
Re: Oracle9i/AIX5.2: multiple sys (sysdba) passwords Question

From: Alvaro Fuentes <alvarof2_at_hotmail.com>
Date: Sun, 11 Jul 2004 16:19:40 -0500
Message-ID: <ccsag4$gh2$1@ausnews.austin.ibm.com>


David Fitzjarrell wrote:

> "Alvaro Fuentes" <alvarof2_at_hotmail.com> wrote in message news:ccs0ru$dh4$1_at_ausnews.austin.ibm.com...
>

>>Sybrand Bakker wrote:
>>
>>>On Sun, 11 Jul 2004 08:31:34 GMT, "A. Fuentes" <alvarof2_at_hotmail.com>
>>>wrote:
>>>
>>>
>>>
>>>>Fellow Oracle users:
>>>>
>>>>I am running Oracle 9.2.0.2 on AIX 5.2.
>>>>
>>>>I did
>>>>
>>>>rm $ORACLE_HOME/dbs/orapw
>>>>
>>>>Thereafter I did, as the oracle:dba AIX user:
>>>>
>>>>orapwd file=$ORACLE_HOME/dbs/orapw password=changed entries=30
>>>>
>>>>(the orapwd command executed OK, no error returned),
>>>>and I can authenticate not only by running:
>>>>
>>>>sqlplus sys/"changed as sysdba"
>>>>
>>>>but with some other passwords.
>>>>
>>>>How is this possible? (Shouldn't the password "changed" be unique and the
>>>>only one for sys (as sysdba)?
>>>>
>>>>Any light on this issue will be greatly appreciated.
>>>>
>>>>
>>>>Best,
>>>>
>>>>A. Fuentes
>>>>512-297-9937
>>>>
>>>>
>>>
>>>If you are on the server doing this and the Oracle files you installed
>>>are owned by the Unix group dba, yes: you can use anything to
>>>connect, by design. On Unix platforms all users in the dba group have
>>>SYSDBA privilege, by design.
>>>Right now, you have several options:
>>>- Make sure the Oracle password can't be guessed
>>>- Remove all other users from the dba group
>>>- If you still think there are people who will misuse the Oracle
>>>account, make sure they are fired.
>>>
>>>And of course, this is documented in the installation manual no one
>>>cares to read.
>>>
>>>
>>>--
>>>Sybrand Bakker, Senior Oracle DBA
>>
>>
>>But in this situation, it is NOT that several users in
>>the dba group can connect as sysdba. Oracle is the ONLY
>>user in the dba group and SYS is the ONLY user with SYSDBA
>>grant.
>>
>>This situation refers to SYS as SYSDBA being able to use
>>a password different than the one set by the command
>>orapwd.
>>
>>Again any light on this issue greatly appreciated.
>>
>>
>>A. Fuentes
>>512-297-9937
>>

>
>
> Sybrand has already explained this to you, however I shall do it
> again:
>
> The Oracle user on a UNIX/Linux system is a member of the dba group;
> ANY member of this group can connect to sys as sysdba with,
> apparently, ANY PASSWORD THEY CHOOSE. I state APPARENTLY as O/S
> authentication is being used to grant access as SYS AS SYSDBA. Try
> this as any other O/S user and you'll soon find out that there ARE NOT
> multiple passwords for SYS AS SYSDBA, only one, the one you've set.
> What you're seeing is probably this:
>
> $ su - oracle
> Password:
> $ sqlplus /nolog
> ....
>
> SQL> connect "sys/whatever_i_want_to_type_here as sysdba"
> Connected.
> SQL>
>
> Or:
>
> $ su - oracle
> Password:
> $ sqlplus /nolog
> ....
>
>
> SQL> connect sys as sysdba
> Password: i_type_anything_here_and_it_works
> Connected.
>
> This is documented, and intended, behaviour. As Oracle you should be
> connecting in this manner:
>
> $ su - oracle
> Password:
> $ sqlplus /nolog
> ....
>
>
> SQL> connect / as sysdba
> Connected.
> SQL>
>
> As the Oracle O/S user you are authenticated through the O/S since
> you're a member of the dba group, making a password unnecessary if you
> connect locally. THIS does NOT mean there is no password for SYS AS
> SYSDBA, or that there are multiple passwords for this privileged
> account. No account in an Oracle database may have any more than ONE
> password, and this includes SYS AS SYSDBA. Remote connections as SYS
> AS SYSDBA will require the CORRECT password unless you have a secure
> connection to the database server. There is only ONE correct password
> in such cases, as you'll find out when you attempt to connect from a
> machine other than the database server.
>
> You've had PLENTY of light shed on this "issue", which is NOT an issue
> at all. I would read the responses again, and, if these don't give
> you any clue I'd start reading the documentation, starting here:
>
> http://download-west.oracle.com/docs/cd/B10501_01/server.920/a96521/dba.htm#11049
>
> If the documentation doesn't shed the proper amount of light on this,
> possibly you need to seriously think about hiring a qualified Oracle
> DBA.
>
> David Fitzjarrell

I like to think of this as being a friendly forum where the Oracle newbie can ask NEWBIE questions, despite some harsh answers.

Hopefully that won't change because of the few

Received on Sun Jul 11 2004 - 16:19:40 CDT
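Added example, not part of the original thread: because a local member of the dba group is authenticated by the O/S as SYSDBA whatever password is typed, a useful audit is to list every account that is effectively in that group. The function names and sample accounts are constructed; it assumes the standard colon-separated /etc/group and /etc/passwd layout and that the OSDBA group is named dba as in the replies above.

```shell
#!/bin/sh
# List every OS account in the OSDBA group ("dba" in this thread): members
# named in the group file plus accounts whose primary GID is that group.
# Usage: osdba_members GROUP [GROUP_FILE] [PASSWD_FILE]
osdba_members() {
    grp=$1
    group_file=${2:-/etc/group}
    passwd_file=${3:-/etc/passwd}

    # Group file line: name:password:gid:member1,member2
    gid=$(awk -F: -v g="$grp" '$1 == g { print $3; exit }' "$group_file")
    [ -n "$gid" ] || return 1    # no such group

    {
        awk -F: -v g="$grp" '$1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "$group_file"
        # passwd line: name:password:uid:gid:...  (primary group in field 4)
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd_file"
    } | sort -u
}

# Constructed sample files (not real accounts) written into directory $1.
write_constructed_sample() {
    printf '%s\n' 'staff:!:1:' 'dba:!:204:oracle,backupop' > "$1/group"
    printf '%s\n' \
        'root:!:0:0::/:/bin/ksh' \
        'oracle:!:204:204::/home/oracle:/bin/ksh' \
        'batch:!:310:204::/home/batch:/bin/ksh' \
        'alice:!:311:1::/home/alice:/bin/ksh' > "$1/passwd"
}

demo_dir=$(mktemp -d)
write_constructed_sample "$demo_dir"
osdba_members dba "$demo_dir/group" "$demo_dir/passwd"
rm -rf "$demo_dir"
```

Called with only the group name, the function reads the system's own /etc/group and /etc/passwd; any account it prints besides the Oracle software owner can connect locally as SYSDBA without knowing the SYS password.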
