Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Usenet -> c.d.o.server -> Re: something magic about SYS.LINK$ ?

Re: something magic about SYS.LINK$ ?

From: EdStevens <quetico_man_at_yahoo.com>
Date: 2 Sep 2005 14:14:19 -0700
Message-ID: <1125695659.357608.260170@f14g2000cwb.googlegroups.com> 






fitzjarrell_at_cox.net wrote:


> EdStevens wrote:

> > Maxim Demenko wrote:

> > > EdStevens schrieb:

> > > > Oracle 9.2.0.7.0 on Win2003

> > > >

> > > > Stumbled on to this, and don't have an explanation:

> > > >

> > > > Connected as SYSTEM, with the standard, out-of-the-box DBA role:

> > > >

> > > > system_at_NPSTDB.WORLD> select count(*) from sys.link$;

> > > > select count(*) from sys.link$

> > > >                          *

> > > > ERROR at line 1:

> > > > ORA-01031: insufficient privileges

> > > >

> > > > A little further hunting shows that there are only 2 of the sys.$

> > > > tables that this happens on ... SYS.LINK$ and SYS.USER_HISTORY$

> > > >

> > > >

> > > > ???

> > > >

> > >

> > > Maybe issue of O7_dictionary_accessibility ? If set to FALSE, all tables

> > > owned by SYS must be granted explicitly ( select any table combined with

> > > select any dictionary are not sufficient ).

> > >

> > > Best regards

> > >

> > > Maxim

> >

> > Well, O7_dictionary_accessibility = false, but if that were the issue,

> > I shouldn't be able to get any of the sys.%$ tables, right?

> >

> > C:\>sqlplus system_at_npsp9

> >

> > SQL*Plus: Release 9.2.0.1.0 - Production on Fri Sep 2 13:01:52 2005

> >

> > Copyright (c) 1982, 2002, Oracle Corporation.  All rights reserved.

> >

> > Enter password:

> >

> > Connected to:

> > Oracle9i Release 9.2.0.7.0 - Production

> > JServer Release 9.2.0.7.0 - Production

> >

> > SQL>


> > SQL>  show parameter O7

> >

> > NAME                                 TYPE        VALUE


> > ------------------------------------ -----------

> > ------------------------------

> > O7_DICTIONARY_ACCESSIBILITY          boolean     FALSE

> >

> >

> > SQL> select table_name

> >   2  from dba_tab_privs

> >   3  where owner='SYS'

> >   4  and grantee='SYSTEM'

> >   5  and table_name like '%$'

> >   6  /

> >

> > no rows selected

> >

> > SQL> select count(*) from sys.link$;

> > select count(*) from sys.link$

> >                          *

> > ERROR at line 1:

> > ORA-01031: insufficient privileges

> >

> >

> > SQL> select count(*) from sys.access$;

> >

> >   COUNT(*)


> > ----------

> >      10258

> >

> > There's no difference in ownership or object privileges between

> > sys.link$ and sys.access$.  I'm sure I'm overlooking something, but

> > what?


>




> The fact that SYS.LINK$ and SYS.USER_HISTORY$ both contain plaintext

> passwords for the accounts.  With a SYSDBA privileged account these

> values are visible; any non-SYSDBA account should not have access to

> such information, which may be a result of the Sarbanes-Oxley Act.  Of

> course it is questinoable whether *anyone* should have access to

> plaintext account passwords, and I would have expected Oracle to

> maintain their policy of only storing hashed passwords in the data

> dictionary.  Apparently they had a valid reason for having such views,

> but I cannot understand what that reason could be.


>
>




> David FItzjarrell




Ah, "I see", said the blind man.   So they do.  Am I right to assume
that this restriction is hard-coded into the product, much like the
recognition of 'as sysdba' on login?  I would think if it were
implemented as a grantable right, it could easily be overridden.
Received on Fri Sep 02 2005 - 16:14:19 CDT












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US