
Re: Oracle9i/AIX5.2: multiple sys (sysdba) passwords Question

From: omlet v4 <teraknowledgesystems_at_yahoo.com>
Date: 12 Jul 2004 03:07:12 -0700
Message-ID: <fc85c159.0407120207.5f8e3120@posting.google.com>


Alvaro Fuentes <alvarof2_at_hotmail.com> wrote in message news:<ccsag4$gh2$1_at_ausnews.austin.ibm.com>...
> David Fitzjarrell wrote:
>
> > "Alvaro Fuentes" <alvarof2_at_hotmail.com> wrote in message news:ccs0ru$dh4$1_at_ausnews.austin.ibm.com...
> >
> >>Sybrand Bakker wrote:
> >>
> >>>On Sun, 11 Jul 2004 08:31:34 GMT, "A. Fuentes" <alvarof2_at_hotmail.com>
> >>>wrote:
> >>>
> >>>
> >>>
> >>>>Fellow Oracle users:
> >>>>
> >>>>I am running Oracle 9.2.0.2 on AIX 5.2.
> >>>>
> >>>>I did
> >>>>
> >>>>rm $ORACLE_HOME/dbs/orapw
> >>>>
> >>>>Thereafter I did, as the oracle:dba AIX user:
> >>>>
> >>>>orapwd file=$ORACLE_HOME/dbs/orapw password=changed entries=30
> >>>>
> >>>>(the orapwd command executed OK, no error returned),
> >>>>and I can authenticate not only by running:
> >>>>
> >>>>sqlplus sys/"changed as sysdba"
> >>>>
> >>>>but with some other passwords.
> >>>>
> >>>>How is this possible? (Shouldn't the password "changed" be unique and the
> >>>>only one for sys (as sysdba)?)
> >>>>
> >>>>Any light on this issue will be greatly appreciated.
> >>>>
> >>>>
> >>>>Best,
> >>>>
> >>>>A. Fuentes
> >>>>512-297-9937
> >>>>
> >>>>
> >>>
> >>>If you are on the server doing this and you installed the Oracle files
> >>>are owned by the Unix group dba, yes: you can use anything to
> >>>connect, by design. On Unix platforms all users in the dba group have
> >>>SYSDBA privilege, by design.
> >>>Right now, you have several options:
> >>>- Make sure the Oracle password can't be guessed
> >>>- Remove all other users from the dba group
> >>>- If you still think there are people who will misuse the Oracle
> >>>account, make sure they are fired.
> >>>
> >>>And of course, this is documented in the installation manual no one
> >>>cares to read.
> >>>
> >>>
> >>>--
> >>>Sybrand Bakker, Senior Oracle DBA
> >>
> >>
> >>But in this situation, it is NOT that several users in
> >>the dba group can connect as sysdba. Oracle is the ONLY
> >>user in the dba group and SYS is the ONLY user with SYSDBA
> >>grant.
> >>
> >>This situation refers to SYS as SYSDBA being able to use
> >>another password, different than the one set by the command
> >>orapwd.
> >>
> >>Again any light on this issue greatly appreciated.
> >>
> >>
> >>A. Fuentes
> >>512-297-9937
> >>
> >
> >
> > Sybrand has already explained this to you, however I shall do it
> > again:
> >
> > The Oracle user on a UNIX/Linux system is a member of the dba group;
> > ANY member of this group can connect to sys as sysdba with,
> > apparently, ANY PASSWORD THEY CHOOSE. I state APPARENTLY as O/S
> > authentication is being used to grant access as SYS AS SYSDBA. Try
> > this as any other O/S user and you'll soon find out that there ARE NOT
> > multiple passwords for SYS AS SYSDBA, only one, the one you've set.
> > What you're seeing is probably this:
> >
> > $ su - oracle
> > Password:
> > $ sqlplus /nolog
> > ....
> >
> > SQL> connect "sys/whatever_i_want_to_type_here as sysdba"
> > Connected.
> > SQL>
> >
> > Or:
> >
> > $ su - oracle
> > Password:
> > $ sqlplus /nolog
> > ....
> >
> >
> > SQL> connect sys as sysdba
> > Password: i_type_anything_here_and_it_works
> > Connected.
> >
> > This is documented, and intended, behaviour. As Oracle you should be
> > connecting in this manner:
> >
> > $ su - oracle
> > Password:
> > $ sqlplus /nolog
> > ....
> >
> >
> > SQL> connect / as sysdba
> > Connected.
> > SQL>
> >
> > As the Oracle O/S user you are authenticated through the O/S since
> > you're a member of the dba group, making a password unnecessary if you
> > connect locally. THIS does NOT mean there is no password for SYS AS
> > SYSDBA, or that there are multiple passwords for this privileged
> > account. No account in an Oracle database may have any more than ONE
> > password, and this includes SYS AS SYSDBA. Remote connections as SYS
> > AS SYSDBA will require the CORRECT password unless you have a secure
> > connection to the database server. There is only ONE correct password
> > in such cases, as you'll find out when you attempt to connect from a
> > machine other than the database server.
> >
> > You've had PLENTY of light shed on this "issue", which is NOT an issue
> > at all. I would read the responses again, and, if these don't give
> > you any clue I'd start reading the documentation, starting here:
> >
> > http://download-west.oracle.com/docs/cd/B10501_01/server.920/a96521/dba.htm#11049
> >
> > If the documentation doesn't shed the proper amount of light on this,
> > possibly you need to seriously think about hiring a qualified Oracle
> > DBA.
> >
> > David Fitzjarrell
>
>
> I like to think of this as being a friendly forum
> where the Oracle newbie can ask NEWBIE questions,
> despite some harsh answers.
>
> Hopefully that won't change because of the few

He was fired from AMR/SABER because of his attitude! Nothing really changed! I heard he pointed a double barrel shotgun and shot his comrades and then he jumped from the fourth floor; shot his wife and kids; went to jail for a few years; joined the white resistance.

This group used to be friendly! America used to be a great place since the founding fathers;

David Fitzjarrell killed the USAirways project; Nasdaq, US economy and .....

Received on Mon Jul 12 2004 - 05:07:12 CDT
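
The quoted replies explain that any account in the dba group is authenticated by the O/S for SYS AS SYSDBA, so group membership, not the orapwd password, is the local control. The audit below is an added example and not part of the original thread: the function names and the sample group/passwd contents are constructed, and the OSDBA group is assumed to be named dba as in the posts.

```shell
#!/bin/sh
# Added example (not from the thread): who gets password-less SYSDBA?
# Assumes the OSDBA group is named "dba", as in the posts above.

# osdba_members GROUP GROUP_FILE PASSWD_FILE
# Prints every account in GROUP, sorted: supplementary members (group
# file, field 4) plus accounts whose primary GID is the group's GID.
osdba_members() {
    gid=$(awk -F: -v g="$1" '$1 == g { print $3; exit }' "$2")
    [ -n "$gid" ] || return 2            # group is not defined
    {
        awk -F: -v g="$1" '$1 == g { n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$2"
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$3"
    } | sort -u
}

# unexpected_osdba GROUP GROUP_FILE PASSWD_FILE ALLOWED_USER...
# Prints members that are not on the allow-list; returns 1 if there are any.
unexpected_osdba() {
    members=$(osdba_members "$1" "$2" "$3") || return 2
    shift 3
    extra=$(for u in $members; do
        ok=0
        for a in "$@"; do if [ "$u" = "$a" ]; then ok=1; fi; done
        if [ "$ok" -eq 0 ]; then echo "$u"; fi
    done)
    if [ -n "$extra" ]; then echo "$extra"; return 1; fi
    return 0
}

# Constructed sample files in /etc/group and /etc/passwd format.
demo_dir=$(mktemp -d)
cat > "$demo_dir/group" <<'EOF'
staff:!:1:backup
dba:!:204:oracle,jsmith
EOF
cat > "$demo_dir/passwd" <<'EOF'
oracle:!:301:204::/home/oracle:/usr/bin/ksh
jsmith:!:302:1::/home/jsmith:/usr/bin/ksh
batch:!:303:204::/home/batch:/usr/bin/ksh
backup:!:304:1::/home/backup:/usr/bin/ksh
EOF
echo "Accounts with OS-authenticated SYSDBA:"
osdba_members dba "$demo_dir/group" "$demo_dir/passwd"
echo "Not on the allow-list (oracle):"
unexpected_osdba dba "$demo_dir/group" "$demo_dir/passwd" oracle || true
```

On a real host, pass /etc/group and /etc/passwd instead of the sample files; the constructed `batch` account shows why primary-group membership has to be checked as well as the member list.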
