
Re: Oracle9i/AIX5.2: multiple sys (sysdba) passwords Question

From: David Fitzjarrell <fitzjarrell_at_cox.net>
Date: 11 Jul 2004 17:52:44 -0700
Message-ID: <9711ade0.0407111652.6a86343b@posting.google.com>


"Alvaro Fuentes" <alvarof2_at_hotmail.com> wrote in message news:ccsag4$gh2$1_at_ausnews.austin.ibm.com...
> David Fitzjarrell wrote:
>
> > "Alvaro Fuentes" <alvarof2_at_hotmail.com> wrote in message news:ccs0ru$dh4$1_at_ausnews.austin.ibm.com...
> >
> >>Sybrand Bakker wrote:
> >>
> >>>On Sun, 11 Jul 2004 08:31:34 GMT, "A. Fuentes" <alvarof2_at_hotmail.com>
> >>>wrote:
> >>>
> >>>
> >>>
> >>>>Fellow Oracle users:
> >>>>
> >>>>I am running Oracle 9.2.0.2 on AIX 5.2.
> >>>>
> >>>>I did
> >>>>
> >>>>rm $ORACLE_HOME/dbs/orapw
> >>>>
> >>>>Thereafter I did, as the oracle:dba AIX user:
> >>>>
> >>>>orapwd file=$ORACLE_HOME/dbs/orapw password=changed entries=30
> >>>>
> >>>>(the orapwd command executed OK, no error returned),
> >>>>and I can authenticate not only by running:
> >>>>
> >>>>sqlplus sys/"changed as sysdba"
> >>>>
> >>>>but with some other passwords.
> >>>>
> >>>>How is this possible? (Shouldn't the password "changed" be unique and the
> >>>>only one for sys (as sysdba)?
> >>>>
> >>>>Any light on this issue will be greatly appreciated.
> >>>>
> >>>>
> >>>>Best,
> >>>>
> >>>>A. Fuentes
> >>>>512-297-9937
> >>>>
> >>>>
> >>>
> >>>If you are on the server doing this and you installed the Oracle files
> >>>are owned by the Unix group dba, yes: you can use anything to
> >>>connect, by design. On Unix platforms all users in the dba group have
> >>>SYSDBA privilege, by design.
> >>>Right now, you have several options:
> >>>- Make sure the Oracle password can't be guessed
> >>>- Remove all other users from the dba group
> >>>- If you still think there are people who will misuse the Oracle
> >>>account, make sure they are fired.
> >>>
> >>>And of course, this is documented in the installation manual no one
> >>>cares to read.
> >>>
> >>>
> >>>--
> >>>Sybrand Bakker, Senior Oracle DBA
> >>
> >>
> >>But in this situation, it is NOT that several users in
> >>the dba group can connect as sysdba. Oracle is the ONLY
> >>user in the dba group and SYS is the ONLY user with SYSDBA
> >>grant.
> >>
> >>This situation refers to SYS as SYSDBA being able to use
> >>another password different than the one set by the command
> >>orapwd.
> >>
> >>Again any light on this issue greatly appreciated.
> >>
> >>
> >>A. Fuentes
> >>512-297-9937
> >>
> >
> >
> > Sybrand has already explained this to you, however I shall do it
> > again:
> >
> > The Oracle user on a UNIX/Linux system is a member of the dba group;
> > ANY member of this group can connect to sys as sysdba with,
> > apparently, ANY PASSWORD THEY CHOOSE. I state APPARENTLY as O/S
> > authentication is being used to grant access as SYS AS SYSDBA. Try
> > this as any other O/S user and you'll soon find out that there ARE NOT
> > multiple passwords for SYS AS SYSDBA, only one, the one you've set.
> > What you're seeing is probably this:
> >
> > $ su - oracle
> > Password:
> > $ sqlplus /nolog
> > ....
> >
> > SQL> connect "sys/whatever_i_want_to_type_here as sysdba"
> > Connected.
> > SQL>
> >
> > Or:
> >
> > $ su - oracle
> > Password:
> > $ sqlplus /nolog
> > ....
> >
> >
> > SQL> connect sys as sysdba
> > Password: i_type_anything_here_and_it_works
> > Connected.
> >
> > This is documented, and intended, behaviour. As Oracle you should be
> > connecting in this manner:
> >
> > $ su - oracle
> > Password:
> > $ sqlplus /nolog
> > ....
> >
> >
> > SQL> connect / as sysdba
> > Connected.
> > SQL>
> >
> > As the Oracle O/S user you are authenticated through the O/S since
> > you're a member of the dba group, making a password unnecessary if you
> > connect locally. THIS does NOT mean there is no password for SYS AS
> > SYSDBA, or that there are multiple passwords for this privileged
> > account. No account in an Oracle database may have any more than ONE
> > password, and this includes SYS AS SYSDBA. Remote connections as SYS
> > AS SYSDBA will require the CORRECT password unless you have a secure
> > connection to the database server. There is only ONE correct password
> > in such cases, as you'll find out when you attempt to connect from a
> > machine other than the database server.
> >
> > You've had PLENTY of light shed on this "issue", which is NOT an issue
> > at all. I would read the responses again, and, if these don't give
> > you any clue I'd start reading the documentation, starting here:
> >
> > http://download-west.oracle.com/docs/cd/B10501_01/server.920/a96521/dba.htm#11049
> >
> > If the documentation doesn't shed the proper amount of light on this,
> > possibly you need to seriously think about hiring a qualified Oracle
> > DBA.
> >
> > David Fitzjarrell
>
>
> I like to think of this as being a friendly forum
> where the Oracle newbie can ask NEWBIE questions,
> despite some harsh answers.
>
> Hopefully that won't change because of the few
>
>
>
>

It is one thing to not understand a response, and ask for clarification. It is entirely another to essentially say "this is not the answer to my question, let me post it again to allow someone who UNDERSTANDS my situation to respond." This is what you did to Sybrand Bakker and his response, which was, and is still, correct. Rest assured we all understood your "issue". Sybrand posted first, and gave you the information you needed. You thought otherwise, and so I responded, in terms you received as less than sweet, to further explain your problem. Now you chastise me for your misunderstanding and your repeated post asking again for that which you had already received.

Next time you do not understand a response it would be much better of you to ask for a better explanation, rather than post the same question again hoping for a different response. Your situation was not dire, except to you, and this was explained to you by Sybrand Bakker. My further explanation apparently hit the mark, and, as such, also gave you the information you requested. That you took it as rude is your perception, as my demeanor when I posted it was not of anger, but of annoyance, annoyance that you did not understand the original answer and expected something different the next time you asked.

This road goes both ways.

David Fitzjarrell

Received on Sun Jul 11 2004 - 19:52:44 CDT
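
The thread's point, that any OS account in the dba group is authenticated as SYSDBA on a local connection whatever password is typed, makes membership of that group the thing to audit. The script below is an added example, not part of the original posts: it assumes the group is named dba as in the thread, and its function names and sample accounts are constructed for illustration. It also reports accounts whose primary group is dba, which do not appear in the group entry's member list.

```shell
#!/bin/sh
# Added example (not from the thread): enumerate OS accounts in the OSDBA group.
# Assumption: the group is named "dba", as in the thread.

# osdba_members GROUP GROUP_FILE PASSWD_FILE
# Prints every account in GROUP, one per line, sorted and de-duplicated.
osdba_members() {
    grp=$1 group_file=$2 passwd_file=$3
    gid=$(awk -F: -v g="$grp" '$1 == g { print $3; exit }' "$group_file")
    [ -n "$gid" ] || return 1          # group not defined in GROUP_FILE
    {
        # Supplementary members: comma-separated fourth field of the group entry.
        awk -F: -v g="$grp" '$1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "$group_file"
        # Primary members: passwd entries whose GID field matches the group's GID.
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd_file"
    } | sort -u
}

# osdba_unexpected GROUP GROUP_FILE PASSWD_FILE ALLOWED...
# Prints members of GROUP that are not named in the ALLOWED list.
osdba_unexpected() {
    grp=$1 group_file=$2 passwd_file=$3
    shift 3
    allowed=" $* "
    osdba_members "$grp" "$group_file" "$passwd_file" | while read -r user; do
        case "$allowed" in
            *" $user "*) ;;                    # expected account
            *) printf '%s\n' "$user" ;;        # effectively SYSDBA, not approved
        esac
    done
}

# Constructed sample files (not real accounts): "backup" is a supplementary
# member; "jsmith" has dba as primary group and is absent from the group entry.
sample_dir=$(mktemp -d)
printf '%s\n' 'staff:!:1:' 'dba:!:204:oracle,backup' > "$sample_dir/group"
printf '%s\n' 'oracle:!:204:204::/home/oracle:/usr/bin/ksh' \
              'backup:!:210:1::/home/backup:/usr/bin/ksh' \
              'jsmith:!:211:204::/home/jsmith:/usr/bin/ksh' > "$sample_dir/passwd"

# Only "oracle" is approved here, so both other accounts are reported.
osdba_unexpected dba "$sample_dir/group" "$sample_dir/passwd" oracle
```

On a real host, pass /etc/group and /etc/passwd as the two files. Accounts supplied by LDAP or NIS are not in those files and need a separate check.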
