Return-Path: Received: from ensim.rackshack.net (root@localhost) by orafaq.net (8.11.6/8.11.6) with ESMTP id h7I5CJr12869 for ; Mon, 18 Aug 2003 00:12:19 -0500 X-ClientAddr: 66.27.56.212 Received: from www3.fatcity.com (rrcs-west-66-27-56-212.biz.rr.com [66.27.56.212]) by ensim.rackshack.net (8.11.6/8.11.6) with ESMTP id h7I5CIp12864 for ; Mon, 18 Aug 2003 00:12:19 -0500 Received: (from root@localhost) by www3.fatcity.com (8.11.6/8.11.6) id h7I2jVH04002 for oracle-l@orafaq.net; Sun, 17 Aug 2003 19:45:31 -0700 Received: by fatcity.com (05-Jun-2003/v1.0g-b73/bab) via fatcity.com id 005CB395; Sun, 17 Aug 2003 19:39:24 -0800 Message-ID: Date: Sun, 17 Aug 2003 19:39:24 -0800 To: Multiple recipients of list ORACLE-L X-Comment: Oracle RDBMS Community Forum X-Sender: Tim Gorman Sender: ml-errors@fatcity.com Reply-To: ORACLE-L@fatcity.com Errors-To: ML-ERRORS@fatcity.com From: Tim Gorman Subject: Re: Oracle 9i and connect as sys Organization: Fat City Network Services, San Diego, California X-ListServer: v1.0g, build 73; ListGuru (c) 1996-2003 Bruce A. Bergman Precedence: bulk Mime-Version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit Babette, This is how database security unravels. Pretty soon, the password to SYS is embedded everywhere, used everywhere, and everyone knows it. Thus, the DBA ends up with the pager and responsibility for fixing stuff, but everyone else can cause that pager to go off with a stupid goof at 3:00am where they shouldn't have been able to goof up. It sounds like the patching utility only needs a couple privileges, but instead all of the goddess-like privileges of SYS are provided. Pretty soon, it seems normal for people and programs to connect as SYS on a regular basis. And so it goes... A couple alternatives: * use 9i "GRANT ANY OBJECT PRIVILEGE" to let another account have an incredible amount of authority, which is OK if you don't know exactly what permissions will be needed ahead of time... * grant specific permissions WITH GRANT OPTION to another user, a more focused approach than the shotgun "GRANT ANY OBJECT PRIVILEGE" approach, provided you know what permissions will be needed ahead of time. This has been around forever... * encapsulate such actions within a stored procedure owed by SYS, which may seem cumbersome but allows all kinds of control. Not just "who can do what" (which is basically what permissions and roles provide), but also "during what time", "from where", "from what program", "from what location", etc... Just this Friday, I was wrapping up an installation engagement and one of the last things we did was change all the passwords. Standard practice. Immediately, one of the development managers comes boiling out of his office screaming "Who changed the passwords to SYS and SYSTEM?". I 'fessed up and asked him why he thought he needed it. He turned red and snarled that he just needed it and never you mind, turned on his heel and went in the CIO's office, then came boiling back with approval. We turned it over, and within 5 minutes I logged back onto the system and saw SQL*Plus running with the SYS/SYSTEM password visible to anyone and everyone who can run the UNIX "ps" command. I looked at the scripts he was running, noticed that all he wanted SYS/SYSTEM for was to create PUBLIC SYNONYMs. I left to catch my plane... Hope this helps... -Tim on 8/17/03 6:09 PM, Babette Turner-Underwood at babette@rogers.com wrote: > Tim / Peter / Michael > > Thanks for the information. I was afraid of that. > We have a patching mechanism and need to logon as > sys to grant access to sys objects for part of > the process. (to grant select on sys.dba_free_space > and execute on sys.dbms_util). > > However, the patching mechanism only does a regular > connect and not "as sysdba"--- DARN! - Will have to > change automation scripts if we upgrade ... and I was > hoping this would be easy to slide in :-( > > - Babette > > -----Original Message----- > Tim Gorman > Sent: Sunday, August 17, 2003 1:09 AM > To: Multiple recipients of list ORACLE-L > > > It's a 9i thing, across all platforms. > > > > on 8/16/03 9:29 PM, Babette Turner-Underwood at babette@rogers.com wrote: > >> >> I have created my first 9i database on OS/390 v2.10. >> >> On my Oracle 8i instance, I can connect to the database >> using: >> >> sys/sys_password@the_instance >> >> HOWEVER, In Oracle 9i, I cannot do this. I am FORCED >> >> to connect using: >> sys/password_from_orapwd@the_instance as sysdba >> >> I was wondering if this was a new 9i "feature" >> or if it was configurable? Or just a weird thing >> because of the mainframe environment. >> >> Comments please. >> >> Thanks in Advance >> - Babette -- Please see the official ORACLE-L FAQ: http://www.orafaq.net -- Author: Tim Gorman INET: tim@sagelogix.com Fat City Network Services -- 858-538-5051 http://www.fatcity.com San Diego, California -- Mailing list and web hosting services --------------------------------------------------------------------- To REMOVE yourself from this mailing list, send an E-Mail message to: ListGuru@fatcity.com (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).