd say.
> Oracles way is more like sudo minus the accountability (which is the point
> of sudo).

disagree -- you have AUDITING if you want accountability, you have privileges to protect yourself (much finer privilege set than Unix actually)

Thomas Kyte
tkyte_at_us.oracle.com
Oracle Government
Herndon VA

--
http://govt.us.oracle.com/    -- downloadable utilities
 
----------------------------------------------------------------------------
Opinions are mine and do not necessarily reflect those of Oracle Corporation
 
Anti-Anti Spam Msg: if you want an answer emailed to you, 
you have to make it easy to get email to you.  Any bounced
email will be treated the same way i treat SPAM-- I delete it.
Received on Fri Sep 04 1998 - 00:00:00 CDT
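
The accountability point made in the post, as an added example that is not part of the original message: a sketch that scans audit records for the sequence described there (a privileged user changes another user's password, a logon as that user follows, and the same privileged user changes the password again). The record layout, user names and 15-minute window are assumptions, and the sample rows are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample audit records (not from the original post):
# (timestamp, acting user, action, target user or None).
SAMPLE_AUDIT = [
    ("1998-09-03 09:00:00", "SCOTT", "LOGON", None),
    ("1998-09-03 10:00:00", "DBA1", "ALTER USER", "SCOTT"),
    ("1998-09-03 10:00:30", "SCOTT", "LOGON", None),
    ("1998-09-03 10:04:10", "DBA1", "ALTER USER", "SCOTT"),
    ("1998-09-03 11:00:00", "DBA2", "ALTER USER", "ADAMS"),   # plain reset only
    ("1998-09-03 12:00:00", "JONES", "ALTER USER", "JONES"),  # own password
    ("1998-09-03 12:01:00", "JONES", "LOGON", None),
    ("1998-09-03 12:02:00", "JONES", "ALTER USER", "JONES"),
]


def find_password_swaps(records, window=timedelta(minutes=15)):
    """Return (actor, target, changed, logon, restored) for each
    ALTER USER -> LOGON as target -> ALTER USER sequence inside `window`."""
    events = sorted(
        ((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, action, target)
         for ts, user, action, target in records),
        key=lambda e: e[0],
    )
    findings = []
    for i, (t0, actor, action, target) in enumerate(events):
        # Only a change made to someone else's account can start the pattern.
        if action != "ALTER USER" or target in (None, actor):
            continue
        logon = None
        for t1, user, act, tgt in events[i + 1:]:
            if t1 - t0 > window:
                break
            if act == "LOGON" and user == target and logon is None:
                logon = t1
            elif act == "ALTER USER" and user == actor and tgt == target:
                # Second change by the same actor: a swap only if a logon
                # as the target happened in between.
                if logon is not None:
                    findings.append((actor, target, t0, logon, t1))
                break
    return findings


if __name__ == "__main__":
    for actor, target, changed, logon, restored in find_password_swaps(SAMPLE_AUDIT):
        print(f"{actor} changed {target} at {changed}, logon as {target} "
              f"at {logon}, changed again at {restored}")
```
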
