
Re: sysoper/dba ?

From: Sybrand Bakker <postbus_at_sybrandb.demon.nl>
Date: Tue, 13 Mar 2001 07:16:06 +0100
Message-ID: <tarelgol87fq25@beta-news.demon.nl>

"Doug O'Leary" <dkoleary_at_mediaone.net> wrote in message news:MPG.15174f43d09fa4ca989780_at_news.randori.com...
> Hey;
>
> Another posting in my ongoing effort to clarify the things that are still
> mystifying me about Oracle.
>
> I'm pretty sure I have the procedures for granting sysoper/sysdba
> privileges to certain accounts. I'm working with Oracle 8i (8.1.5) on
> Redhat Linux, so my assumptions are geared towards that environment.
>
> I'm hoping to verify/rectify my assumptions:
>
> 1. Under UNIX, in order to be able to switch on sysoper/sysdba roles,
> the user in question must be in the dba group or have the role assigned
> to him via the connect sys/${pwd} as sysdba route.
>
> 2. This role is not enabled by default but must be switched on via
> the connect as ${user}/${pwd} as sysdba|sysoper.
>
> 3. Presupposing the operating system doesn't support a group type
> functionality, Oracle supplies a utility, orapwd that will password
> protect sys and connect internal. Once protected, the dba can then grant
> the sysoper/sysdba roles as ref'ed above.
>
> So, how close are those assumptions? Any info greatly appreciated.
>
> One further question. As the UNIX admin, I've long known that I can
> start up/shut down Oracle databases by the following route:
>
> # su - oracle
> # svrmgrl << eof
> connect internal
> shutdown immediate
> exit
> eof
>
> To date, I haven't supported an environment where I could not do that.
> Can I use the orapwd utility to password protect that? I'm thinking that
> I can; however, I'm also betting that's going to mess up the automated
> oracle startup because it'll be asking for a password. I would think it
> could be put in the startup script, but root has access to those, so
> putting it in there kind of circumvents the reason for pwd protecting
> internal.
>
> Any info on that as well would be greatly appreciated.
>
> Thanks for your time.
>
> Doug O'Leary
>
> --
> -------------------
> Douglas K. O'Leary
> Senior System Admin
> dkoleary_at_mediaone.net

1 Anyone with a unix account in the dba group can use
    connect <anything>/<anything> as sysdba
or
    connect / as sysdba
This is local OS authentication.
Anyone *outside* the dba group needs
a) to use connect sys/<password in orapwd, by default oracle> as sysdba
b) or have their account set up as SYSDBA account. This is accomplished by
   1 setting remote_login_password_file to true in init<sid>.ora
   2 bouncing the database
   3 granting sysdba to that user.
That said you need specific accounts to that

Anyone in the dba group has sysdba privilege by design. Hence an install where this doesn't work is incorrect.
AFAIK, you can't disable this and you shouldn't disable this. If you are already logging in as a privileged user, you can create havoc anyway, even without that password.
So I would
- try to move away from using internal. It is obsolete and it has been removed in Oracle 9i. Use connect / as sysdba instead
- move away from using svrmgrl for the same reasons; use sqlplus /nolog instead
- not try to 'protect' internal with a password for the reasons above. Hardcoding a password in startup files is a big NONO.

Hth,

Sybrand Bakker, Oracle DBA

Received on Tue Mar 13 2001 - 00:16:06 CST
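
An added example, not part of the original post: a shell function that checks a startup or shutdown script for the three things the reply advises against (connect internal, svrmgrl, and a password hardcoded in a connect statement). The function name, the finding codes and the match patterns are assumptions of this example.

```shell
#!/bin/sh
# Usage: audit_oracle_script FILE
# Prints "FILE:LINE:CODE:text" for each finding; returns 1 if anything was
# found, 0 if the script is clean. Only connect statements are inspected.
audit_oracle_script() {
    awk -v file="$1" '
        function report(code) {
            printf "%s:%d:%s:%s\n", file, NR, code, $0
            found = 1
        }
        {
            line = tolower($0)
            # "connect internal" is obsolete and was removed in Oracle 9i.
            if (line ~ "(^|[^a-z_])conn(ect)?[ \t]+internal([^a-z_]|$)")
                report("CONNECT_INTERNAL")
            # svrmgrl: the reply recommends "sqlplus /nolog" instead.
            if (line ~ "(^|[^a-z_])svrmgrl([^a-z_]|$)")
                report("SVRMGRL")
            # connect user/password with a literal password in the file.
            # "connect / as sysdba" (OS authentication) has neither and is
            # not matched; a password starting with "$" is treated as a
            # shell variable reference, not a literal.
            if (line ~ "(^|[^a-z_])conn(ect)?[ \t]+[^ \t/@]+/[^ \t@$][^ \t@]*")
                report("LITERAL_PASSWORD")
        }
        END { exit found ? 1 : 0 }
    ' "$1"
}
```

A script that uses only sqlplus /nolog with connect / as sysdba produces no output and returns 0.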
