RE: Requirement to run as user SYS
- From: "Hollis, Les" <Les.Hollis@xxxxxx>
- To: "Nick Tilbury @ Northampton" <ntilbury@xxxxxxxxxxxx>, <barb.baker@xxxxxxxxx>, <oracle-l@xxxxxxxxxxxxx>
- Date: Thu, 9 Dec 2004 10:24:31 -0600
Agree 100% Nick about 'trust'...but as my earlier post says...you CAN
still get in as SYS just by using / as sysdba and do anything you dang
well please INCLUDING unlocking SYS... 8~)
-----Original Message-----
From: Nick Tilbury @ Northampton [mailto:ntilbury@xxxxxxxxxxxx]
Sent: Thursday, December 09, 2004 10:07 AM
To: Hollis, Les; barb.baker@xxxxxxxxx; oracle-l@xxxxxxxxxxxxx
Subject: RE: Requirement to run as user SYS
I just don't understand the logic of this decision. No applications host
their objects in the Sys schema.
Therefore, it is normally the login for the application owner schema(s)
that are infinitely more important (to the business) than SYS.
If the DBA REALLY wanted to damage an *application* I'm confident it
could be done without SYS access.
Ergo - if the DBA can't be trusted, he shouldn't have the job in the
first place !
-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx]On Behalf Of Hollis, Les
Sent: 09 December 2004 15:55
To: barb.baker@xxxxxxxxx; oracle-l@xxxxxxxxxxxxx
Subject: RE: Requirement to run as user SYS
Now that has got to be one of the most ridiculous management decisions I
have ever heard......
By "disable" I am assuming you mean to change the password or 'lock' the
account.
As a DBA you can still get in using / as sysdba which enables you to do
anything you want. It actually still dumps you in as SYS.
I tested on one of my 9i DB's. Locked the user sys account, exited,
logged in '/ as sysdba', did a shutdown/startup and executed this
command....
SQL> show user
USER is "SYS"
SQL>
THIS AFTER I locked the account......
Select * from dba_users where username = 'SYS'; returned this
--------------------------------------------------------------------------
SYS 0 D4C5016086B2DC6A
LOCKED 09-DEC-2004
SYSTEM TEMP
16-NOV-2004
DEFAULT SYS_GROUP
As you see it shows locked...but you are still sys....
Oh well.....I guess if it makes the idiot auditors happy to think they
found something on you and spineless management leaped through hoops to
appease them, I suppose it isn't ALL that terribly bad...you can STILL
log in as SYS using / as sysdba whisper whisper....just don't
tell the auditors
It's all good 8~))
-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Barbara Baker
Sent: Thursday, December 09, 2004 9:35 AM
To: oracle-l@xxxxxxxxxxxxx
Subject: Re: Requirement to run as user SYS
Thanks, Dick. I really appreciate your responses.
It's a double-whammy. We got "written up" by the auditors for using
the SYS account, so management's response is that we just disable it.
< sigh . . . >
> On Thu, 9 Dec 2004 09:24:48 -0500, Goulet, Dick <DGoulet@xxxxxxxx> wrote:
> > Barb,
> >
> > I'll feel sorry for you for sure. You've got one VERY ignorant
> > auditor breathing down your throat and a management team that is equally
> > ignorant and uncaring for letting this happen. At least our auditors
> > were savvy enough to know that SYS is a special account that we need &
> > don't use excessively and left it out of their questions.
> >
--
http://www.freelists.org/webpage/oracle-l
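
An added example, not part of the original thread or written by any of its posters: on Unix hosts `/ as sysdba` is authorised by operating-system group membership rather than by the SYS password or account status, so the accounts that keep SYS access after the lock are the members of the OSDBA group. The code below derives that list from passwd and group data; the group name `dba`, the function names and the sample entries are assumptions constructed for illustration.

```python
"""List OS accounts that can still use '/ as sysdba' after SYS is locked.

Assumption: the OSDBA group is named 'dba' (the usual Unix default; the real
name is chosen at install time). The passwd/group text below is constructed.
"""

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
oracle:x:501:501:Oracle software owner:/home/oracle:/bin/bash
dba1:x:1001:100:DBA:/home/dba1:/bin/bash
batch:x:1002:500:Batch jobs:/home/batch:/bin/sh
auditor:x:1003:100:Audit:/home/auditor:/bin/bash
"""

SAMPLE_GROUP = """\
root:x:0:
users:x:100:
dba:x:500:oracle,dba1
oinstall:x:501:
"""


def parse_group(text, name):
    """Return (gid, members) for group `name`, or None if it is absent."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[0] == name:
            members = {m for m in fields[3].split(",") if m}
            return int(fields[2]), members
    return None


def sysdba_capable(passwd_text, group_text, osdba="dba"):
    """Map account name -> how it belongs to the OSDBA group."""
    found = parse_group(group_text, osdba)
    if found is None:
        return {}
    gid, members = found
    result = {user: "supplementary" for user in members}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        # Primary-group members do not appear in the group file's member list.
        if len(fields) >= 4 and fields[3].isdigit() and int(fields[3]) == gid:
            result[fields[0]] = "primary"
    return result


if __name__ == "__main__":
    for user, how in sorted(sysdba_capable(SAMPLE_PASSWD, SAMPLE_GROUP).items()):
        print(f"{user}: {how} member of dba")
```

Reviewing this list, rather than the ACCOUNT_STATUS column in dba_users, shows who retains SYS-level access on the host.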