Re: Oracle equivalent to unix 'su - username'... connecting as someone else

From: Joel Garry <joelga_at_pebble.org>
Date: 1998/09/03
Message-ID: <slrn6uu595.25k.joelga_at_pebble.org>#1/1


On Wed, 02 Sep 1998 13:55:51 GMT, Thomas Kyte <tkyte_at_us.oracle.com> wrote:
>A copy of this was sent to jared_at_pandora.planet.net (Jared Hecker)
>(if that email address didn't require changing)
>On 1 Sep 1998 19:04:19 GMT, you wrote:
>
>>One would want to connect as a non-dba to do things like grant object
>>privileges on objects the non-dba owns to others.
>>
>>
>>landmass_at_iname.com wrote:
>>: Easiest way, is to look at the dba_users table, which holds an encrypted
>>: version of the password. If you do a "select username, password from
>>: dba_users where username = '????';", and then save this to a file - DO NOT
>>: DELETE IT. You can then use the 'alter user xxxx identified by yyyy;'
>>: statement to change the user's password to something that you know.... When
>>: you have finished, you can change it back to its previous value: alter user
>>: xxxxx identified by values '<paste password string from file here>';
>>
>>Really?? Must try this, I didn't know this was a consistent cypher.
>>Rather defeats the purpose of encrypting the password, though.
>>
>
>why does it defeat the purpose of DIGESTING (not encrypting) the password?
>
>the password is *not* encrypted -- it's a one way digest.
>
>If the user SCOTT uses the password TIGER -- it will hash to the same string of
>characters consistently on all platforms (so we can move a password for a user
>from one system to another without having to know the password).
>
>If the user BOB uses the password TIGER -- it will hash to ANOTHER string but
>consistently to that other string for BOB on all platforms.
>
>Check out your /etc/shadow or /etc/passwd file on unix sometime -- you can move
>it from machine to machine (given the same OS and hardware architecture) and
>have the passwords move with you -- it works the same way. I copy unix
>passwords for people from machine to machine this way all of the time. The
>passwords are one way digests, very safe. Just because you have the digest
>doesn't mean you have the password.

Yes, but on unix you can't connect as user oracle identified by X4I0FKpJGZaNw. su does require a password if you are not root. The security for Oracle just gets shifted to OS protecting files the password (or its digest) is in, and the way most people work they eventually miss this (like in full exports).

Not that I'm complaining, this has allowed me to hack, er, heroically fix a number of situations I've walked into cold. The problem is just most people expect "typical" password security, and as you've pointed out, it's not.

A semantics problem based on the history of passwording, I'd say. Oracle's way is more like sudo minus the accountability (which is the point of sudo).

>
>>Regards,
>>jh
>
>
>Thomas Kyte
>tkyte_at_us.oracle.com
>Oracle Government
>Herndon VA
>
>--
>http://govt.us.oracle.com/ -- downloadable utilities
>
>----------------------------------------------------------------------------
>Opinions are mine and do not necessarily reflect those of Oracle Corporation
>
>Anti-Anti Spam Msg: if you want an answer emailed to you,
>you have to make it easy to get email to you. Any bounced
>email will be treated the same way I treat SPAM-- I delete it.

jg

-- 
These opinions are my own and not necessarily those of Information Quest or 
Pebble In The Sky http://www.informationquest.com mailto:jgarry_at_nospameiq.com
http://ourworld.compuserve.com/homepages/joel_garry   Remove nospam to reply.  
mailto:joel_garry_at_compuserve.nospam.com  "See your DBA?"  I AM the @#%*& DBA! 
Received on Thu Sep 03 1998 - 00:00:00 CEST
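
The accountability gap raised in the reply above can be narrowed by auditing password changes. The following is an added example, not part of the original thread: it scans audit rows for the swap-and-restore pattern described in the quoted post (a privileged user alters another account, that account logs on, and the same user alters it again shortly after). The row layout, the sample data and the 30-minute window are constructed assumptions, not Oracle's audit trail format.

```python
from datetime import datetime, timedelta

# Constructed audit rows (not real Oracle output):
# (time, acting user, action, target account)
SAMPLE_AUDIT = [
    ("1998-09-01 09:00:00", "SYSTEM", "ALTER USER", "SCOTT"),
    ("1998-09-01 09:00:40", "SCOTT",  "LOGON",      "SCOTT"),
    ("1998-09-01 09:05:10", "SYSTEM", "ALTER USER", "SCOTT"),
    ("1998-09-02 14:00:00", "SYSTEM", "ALTER USER", "BOB"),
    ("1998-09-03 08:30:00", "BOB",    "LOGON",      "BOB"),
    ("1998-09-05 10:00:00", "BOB",    "ALTER USER", "BOB"),
]

def find_password_swaps(rows, window=timedelta(minutes=30)):
    """Return (actor, target, start, end) for each swap-and-restore pattern:
    actor alters another account, that account logs on, and the same actor
    alters it again, all within `window` of the first change."""
    events = sorted(
        (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), actor, action, target)
        for ts, actor, action, target in rows
    )
    open_swaps = {}  # (actor, target) -> [time of first ALTER USER, logon seen?]
    findings = []
    for when, actor, action, target in events:
        if action == "LOGON":
            # Mark every pending change on this account as "used".
            for (_, changed), state in open_swaps.items():
                if changed == actor and when - state[0] <= window:
                    state[1] = True
        elif action == "ALTER USER" and actor != target:
            key = (actor, target)
            state = open_swaps.get(key)
            if state and state[1] and when - state[0] <= window:
                findings.append((actor, target, state[0], when))
                del open_swaps[key]
            else:
                # First change, or a stale/unused one: start a new window.
                open_swaps[key] = [when, False]
    return findings

if __name__ == "__main__":
    for actor, target, start, end in find_password_swaps(SAMPLE_AUDIT):
        print(f"{actor} swapped and restored {target}'s password: {start} -> {end}")
```

A user changing their own password, or an administrative reset that is not followed by a second change, is not reported.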
