| Oracle FAQ | Your Portal to the Oracle Knowledge Grid | |
 |
 | |||
| Oracle FAQ | Your Portal to the Oracle Knowledge Grid | |
|
| |||
Home -> Community -> Usenet -> c.d.o.server -> Re: sysdba privileges and shutdown
On Sat, 08 Mar 2003 06:27:27 +1100, "Howard J. Rogers"
<howardjr2000_at_yahoo.com.au> wrote:
>
>> Just to set things straight, adding to the answer of Tanel
>>
>> remote_login_passwordfile = none (the default) only internal (/ as
>> sysdba) has sysdba privilege, SYS doesn't have sysdba privilege (this
>> has changed in 9i)
>
>Beg to differ. If remote_login_passwordfile is none, then you do not have
>a password file.
NOT true. You still can have a password file. Whether it is used or
not is a different matter. If you want to nit-pick then you'd better
prepeare yourself.
Therefore, you must be doing privileged user
>authentication using OS techniques. Therefore, anyone who is included in
>the dba group (or its Windows equivalent) can log on as a privileged user.
Did I say something else. Geeeeeeeeezzzzzzz
>And a show user when having done so will report you to be SYS. And that
>was true in 8.0, 8i and remains true in 9i.
>
>The only thing that has changed in 9i is that SYS can no longer log in as
>an *ordinary* user, but *only* as SYSDBA. And even that is not a permanent
>thing, but merely a consequence of o7_dictionary_accessibility defaulting
>now to FALSE. Set it back to TRUE, and even SYS can simply do a 'connect
>sys/password'.
>
>> remote_login_passwordfile = shared: internal and SYS have sysdba
>> privilege. This means *remote* connections on a client system could get
>> privilege when connecting as SYS as sysdba
>
>Not quite. R_L_P=shared means you are using password file authentication,
>but no real, human, users can be given the SYSDBA privilege and added into
>the password file. A 'grant sysdba to fred' will fail. But a 'connect
>sys/password as sysdba' will work. A connect / as sysdba might also work,
>since the mere existence of a password file does not suddenly switch off
>O/S authentication checks.
R_P_L=shared will allow you to connect sys as SYSDBA from ANYWHERE IN A NETWORK. R_P_L is none will allow SYSDBA on the server only. Please try to read before having me look like silly
>
>> remote_login_passwordfile=exclusive:
>> ANY user, provided explicitly granted, can have SYSDBA privilege
>>
>
>Regards
>HJR
Sybrand Bakker, Senior Oracle DBA
To reply remove -verwijderdit from my e-mail address Received on Fri Mar 07 2003 - 15:44:10 CST
 |
 |