Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Usenet -> c.d.o.server -> Re: something magic about SYS.LINK$ ?

Re: something magic about SYS.LINK$ ?

From: <fitzjarrell_at_cox.net>
Date: 2 Sep 2005 12:01:05 -0700
Message-ID: <1125687665.449388.111820@g43g2000cwa.googlegroups.com> 






EdStevens wrote:


> Maxim Demenko wrote:

> > EdStevens schrieb:

> > > Oracle 9.2.0.7.0 on Win2003

> > >

> > > Stumbled on to this, and don't have an explanation:

> > >

> > > Connected as SYSTEM, with the standard, out-of-the-box DBA role:

> > >

> > > system_at_NPSTDB.WORLD> select count(*) from sys.link$;

> > > select count(*) from sys.link$

> > >                          *

> > > ERROR at line 1:

> > > ORA-01031: insufficient privileges

> > >

> > > A little further hunting shows that there are only 2 of the sys.$

> > > tables that this happens on ... SYS.LINK$ and SYS.USER_HISTORY$

> > >

> > >

> > > ???

> > >

> >

> > Maybe issue of O7_dictionary_accessibility ? If set to FALSE, all tables

> > owned by SYS must be granted explicitly ( select any table combined with

> > select any dictionary are not sufficient ).

> >

> > Best regards

> >

> > Maxim

>

> Well, O7_dictionary_accessibility = false, but if that were the issue,

> I shouldn't be able to get any of the sys.%$ tables, right?

>

> C:\>sqlplus system_at_npsp9

>

> SQL*Plus: Release 9.2.0.1.0 - Production on Fri Sep 2 13:01:52 2005

>

> Copyright (c) 1982, 2002, Oracle Corporation.  All rights reserved.

>

> Enter password:

>

> Connected to:

> Oracle9i Release 9.2.0.7.0 - Production

> JServer Release 9.2.0.7.0 - Production

>

> SQL>


> SQL>  show parameter O7

>

> NAME                                 TYPE        VALUE


> ------------------------------------ -----------

> ------------------------------

> O7_DICTIONARY_ACCESSIBILITY          boolean     FALSE

>

>

> SQL> select table_name

>   2  from dba_tab_privs

>   3  where owner='SYS'

>   4  and grantee='SYSTEM'

>   5  and table_name like '%$'

>   6  /

>

> no rows selected

>

> SQL> select count(*) from sys.link$;

> select count(*) from sys.link$

>                          *

> ERROR at line 1:

> ORA-01031: insufficient privileges

>

>

> SQL> select count(*) from sys.access$;

>

>   COUNT(*)


> ----------

>      10258

>

> There's no difference in ownership or object privileges between

> sys.link$ and sys.access$.  I'm sure I'm overlooking something, but

> what?




The fact that SYS.LINK$ and SYS.USER_HISTORY$ both contain plaintext
passwords for the accounts.  With a SYSDBA privileged account these
values are visible; any non-SYSDBA account should not have access to
such information, which may be a result of the Sarbanes-Oxley Act.  Of
course it is questinoable whether *anyone* should have access to
plaintext account passwords, and I would have expected Oracle to
maintain their policy of only storing hashed passwords in the data
dictionary.  Apparently they had a valid reason for having such views,
but I cannot understand what that reason could be.




David FItzjarrell
Received on Fri Sep 02 2005 - 14:01:05 CDT












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US