Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: Oracle9i/AIX5.2: multiple sys (sysdba) passwords Question

From: David Fitzjarrell <fitzjarrell_at_cox.net>
Date: 11 Jul 2004 13:01:53 -0700
Message-ID: <9711ade0.0407111201.3ad4d048@posting.google.com>


"Alvaro Fuentes" <alvarof2_at_hotmail.com> wrote in message news:ccs0ru$dh4$1_at_ausnews.austin.ibm.com...
>
> Sybrand Bakker wrote:
> > On Sun, 11 Jul 2004 08:31:34 GMT, "A. Fuentes" <alvarof2_at_hotmail.com>
> > wrote:
> >
> >
> >>Fellow Oracle users:
> >>
> >>I am running Oracle 9.2.0.2 on AIX 5.2.
> >>
> >>I did
> >>
> >>rm $ORACLE_HOME/dbs/orapw
> >>
> >>Thereafter I did, as the oracle:dba AIX user:
> >>
> >>orapwd file=$ORACLE_HOME/dbs/orapw password=changed entries=30
> >>
> >>(the orapwd command executed OK, no error returned),
> >>and I can authenticate not only by running:
> >>
> >>sqlplus sys/"changed as sysdba"
> >>
> >>but with some other passwords.
> >>
> >>How is this possible? (Shouldn't the password "changed" be unique and the
> >>only one for sys (as sysdba)?
> >>
> >>Any light on this issue will be greatly appreciated.
> >>
> >>
> >>Best,
> >>
> >>A. Fuentes
> >>512-297-9937
> >>
> >>
> >
> > If you are on the server doing this and you installed the Oracle files
> > are owned by the Unix group dba, yes: you can use anything to
> > connect, by design. On Unix platforms all users in the dba group have
> > SYSDBA privilege, by design.
> > Right now, you have several options:
> > - Make sure the Oracle password can't be guessed
> > - Remove all other users from the dba group
> > - If you still think there are people who will misuse the Oracle
> > account, make sure they are fired.
> >
> > And of course, this is documented in the installation manual no one
> > cares to read.
> >
> >
> > --
> > Sybrand Bakker, Senior Oracle DBA
>
>
> But in this situation, it is NOT that several users in
> the dba group can connect as sysdba. Oracle is the ONLY
> user in the dba group and SYS is the ONLY user with SYSDBA
> grant.
>
> This situation refers to SYS as SYSDBA being able to use
> other password different than the one set by the command
> orapwd.
>
> Again any light on this issue greatly appreciated.
>
>
> A. Fuentes
> 512-297-9937
>

Sybrand has already explained this to you; however, I shall do it again:

The Oracle user on a UNIX/Linux system is a member of the dba group; ANY member of this group can connect to sys as sysdba with, apparently, ANY PASSWORD THEY CHOOSE. I state APPARENTLY as O/S authentication is being used to grant access as SYS AS SYSDBA. Try this as any other O/S user and you'll soon find out that there ARE NOT multiple passwords for SYS AS SYSDBA, only one, the one you've set. What you're seeing is probably this:

$ su - oracle
Password:
$ sqlplus /nolog
....

SQL> connect "sys/whatever_i_want_to_type_here as sysdba"
Connected.
SQL>

Or:

$ su - oracle
Password:
$ sqlplus /nolog
....

SQL> connect sys as sysdba
Password: i_type_anything_here_and_it_works
Connected.

This is documented, and intended, behaviour. As Oracle you should be connecting in this manner:

$ su - oracle
Password:
$ sqlplus /nolog
....

SQL> connect / as sysdba
Connected.
SQL>

As the Oracle O/S user you are authenticated through the O/S since you're a member of the dba group, making a password unnecessary if you connect locally. THIS does NOT mean there is no password for SYS AS SYSDBA, or that there are multiple passwords for this privileged account. No account in an Oracle database may have any more than ONE password, and this includes SYS AS SYSDBA. Remote connections as SYS AS SYSDBA will require the CORRECT password unless you have a secure connection to the database server. There is only ONE correct password in such cases, as you'll find out when you attempt to connect from a machine other than the database server.

You've had PLENTY of light shed on this "issue", which is NOT an issue at all. I would read the responses again, and, if these don't give you any clue I'd start reading the documentation, starting here:

http://download-west.oracle.com/docs/cd/B10501_01/server.920/a96521/dba.htm#11049

If the documentation doesn't shed the proper amount of light on this, possibly you need to seriously think about hiring a qualified Oracle DBA.

David Fitzjarrell

Received on Sun Jul 11 2004 - 15:01:53 CDT
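
An added example, not part of the original post or of any Oracle tooling: since the thread's point is that every member of the OS dba group is authenticated as SYSDBA locally whatever password is typed, this sketch lists who that actually is, counting accounts that have dba as their primary group as well as those in the group's member list. The function names, the sample accounts (backupsvc, jsmith) and the file contents are constructed for illustration; the colon-separated layout of the group and passwd files is assumed.

```sh
#!/bin/sh
# List every account in a group: supplementary members from the group file
# plus accounts whose primary GID (passwd field 4) is that group's GID.
# Usage: osdba_members GROUP GROUP_FILE PASSWD_FILE
osdba_members() {
    awk -F: -v grp="$1" '
        FNR == NR {                      # first file: group database
            if ($1 == grp) {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
            }
            next
        }
        gid != "" && $4 == gid { print $1 }   # second file: passwd database
    ' "$2" "$3" | sort -u
}

# Print members other than the expected software owner; status 1 if any exist.
# Usage: unexpected_osdba_members OWNER GROUP GROUP_FILE PASSWD_FILE
unexpected_osdba_members() {
    owner=$1; shift
    extra=$(osdba_members "$@" | grep -vxF "$owner" || true)
    if [ -z "$extra" ]; then return 0; fi
    printf '%s\n' "$extra"
    return 1
}

# Constructed sample data: jsmith is absent from the dba member list but has
# dba (GID 201) as primary group, so the group file alone would miss it.
write_sample_files() {
    cat > "$1/group" <<'EOF'
staff:x:1:
oinstall:x:200:oracle
dba:x:201:oracle,backupsvc
EOF
    cat > "$1/passwd" <<'EOF'
oracle:x:500:200::/home/oracle:/bin/sh
backupsvc:x:501:1::/home/backupsvc:/bin/sh
jsmith:x:502:201::/home/jsmith:/bin/sh
EOF
}

demo=$(mktemp -d)
write_sample_files "$demo"
echo "Accounts that can 'connect / as sysdba' locally:"
osdba_members dba "$demo/group" "$demo/passwd"
unexpected_osdba_members oracle dba "$demo/group" "$demo/passwd" >/dev/null ||
    echo "WARNING: dba group has members besides oracle"
rm -rf "$demo"
```

On a host with local accounts the call would be `osdba_members dba /etc/group /etc/passwd`; accounts served from a directory service do not appear in those files.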
