Re: sysdba

From: Hans Forbrich <fuzzy.graybeard@xxxxxxxxx>
To: oracle-l@xxxxxxxxxxxxx
Date: Thu, 16 Oct 2014 15:19:10 -0600

On 16/10/2014 11:41 AM, Joshua Collier wrote:

I am not sure I understand why this user can connect as sysdba withouthaving been explicitly granted the SYSDBA power? Is it because I amlogged on to the server as Oracle? Is there a machine setting tochange this? documentation is proving sparse on this subject, or mygooglefoo has been found lacking.

You are observing the exact reason why many of us have been trying toget people to stop logging on (or su'ing) to the machine as user'oracle' ... for years now.

There is a strange combination of things going on under you. First, youare logging on as SYSDBA which bypasses Oracle's regular authentication- it needs to be able to authenticate even when the database is notrunning. As a result, many of us set up ORAPW files.


http://docs.oracle.com/cd/E11882_01/server.112/e25494/dba.htm#ADMIN11047

Second, and in part because you are using SYSDBA, you end up using OSAuthentication.


http://docs.oracle.com/cd/E11882_01/server.112/e25494/dba.htm#ADMIN11052

When logged on to s/w owner with OS Authentication, and you specificallyrequested SYSDBA or SYSOPER (and SYSKM, SYSBACKUP, SYSDG in 12c) you canuse any password you want, and even any user you want, because theOracle user/password will be ignored.


Try your test again from OS user 'oracle' using

     sqlplus blah/blah2 as sysdba

and observe what happens.

Now create a new user 'blah' at the OS level and ensure that user ispart of the sysdba group.


      adduser -G dba blah

SU to that user and try that sqlplus again. That is the effect of OSauthentication against system-privs.



/Hans

References:
- sysdba
  - From: Joshua Collier

Re: sysdba

Other related posts: