Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: something magic about SYS.LINK$ ?

From: <fitzjarrell_at_cox.net>
Date: 2 Sep 2005 14:30:13 -0700
Message-ID: <1125696613.455860.19270@f14g2000cwb.googlegroups.com>

Terry Dykstra wrote:
> I could have sworn that in 8.0 the password in link$ showed encrypted. I
> don't have access to Metalink doc id Note 202987.1 which discusses this in
> more detail.
> BTW, user_history$ shows encrypted password.
>
>
> --
> Terry Dykstra
> Canadian Forest Oil Ltd.
>
>
> <fitzjarrell_at_cox.net> wrote in message
> news:1125687665.449388.111820_at_g43g2000cwa.googlegroups.com...
> >
> > EdStevens wrote:
> > > Maxim Demenko wrote:
> > > > EdStevens schrieb:
> > > > > Oracle 9.2.0.7.0 on Win2003
> > > > >
> > > > > Stumbled on to this, and don't have an explanation:
> > > > >
> > > > > Connected as SYSTEM, with the standard, out-of-the-box DBA role:
> > > > >
> > > > > system@NPSTDB.WORLD> select count(*) from sys.link$;
> > > > > select count(*) from sys.link$
> > > > > *
> > > > > ERROR at line 1:
> > > > > ORA-01031: insufficient privileges
> > > > >
> > > > > A little further hunting shows that there are only 2 of the sys.$
> > > > > tables that this happens on ... SYS.LINK$ and SYS.USER_HISTORY$
> > > > >
> > > > >
> > > > > ???
> > > > >
> > > >
> > > > Maybe issue of O7_dictionary_accessibility ? If set to FALSE, all tables
> > > > owned by SYS must be granted explicitly ( select any table combined with
> > > > select any dictionary are not sufficient ).
> > > >
> > > > Best regards
> > > >
> > > > Maxim
> > >
> > > Well, O7_dictionary_accessibility = false, but if that were the issue,
> > > I shouldn't be able to get any of the sys.%$ tables, right?
> > >
> > > C:\>sqlplus system@npsp9
> > >
> > > SQL*Plus: Release 9.2.0.1.0 - Production on Fri Sep 2 13:01:52 2005
> > >
> > > Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
> > >
> > > Enter password:
> > >
> > > Connected to:
> > > Oracle9i Release 9.2.0.7.0 - Production
> > > JServer Release 9.2.0.7.0 - Production
> > >
> > > SQL>
> > > SQL> show parameter O7
> > >
> > > NAME                                 TYPE        VALUE
> > > ------------------------------------ ----------- ------------------------------
> > > O7_DICTIONARY_ACCESSIBILITY          boolean     FALSE
> > >
> > >
> > > SQL> select table_name
> > > 2 from dba_tab_privs
> > > 3 where owner='SYS'
> > > 4 and grantee='SYSTEM'
> > > 5 and table_name like '%$'
> > > 6 /
> > >
> > > no rows selected
> > >
> > > SQL> select count(*) from sys.link$;
> > > select count(*) from sys.link$
> > > *
> > > ERROR at line 1:
> > > ORA-01031: insufficient privileges
> > >
> > >
> > > SQL> select count(*) from sys.access$;
> > >
> > > COUNT(*)
> > > ----------
> > > 10258
> > >
> > > There's no difference in ownership or object privileges between
> > > sys.link$ and sys.access$. I'm sure I'm overlooking something, but
> > > what?
> >
> > The fact that SYS.LINK$ and SYS.USER_HISTORY$ both contain plaintext
> > passwords for the accounts. With a SYSDBA privileged account these
> > values are visible; any non-SYSDBA account should not have access to
> > such information, which may be a result of the Sarbanes-Oxley Act. Of
> > course it is questionable whether *anyone* should have access to
> > plaintext account passwords, and I would have expected Oracle to
> > maintain their policy of only storing hashed passwords in the data
> > dictionary. Apparently they had a valid reason for having such views,
> > but I cannot understand what that reason could be.
> >
> >
> > David Fitzjarrell
> >

As I have no records in USER_HISTORY$, I shall take your word on the password column. I will state LINK$ does contain plaintext passwords; however, I will not display the contents of the table here for obvious reasons. I presumed since LINK$ contained plaintext passwords, and LINK$ and USER_HISTORY$ are the lone rejects to SYSTEM access, they both contained plaintext password fields.

David Fitzjarrell

Received on Fri Sep 02 2005 - 16:30:13 CDT
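
A defender-side audit that follows from this thread, added here as an example and not part of any poster's message: it lists who has been explicitly granted access to the two restricted tables and which database links store credentials. It assumes a SYSDBA-privileged session; `DBA_DB_LINKS` and `DBA_ROLE_PRIVS` are standard dictionary views that the thread itself does not mention.

```sql
-- Added example (not from the thread). Run from a SYSDBA-privileged session.

-- 1. Explicit object grants on the two tables the thread singles out.
--    EdStevens' dba_tab_privs query returned no rows for SYSTEM; this
--    widens it to every grantee so unexpected grants stand out.
SELECT grantee, table_name, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name IN ('LINK$', 'USER_HISTORY$')
 ORDER BY table_name, grantee;

-- 2. Accounts that inherit such a grant through a directly granted role.
--    Nested roles (a role granted to a role) need a second pass.
SELECT rp.grantee, rp.granted_role, tp.table_name, tp.privilege
  FROM dba_role_privs rp
  JOIN dba_tab_privs  tp
    ON tp.grantee = rp.granted_role
 WHERE tp.owner = 'SYS'
   AND tp.table_name IN ('LINK$', 'USER_HISTORY$')
 ORDER BY tp.table_name, rp.grantee;

-- 3. Fixed-user database links, i.e. the links whose credentials are
--    stored in SYS.LINK$. Connected-user links have a NULL username and
--    current-user links show CURRENT_USER, so neither stores a password.
--    The password itself is deliberately not selected.
SELECT owner, db_link, username, host, created
  FROM dba_db_links
 WHERE username IS NOT NULL
   AND username <> 'CURRENT_USER'
 ORDER BY owner, db_link;
```

Each row returned by the third query is a remote account whose password should be treated as exposed to anyone who can read `SYS.LINK$`.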
