RE: Requirement to run as user SYS

  • From: "Reidy, Ron" <Ron.Reidy@xxxxxxxxxxxxxxxxxx>
  • To: <ntilbury@xxxxxxxxxxxx>, <Les.Hollis@xxxxxx>, <barb.baker@xxxxxxxxx>, <oracle-l@xxxxxxxxxxxxx>
  • Date: Thu, 9 Dec 2004 09:27:22 -0700

I agree.  But when you have auditors who scare the snot out of =
ill-informed management, this is the result.  In our case, we defined in =
our initial documents the power of the SYS account (and accounts with =
SYSDBA), described and implemented an auditing process for these =
accounts, and remediation for misuse (i.e. non authorized (DBA staff) =
access or attempts to access).  No problem with our auditors, so far.

Ron Reidy
Lead DBA
Array BioPharma, Inc.

-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx]On Behalf Of Nick Tilbury @
Sent: Thursday, December 09, 2004 9:07 AM
To: 'Les.Hollis@xxxxxx'; barb.baker@xxxxxxxxx; oracle-l@xxxxxxxxxxxxx
Subject: RE: Requirement to run as user SYS

I just don't understand the logic of this decision. No applications host
their objects in the Sys schema.
Therefore, it is normally the login for the application owner schema(s) =
are infinitely more
important (to the business) than SYS.
If the DBA REALLY wanted to damage an *application* I'm confident it =
be done without SYS access.
Ergo - if the DBA can't be trusted, he shouldn't have the job in the =
place !

-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx]On Behalf Of Hollis, Les
Sent: 09 December 2004 15:55
To: barb.baker@xxxxxxxxx; oracle-l@xxxxxxxxxxxxx
Subject: RE: Requirement to run as user SYS

Now that has got to be one of the most ridiculous management decisions I
have ever heard......

By "disable" I am assuming you mean to change the password or 'lock' the

As a DBA you can still get in using / as sysdba  which enables you to do
anything you want.  It actually still dumpos you in as SYS.

I tested on one of my 9i DB's.  Locked the user sys account, exited,
logged in   '/ as sysdba',   did a shutdown/startup  and executed this

SQL> show user

THIS AFTER I locked the account......

Select * from dba_users where username =3D3D 'SYS';  returned this

SYS                                     0 D4C5016086B2DC6A
LOCKED                           09-DEC-2004
SYSTEM                         TEMP
DEFAULT                        SYS_GROUP

As you see it shows locked...but you are still sys....

Oh well.....I guess if it makes the idiot auditors happy to think they
found something on you and spineless management leaped through hoops to
appease them, I suppose it isn't ALL that terribly can STILL
log in as SYS using / as sysdba         whisper whisper....just don't
tell the auditors

It's all good   8~))

-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Barbara Baker
Sent: Thursday, December 09, 2004 9:35 AM
To: oracle-l@xxxxxxxxxxxxx
Subject: Re: Requirement to run as user SYS

 Thanks, Dick.  I really appreciate your responses.
 It's a double-whammy.  We got "written up" by the auditors for using
 the SYS account, so management's response is that we just disable it.
 < sigh . . . >

> On Thu, 9 Dec 2004 09:24:48 -0500, Goulet, Dick <DGoulet@xxxxxxxx>
> > Barb,
> >
> >        I'll feel sorry for you for sure.  You've got one VERY
> > auditor breathing down your throat and a management team that is
> > ignorant and uncaring for letting this happen.  At least our
> > were savvy enough to know that SYS is a special account that we need
> > don't use excessively and left it out of their questions.
> >

This message is intended solely for the use of the individual or =
organisation to whom it is addressed.  It may contain privileged or =
confidential information.  If you have received this message in error, =
please notify the originator immediately.  If you are not the intended =
recipient, you should not use, copy, alter, or disclose the contents of =
this message.  All information or opinions expressed in this message =
and/or any attachments are those of the author and are not necessarily =
those of VarTecTelecom Europe Ltd or its affiliates. VarTec Telecom =
Europe Ltd accepts no responsibility for loss or damage arising from its =
use, including damage from virus.=20


This electronic message transmission is a PRIVATE communication which =
information which may be confidential or privileged. The information is =
to be for the use of the individual or entity named above. If you are =
not the=20
intended recipient, please be aware that any disclosure, copying, =
or use of the contents of this information is prohibited. Please notify =
sender  of the delivery error by replying to this message, or notify us =
telephone (877-633-2436, ext. 0), and then delete it from your system.


Other related posts: