
Home -> Community -> Usenet -> c.d.o.server -> Re: What is exactly the INTERNAL login? How to protect it?

Re: What is exactly the INTERNAL login? How to protect it?

From: Vsevolod Afanasjev <afanasjev_at_cse.unsw.edu.au>
Date: 1997/10/02
Message-ID: <34338616.1597@cse.unsw.edu.au>#1/1

This is a very interesting question.
To the best of my knowledge, the answer is:

  1. INTERNAL is a special (built-in and unremovable, similar to root in UNIX) user in Oracle, which does not have its own schema. Every time you connect as INTERNAL, you go into the SYS schema (as you can determine by SELECT user FROM dual;)
  2. INTERNAL is not a "special option" of the CONNECT command in SQL*DBA (or Server Manager) as I initially thought, because you can connect as INTERNAL from SQL*Plus (although I've found some funny things, like I can connect by specifying CONNECT INTERNAL/password, but I cannot connect if I specify the password later, when Oracle asks for it.)
  3. In systems where the password file is used, INTERNAL and SYS cannot be removed from the password file and their SYSDBA/SYSOPER privileges cannot be revoked.
  4. Some confusion comes from the fact that you should not (and, probably, must not) specify AS SYSDBA when connecting as INTERNAL. When you want to connect as SYS, you have two options:
       CONNECT SYS/CHANGE_ON_INSTALL -> normal connection
       CONNECT SYS/oracle AS SYSDBA -> connection with highest possible privileges (incl. STARTUP, SHUTDOWN, CREATE DATABASE).
  5. Finally, it is worth mentioning that the Oracle Adm. Guide (probably, since 7.3) says that INTERNAL is supported for backward compatibility only. I definitely know that it is possible to issue STARTUP and SHUTDOWN as SYS with SYSDBA, although I never tried to create a database as SYS.

Restrict access: some OS (in particular, Win95) have an environment variable (accessible via REGEDIT) with a value equal to the password for INTERNAL/SYS AS SYSDBA (this value is "oracle" on a default installation). Remove this value and it will become impossible to start the instance without specifying the password. To change the password, create a new password file.

E-mail me if you have more questions.

Seva

Pedro Pimentel Figueiredo wrote:
>
> How do you restrict the INTERNAL login? Is it a user or a special type
> of login?
>
> Thank you.
>
> Pedro Pimentel
>
> PS: please reply also by e-mail to ppf_at_geocities.com
Received on Thu Oct 02 1997 - 00:00:00 CDT
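
An added example, not part of the original post: a Python check that scans a REGEDIT text export for string values under the Oracle registry subtree whose data is one of the default passwords named in the post ("oracle", CHANGE_ON_INSTALL). The subtree path, the value name EXAMPLE_PASSWORD_VALUE and the sample export are assumptions constructed for illustration; the post does not name the registry value.

```python
import re

# Default passwords named in the post; add site-specific ones as needed.
# Compared case-insensitively, as Oracle 7 passwords are not case-sensitive.
DEFAULT_PASSWORDS = {"oracle", "change_on_install"}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')


def unescape(text):
    """Undo REGEDIT escaping of backslash and double quote in quoted strings."""
    return re.sub(r"\\(.)", r"\1", text)


def find_default_passwords(reg_text, subtree=r"\SOFTWARE\ORACLE"):
    """Return (key, value_name) pairs for string values at or below `subtree`
    (an assumed location) whose data equals a known default password."""
    findings = []
    key = None
    wanted = subtree.lower() + "\\"
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m is None or key is None:
            continue  # header, blank line, or non-string value (dword:, hex:)
        if wanted not in key.lower() + "\\":
            continue  # outside the Oracle subtree
        if unescape(m.group("data")).lower() in DEFAULT_PASSWORDS:
            findings.append((key, unescape(m.group("name"))))
    return findings


# Constructed sample export; EXAMPLE_PASSWORD_VALUE is a hypothetical name.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\ORACLE]
"ORACLE_HOME"="C:\\ORAWIN95"
"EXAMPLE_PASSWORD_VALUE"="oracle"

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor]
"Label"="oracle"
'''

if __name__ == "__main__":
    for key, name in find_default_passwords(SAMPLE_EXPORT):
        print(f"default password stored in [{key}] value {name!r}")
```

Any finding is a value to remove, followed by creating a new password file with a non-default password, as the post describes.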
