Oracle FAQ Your Portal to the Oracle Knowledge Grid

Home -> Community -> Usenet -> c.d.o.server -> Re: Big company, little error

Re: Big company, little error

From: Pete Finnigan <plsql_at_petefinnigan.com>
Date: Tue, 12 Oct 2004 22:54:06 +0100
Message-ID: <AyxMmgB+JFbBRx9q@peterfinnigan.demon.co.uk>


Hi,

I would say that this is not an error. The error you get is because the user unnx does not have the CREATE SESSION privilege. This means he cannot connect. This is what the error message says. This is unconnected to changing a user's password. The same example could be done as follows:

Connected to:
Personal Oracle9i Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production

SQL> connect sys/a_at_sans as sysdba
Connected.
SQL> create user unnx identified by unnx password expire;

User created.

SQL> alter user unnx identified by unnx2;

User altered.

SQL> connect unnx/unnx2
ERROR:
ORA-01045: user UNNX lacks CREATE SESSION privilege; logon denied

Warning: You are no longer connected to ORACLE.
SQL> connect sys/a_at_sans as sysdba
Connected.
SQL> grant create session to unnx;

Grant succeeded.

SQL> connect unnx/unnx2
Connected.
SQL>

Instead here the user SYS changes the user UNNX's password and then the user UNNX tries to connect (I realise this is concocted and the purpose of expiring the password is to make the user change it on his next connection) and receives the "LACK OF CREATE SESSION privilege" error. This shows that changing the password is unconnected to the lack of create session privilege.

BUT, you are right to make people aware of this; some may assume that the password change was rolled back (so to speak) when in fact it was not. But not a bug in the database.

kind regards

Pete

-- 
Pete Finnigan (email:pete_at_petefinnigan.com)
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Book:Oracle security step-by-step Guide - see http://store.sans.org for details.
Received on Tue Oct 12 2004 - 16:54:06 CDT
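
An added example, not part of the original post: a data dictionary query that reports, for each account, the two facts the session above shows to be independent, namely the account status and whether CREATE SESSION is held directly, through PUBLIC, or through nested role grants. It assumes a connection with SELECT access to DBA_USERS, DBA_SYS_PRIVS and DBA_ROLE_PRIVS; the names session_grantees and has_create_session are chosen for this illustration.

```sql
-- Added example: which accounts can actually log on, independent of
-- what has happened to their password?
WITH session_grantees AS (
  -- Direct grants of CREATE SESSION (to users, roles or PUBLIC)
  SELECT grantee
  FROM   dba_sys_privs
  WHERE  privilege = 'CREATE SESSION'
  UNION
  -- Any grantee that holds, directly or through nested roles,
  -- a role that carries CREATE SESSION
  SELECT rp.grantee
  FROM   dba_role_privs rp
  START WITH rp.granted_role IN (SELECT grantee
                                 FROM   dba_sys_privs
                                 WHERE  privilege = 'CREATE SESSION')
  CONNECT BY PRIOR rp.grantee = rp.granted_role
)
SELECT u.username,
       u.account_status,          -- e.g. OPEN, EXPIRED, LOCKED
       CASE
         WHEN EXISTS (SELECT 1
                      FROM   session_grantees g
                      WHERE  g.grantee IN (u.username, 'PUBLIC'))
         THEN 'YES'
         ELSE 'NO'
       END AS has_create_session  -- 'NO' means logon fails with ORA-01045
FROM   dba_users u
ORDER  BY u.username;
```

The query does not check DBA_ROLE_PRIVS.DEFAULT_ROLE, so a user whose only route to CREATE SESSION is a non-default role is reported as YES even though that role is not enabled at logon.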
