
Re: sysdba privileges and shutdown

From: Howard J. Rogers <howardjr2000_at_yahoo.com.au>
Date: Sat, 08 Mar 2003 06:20:29 +1100
Message-Id: <pan.2003.03.07.19.20.29.443296@yahoo.com.au>


On Fri, 07 Mar 2003 17:10:07 +0000, Niall Litchfield wrote:

> "Rachel Wilson" <wilsonr_at_logica.com> wrote in message
> news:936259dc.0303070841.2cf8a6cf_at_posting.google.com...

>> I am also wondering why the unix group of dba is allowed sysdba rights
>> as a matter of course - is this not a bit of a security risk?

>
> I'll let others answer the rest of this but here's my tuppence on the above.
>
> 1. the dba group is only allowed sysdba rights if remote_login_password_file
> is not set to exclusive (IIRC). If it is set to exclusive you'd need to
> supply a password file. and

The dba group is *never* allowed the SYSDBA system privilege. Only (a) grant sysdba to X; or (b) the setting up of a dba group (ORA_DBA, optionally with a SID in there) does that.

You can only do (a) if remote_login_passwordfile is set to exclusive.

But Oracle always checks (b) just in case.

Hence you can have remote_login_passwordfile set to exclusive, shared or none, be a member of the dba group, and still get authenticated appropriately for the SYSDBA privilege.

Regards
HJR
> 2. You only allow DBAs into the DBA os group surely. If your DBAs are a
> security risk you have real problems.
>
>
> --
> Niall Litchfield
> Oracle DBA
> Audit Commission UK
Received on Fri Mar 07 2003 - 13:20:29 CST
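
An added example, not part of the original thread: because OS-group membership is honoured whatever remote_login_passwordfile is set to, an audit of who can obtain SYSDBA has to enumerate that group's members, including accounts that hold it only as their primary group. The group name `dba`, the function names and the sample accounts below are constructed assumptions.

```shell
#!/bin/sh
# Enumerate accounts in an OS group via supplementary membership (group
# file, field 4) or primary GID (passwd file, field 4).
# Usage: osdba_members GROUP_FILE PASSWD_FILE [GROUP_NAME]
osdba_members() {
    group_name=${3:-dba}   # assumption: the OSDBA group is named "dba"
    awk -F: -v g="$group_name" '
        # First operand: group database. Record GID and listed members.
        FILENAME == ARGV[1] {
            if ($1 == g) {
                gid = $3; found = 1
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
            }
            next
        }
        # Second operand: passwd database. Add primary-GID members.
        found && $4 == gid { print $1 }
    ' "$1" "$2" | sort -u
}

# Constructed sample data (not from a real host).
osdba_demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/group" <<'EOF'
root:x:0:
oinstall:x:54321:oracle
dba:x:54322:oracle,alice
backup:x:34:bob
EOF
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
oracle:x:54321:54321::/home/oracle:/bin/sh
alice:x:1001:1001::/home/alice:/bin/sh
carol:x:1002:54322::/home/carol:/bin/sh
bob:x:1003:34::/home/bob:/bin/sh
EOF
    osdba_members "$tmp/group" "$tmp/passwd" dba
    rm -rf "$tmp"
}

osdba_demo
```

On a live host the two inputs can be the saved output of `getent group` and `getent passwd`, which also covers directory-backed accounts. Password-file grants are a separate list, visible in `V$PWFILE_USERS`.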
