Re: Users identified by passwd may also be identified externally

Alain.Viret_at_ls.ubs.ubs.ch (Alain VIRET) writes:

:With Oracle 7.0.15.4 (Solaris 2.3), when we define an user with the command:
:create user toto identified by titi
:If an Unix toto exist, it may execute sqlplus / and enters in the
:database.
 

:With another instance and version (7.0.16.x), with the same command
:of the user's creation, the user Unix toto may not enters in the
:database without giving its password (titi in the example).
 

:Is it a bug or a known feature or a different parameter ?

None of the above. The behaviour was changed in 7.0.16, and is documented in the README files for that release. There is considerable difference of opinion as to whether or not this was a Good Thing to Do.

For more specifics, read the documentation on the use of the OPS$ parameter.

Security concerns such as this were raised at several of the 'Ask Oracle' sessions at IOUW last week, and although Oracle acknowledges them it isn't clear that they have good solutions worked out yet. As Oracle moves more into the client/server arena with its CDE-2 toolkit, these problems will get worse rather then better, too.

---
Michael Nolan, Sysop for the DBMS RoundTable on GEnie
nolan_at_notes.tssi.com, dbms_at_genie.geis.com
(posted from nolan_at_helios.unl.edu)