Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: 9.2.0.1.0 sys login question

From: Sybrand Bakker <gooiditweg_at_sybrandb.demon.nl>
Date: Tue, 22 Jul 2003 19:50:21 +0200
Message-ID: <l7uqhv86qam3p3t27lekvb08uiuc1ct79i@4ax.com>


On 22 Jul 2003 09:15:17 -0700, rickraster_at_hotmail.com (RR) wrote:

>From the server (linux) commandline, I sparked up sqlplus, and typed
>in sys at the username prompt. I typo'd the login slightly by entering
>"as sysdba" as the sys password, and not the actual sys password, and
>hit enter. This logged me in as the sys user.
>
>My question then is this: is this normal behaviour?
>It's the first time I've noticed this, so my only assumption is that
>this is a product of OS authentication or something. Rather alarming
>if this happens to others as well.
>I tried the same process from a remote sqlplus session, but couldn't
>get in. SSH'ing into that server, and using sqlplus, also allowed me
>in (which makes sense given the way ssh works).
>
>Anyone able to shed any light on this?
>
>Cheers,
>
>Rick

To add to Tanel's reply.

This is a WAD (Working As Designed). The philosophy about it is, once you have managed to hack the server, Oracle won't be safe for you anyway. Distrust stops somewhere.
Also with the default settings you won't be able to do it remotely, where *remotely* means 'not on the database server'.

Sybrand Bakker, Senior Oracle DBA

To reply remove -verwijderdit from my e-mail address

Received on Tue Jul 22 2003 - 12:50:21 CDT
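Added example, not part of the original post: since a local SYSDBA login is granted through OS authentication rather than the SYS password, the accounts to review are the members of the host's OSDBA group. The script below lists them from group and passwd files; the group name `dba`, the function names and the sample data are assumptions made for illustration.

```shell
#!/bin/sh
# List OS accounts in the OSDBA group, i.e. accounts that can connect
# "as sysdba" on the database host whatever password is typed.
# Usage: osdba_members GROUP_FILE PASSWD_FILE [GROUP_NAME]
osdba_members() {
    group_file=$1; passwd_file=$2
    group_name=${3:-dba}          # assumption: OSDBA group is named "dba"

    # GID of the group; fail if the group does not exist.
    gid=$(awk -F: -v g="$group_name" '$1 == g { print $3; exit }' "$group_file")
    [ -n "$gid" ] || return 1

    {
        # Supplementary members: comma-separated 4th field of the group entry.
        awk -F: -v g="$group_name" '$1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "$group_file"
        # Primary members: passwd entries whose GID matches. These do not
        # appear in the group file and are easy to miss in a review.
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd_file"
    } | sort -u
}

# Constructed sample data (not taken from a real host).
sample_group() {
    printf '%s\n' 'root:x:0:' 'oinstall:x:501:oracle' \
                  'dba:x:502:oracle,rick' 'users:x:100:'
}
sample_passwd() {
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
                  'oracle:x:500:501:Oracle owner:/home/oracle:/bin/bash' \
                  'rick:x:1000:100:Rick:/home/rick:/bin/bash' \
                  'backup:x:1001:502:Backup job:/home/backup:/bin/sh'
}

# Run the check against the constructed sample files.
osdba_demo() {
    tmp=$(mktemp -d) || return 1
    sample_group > "$tmp/group"
    sample_passwd > "$tmp/passwd"
    osdba_members "$tmp/group" "$tmp/passwd" dba
    rm -rf "$tmp"
}

osdba_demo
```

On a real database server the inputs would be `/etc/group` and `/etc/passwd`, with the group name replaced by whatever OSDBA group was chosen at install time.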
