Re: connecting automatically as sys

From: Daniel Morgan <damorgan_at_x.washington.edu>
Date: Sun, 25 Jul 2004 09:43:35 -0700
Message-ID: <1090773843.65969@yasure>

Hans Forbrich wrote:

> Joe wrote:
>
>

>>On 07/20/2004 11:25 PM, Hans Forbrich said:
>>
>>>...
>>>5) I can think of no valid reason, at least effective Oracle8i, to
>>>attempt
>>>ANY coding against SYS.  Playing at that level is roughly equivalent to
>>>coding against the kernel data structures of a proprietary (closed
>>>source) OS.
>>
>>Does a password_verify_function still have to be owned by SYS?   If
>>so, I wish oracle would change that.
>>

>
>
> Password_verify_function needs to be owned by SYS, even in 9iR2.
>
> I must say I'm quite surprised that the latest Oracle8i and Oracle9i
> security capabilities do not meet your needs (see the Security Overview
> docco at http://otn.oracle.com/pls/db92/db92.docindex?remark=homepage), but
> nevertheless ...
>
> I stand corrected and ack that there are reasons for writing a function
> against SYS.
>
> I hope you take the time to look at the changes in the security model. You
> might be able to save some headache related to the Oracle9i "no svrmgl"
> situation.
>
> However for now, you would use SYSDBA-password authentication (check for
> OSDBA, OSOPER and ORAPWD in the docco). Locally, from the OS userid that
> created/owns the database, you could use
>
> SQLPLUS "/ AS SYSDBA"
>
> and remotely, or from a local non-owning OS userid, you would use
>
> SQLPLUS /NOLOG
> and return "SYS/{passwd} AS SYSDBA" (no quotes) to the first prompt.
>
> HTH
> /Hans
> (Thanks for following through and explaining at least part - probably a
> benefit to a number of others as well.)

A second justification might be with some uses for DDL and DATABASE level triggers. Though I would tend to avoid it if possible (the reasons for using SYS being political not technical).

-- 
Daniel A. Morgan
University of Washington
damorgan_at_x.washington.edu
(replace 'x' with 'u' to respond)

Received on Sun Jul 25 2004 - 11:43:35 CDT