Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: sysdba privileges and shutdown

From: Sybrand Bakker <gooiditweg_at_nospam.demon.nl>
Date: Fri, 07 Mar 2003 19:26:26 +0100
Message-ID: <nsoh6v0ip1qvoriv0edqibc5vo9idvenlu@4ax.com>


On Fri, 7 Mar 2003 17:10:07 -0000, "Niall Litchfield" <n-litchfield_at_audit-commission.gov.uk> wrote:

>"Rachel Wilson" <wilsonr_at_logica.com> wrote in message
>news:936259dc.0303070841.2cf8a6cf_at_posting.google.com...
>> I am also wondering why the unix group of dba is allowed sysdba rights
>> as a matter of course - is this not a bit of a security risk?
>
>I'll let others answer the rest of this but here's my tuppence on the above.
>
>1. The dba group is only allowed sysdba rights if remote_login_password_file
>is not set to exclusive (IIRC). If it is set to exclusive you'd need to
>supply a password file; and
>2. You only allow DBAs into the DBA OS group, surely. If your DBAs are a
>security risk you have real problems.

Just to set things straight, adding to the answer of Tanel

remote_login_passwordfile = none (the default): only internal (/ as sysdba) has sysdba privilege, SYS doesn't have sysdba privilege (this has changed in 9i)

remote_login_passwordfile = shared: internal and SYS have sysdba privilege. This means *remote* connections on a client system could get privilege when connecting as SYS as sysdba

remote_login_passwordfile = exclusive: ANY user, provided explicitly granted, can have SYSDBA privilege

Regards

Sybrand Bakker, Senior Oracle DBA

To reply remove -verwijderdit from my e-mail address

Received on Fri Mar 07 2003 - 12:26:26 CST
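
Added example, not part of the original post: a read-only audit of the setting discussed in this thread, showing the password-file mode in force and which accounts the password file lists with SYSDBA or SYSOPER. It assumes a SQL*Plus session with access to the V$ views; `APP_ADMIN` in the final comment is a hypothetical account name.

```sql
-- Added audit example (not from the thread).

-- 1. Password-file mode currently in force: NONE, SHARED or EXCLUSIVE.
SELECT name, value
  FROM v$parameter
 WHERE name = 'remote_login_passwordfile';

-- 2. Every account recorded in the password file and the administrative
--    privileges it holds. The view returns no rows when no password file
--    is in use.
SELECT username, sysdba, sysoper
  FROM v$pwfile_users
 ORDER BY username;

-- 3. Accounts other than SYS that can connect AS SYSDBA through the
--    password file. Each row should map to a named DBA who still needs
--    the privilege.
SELECT username
  FROM v$pwfile_users
 WHERE sysdba = 'TRUE'
   AND username <> 'SYS'
 ORDER BY username;

-- 4. Removing an entry that should not be there is done with a revoke,
--    for example (APP_ADMIN is a hypothetical account name):
--    REVOKE SYSDBA FROM app_admin;
```

The password file covers only one of the two routes raised in the thread, so membership of the operating-system dba group on the database host needs its own review.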
