fitzjarrell_at_cox.net schrieb:
> EdStevens wrote:
>
>>Maxim Demenko wrote:
>>
>>>EdStevens schrieb:
>>>
>>>>Oracle 9.2.0.7.0 on Win2003
>>>>
>>>>Stumbled on to this, and don't have an explanation:
>>>>
>>>>Connected as SYSTEM, with the standard, out-of-the-box DBA role:
>>>>
>>>>system_at_NPSTDB.WORLD> select count(*) from sys.link$;
>>>>select count(*) from sys.link$
>>>> *
>>>>ERROR at line 1:
>>>>ORA-01031: insufficient privileges
>>>>
>>>>A little further hunting shows that there are only 2 of the sys.$
>>>>tables that this happens on ... SYS.LINK$ and SYS.USER_HISTORY$
>>>>
>>>>
>>>>???
>>>>
>>>
>>>Maybe issue of O7_dictionary_accessibility ? If set to FALSE, all tables
>>>owned by SYS must be granted explicitly ( select any table combined with
>>>select any dictionary are not sufficient ).
>>>
>>>Best regards
>>>
>>>Maxim
>>
>>Well, O7_dictionary_accessibility = false, but if that were the issue,
>>I shouldn't be able to get any of the sys.%$ tables, right?
>>
>>C:\>sqlplus system_at_npsp9
>>
>>SQL*Plus: Release 9.2.0.1.0 - Production on Fri Sep 2 13:01:52 2005
>>
>>Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
>>
>>Enter password:
>>
>>Connected to:
>>Oracle9i Release 9.2.0.7.0 - Production
>>JServer Release 9.2.0.7.0 - Production
>>
>>SQL>
>>SQL> show parameter O7
>>
>>NAME TYPE VALUE
>>------------------------------------ -----------
>>------------------------------
>>O7_DICTIONARY_ACCESSIBILITY boolean FALSE
>>
>>
>>SQL> select table_name
>> 2 from dba_tab_privs
>> 3 where owner='SYS'
>> 4 and grantee='SYSTEM'
>> 5 and table_name like '%$'
>> 6 /
>>
>>no rows selected
>>
>>SQL> select count(*) from sys.link$;
>>select count(*) from sys.link$
>> *
>>ERROR at line 1:
>>ORA-01031: insufficient privileges
>>
>>
>>SQL> select count(*) from sys.access$;
>>
>> COUNT(*)
>>----------
>> 10258
>>
>>There's no difference in ownership or object privileges between
>>sys.link$ and sys.access$. I'm sure I'm overlooking something, but
>>what?
>
>
> The fact that SYS.LINK$ and SYS.USER_HISTORY$ both contain plaintext
> passwords for the accounts. With a SYSDBA privileged account these
> values are visible; any non-SYSDBA account should not have access to
> such information, which may be a result of the Sarbanes-Oxley Act. Of
> course it is questinoable whether *anyone* should have access to
> plaintext account passwords, and I would have expected Oracle to
> maintain their policy of only storing hashed passwords in the data
> dictionary. Apparently they had a valid reason for having such views,
> but I cannot understand what that reason could be.
>
>
> David FItzjarrell
>
I was always sure, *all* sys owned tables must be granted to be accessed
(or too often connected as sysdba to verify it ;-) if
O7_dictionary_accessibility is set to false, so never had an idea to
verify it... Short test shows, indeed , only the 2 tables you mentioned
are concerned.
Thanks for pointing on that.
Best regards
Maxim
Received on Fri Sep 02 2005 - 15:31:18 CDT
