Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Usenet -> c.d.o.server -> Re: sys password

Re: sys password

From: Yosi Greenfield <yosi_at_newsalert.com>
Date: Thu, 15 Jul 1999 15:10:25 -0400
Message-ID: <378E3221.ED6823D5@newsalert.com> 





Anurag,



The connect role does not allow anyone to change any password. It merealy
grants the 'create session' privilege, that is, to connect to the database. The
dba role does allow to change ANY password. Any user with dba privileges is
equivalent with any other user.



As mentioned, the 'super-user' concept is not usually mentioned in connection
with SYS. The super-user is any user granted the dba role (or, technically, dba
privileges without that role...). SYS simply owns the data dictionary, and so
carries the greatest potential to directly destroy your database;



HTH,


Yosi



Sybrand Bakker wrote:



> Hi Anurag,


> Here's the story: the connect, resource and dba privileges in Oracle 6 were


> replaced by connect, resource and dba roles (containing much more granular


> privileges) in Oracle 7.


> They were retained for backwards compatibility and officially they are


> obsolete.


> But .... everyone still uses them.


> The problem here is the alter user privilege, that has been granted to the


> connect role (from the top of my head).


> This can be used to change any password including that of sys. Why on earth


> Oracle allows that I don't know.


> Morale: The only option is to get away from connect, resource, and dba and


> grant the more granular privileges


> like create any table, create any procedure etc only.


> Obviously, I too would like to know why an user with alter user privilege


> can change the sys password, which can result in sys loosing it's sysdba


> privileges (if remote_login_passwordfile = shared in init.ora and the sys


> password and the internal password differ, then sys is unable to connect as


> sysdba)


>


> Hth,


>


> Sybrand Bakker, Oracle DBA


>


> Anurag Minocha <anurag_at_synergy-infotech.com> wrote in message


> news:378DB801.E60B8340_at_synergy-infotech.com...


> > Hi,


> > I have a user with dba,resource and connect roles. The problem is that


> > he is able to change the sys password. How can i prevent this. Is this


> > because of the dba role.If yes then why is the sys called the super user


> > if the password can be changed fromn dba.


> >


> >


> > anurag


> >



Received on Thu Jul 15 1999 - 14:10:25 CDT












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US