
Re: Everyone can log on as sysdba on oracle 8i??????

From: Sybrand Bakker <postbus_at_sybrandb.demon.nl>
Date: Thu, 1 Aug 2002 22:52:34 +0200
Message-ID: <ukj9bo13lph629@corp.supernews.com>

"Niall Litchfield" <niall.litchfield_at_dial.pipex.com> wrote in message news:3d499362$0$231$cc9e4d1f_at_news.dial.pipex.com...
> "Sybrand Bakker" <postbus_at_sybrandb.demon.nl> wrote in message
> news:28tiku8sdsbfqr599s83j11bigj31q6ks5_at_4ax.com...
> > On Thu, 1 Aug 2002 11:07:10 +0100, "Niall Litchfield"
> > <n-litchfield_at_audit-commission.gov.uk> wrote:
> >
> > >You can change this behaviour by modifying the value of the init.ora
> > >parameter remote_login_passwordfile and bouncing the database if you
> > >wish.
> > >
> >
> > I don't think this is true, neither for Unix nor for NT. Changing
> > remote_login_passwordfile doesn't disable O/S authentication, it only
> > governs which users have SYSDBA privs. 'internal' *always* has SYSDBA
> > privs and whether you need a password for internal is not determined
> > by remote_login_passwordfile.
> >
>
> Um but didn't the OP say that he could connect all his Oracle users 'as
> sysdba' without granting them the sysdba privilege. I don't see how else he
> could do this.
>
> As always I may be wrong.
>
>
> --
> Niall Litchfield
> Oracle DBA
> Audit Commission UK
> *****************************************
> Please include version and platform
> and SQL where applicable
> It makes life easier and increases the
> likelihood of a good answer
> ******************************************
>
>

O/S SYSDBA authentication is not enabled by the value of remote_login_passwordfile. It also takes precedence over database authenticated access. As he has O/S authentication enabled (by virtue of the O/S user being in the DBA group, or the NT account being in the ora_dba group), and he is on that server, he can enter anything. What you mean is explicitly named users authenticated from the passwordfile, which can connect from *anywhere* using the correct username/password combo. You can switch that off by setting remote_login_passwordfile, fair enough. But once the potential intruder made it to that box, and O/S authentication IS enabled, he can enter anything as connect / as sysdba will already do. His concern is, as far as I understand the post, that *on the server* anyone can connect. This is one of the reasons why one should keep servers in rooms with access systems.

Regards

--
Sybrand Bakker
Senior Oracle DBA

to reply remove '-verwijderdit' from my e-mail address
Received on Thu Aug 01 2002 - 15:52:34 CDT
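
The reply above ties O/S SYSDBA access to membership of the DBA group, so an audit of that access starts with who is in the group. The script below is an added example, not part of the original post: it lists every account in the group, including accounts that have it as their primary group and so do not appear in the group's member list. The group name `dba`, the function names and the sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list every local account that is in the OSDBA group and can
# therefore "connect / as sysdba" on the server without a database password.
# Assumption: the OSDBA group is named "dba"; check the name used at install time.

# osdba_members GROUP GROUP_FILE PASSWD_FILE
# Prints one account name per line, sorted and de-duplicated.
osdba_members() {
    grp=$1; group_file=$2; passwd_file=$3
    # group(5) format: name:password:gid:member1,member2,...
    gid=$(awk -F: -v g="$grp" '$1 == g { print $3; exit }' "$group_file")
    [ -n "$gid" ] || return 1      # group does not exist
    {
        # Supplementary members listed in the group entry.
        awk -F: -v g="$grp" '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$group_file"
        # Accounts whose primary GID is the group; the 4th field omits these.
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd_file"
    } | sort -u
}

# Constructed sample data (not from a real host).
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/group" <<'EOF'
root:x:0:
dba:x:501:alice,batch
users:x:100:bob
EOF
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
oracle:x:500:501:Oracle owner:/home/oracle:/bin/sh
alice:x:1001:100:Alice:/home/alice:/bin/sh
bob:x:1002:100:Bob:/home/bob:/bin/sh
batch:x:1003:100:Batch jobs:/home/batch:/bin/sh
EOF
    osdba_members dba "$tmp/group" "$tmp/passwd"
    rm -rf "$tmp"
}

demo
```

On a real host, save the output of `getent group` and `getent passwd` to files and pass those, so that accounts from a directory service are included as well as local ones.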
