RE: Requirement to run as user SYS

  • From: Kip.Bryant@xxxxxxxxxx
  • To: DGoulet@xxxxxxxx
  • Date: Thu, 09 Dec 2004 10:01:03 -0800

And it's not uncommon for them to work from "cookbook" instructions and not
really know anything about Oracle.  I actually had one who was testing to make
sure no default passwords were in use (OK, no problem), but he included
"internal" as an account to test (8.1.7.4 DB).  Dang.  "sqlplus internal"
logged right in without a password.  We must have a crisis... I guess I must
have been really stupid to let this "testing" happen at the OS level in the
oracle admin account (we don't allow ODBC access).  Got out of it by
demonstrating failure to log in to "internal" from an account that wasn't in
the correct unix group.

Kip

|Of course no auditor trusts anyone, including themselves, thanks to SOX.



|Dick Goulet
|Senior Oracle DBA
|Oracle Certified 8i DBA
|-----Original Message-----
|From: Reidy, Ron [mailto:Ron.Reidy@xxxxxxxxxxxxxxxxxx]
|Sent: Thursday, December 09, 2004 11:27 AM
|To: ntilbury@xxxxxxxxxxxx; Les.Hollis@xxxxxx; barb.baker@xxxxxxxxx;
|oracle-l@xxxxxxxxxxxxx
|Subject: RE: Requirement to run as user SYS

|I agree.  But when you have auditors who scare the snot out of
|ill-informed management, this is the result.  In our case, we defined in
|our initial documents the power of the SYS account (and accounts with
|SYSDBA), described and implemented an auditing process for these
|accounts, and remediation for misuse (i.e. non-authorized (non-DBA staff)
|access or attempts to access).  No problem with our auditors, so far.

|-----------------
|Ron Reidy
|Lead DBA
|Array BioPharma, Inc.


|-----Original Message-----
|From: oracle-l-bounce@xxxxxxxxxxxxx
|[mailto:oracle-l-bounce@xxxxxxxxxxxxx]On Behalf Of Nick Tilbury @
|Northampton
|Sent: Thursday, December 09, 2004 9:07 AM
|To: 'Les.Hollis@xxxxxx'; barb.baker@xxxxxxxxx; oracle-l@xxxxxxxxxxxxx
|Subject: RE: Requirement to run as user SYS


|I just don't understand the logic of this decision. No applications host
|their objects in the Sys schema. Therefore, it is normally the login for
|the application owner schema(s) that are infinitely more important (to
|the business) than SYS. If the DBA REALLY wanted to damage an
|*application* I'm confident it could be done without SYS access.
|Ergo - if the DBA can't be trusted, he shouldn't have the job in the
|first place!

|-----Original Message-----
|From: oracle-l-bounce@xxxxxxxxxxxxx
|[mailto:oracle-l-bounce@xxxxxxxxxxxxx]On Behalf Of Hollis, Les
|Sent: 09 December 2004 15:55
|To: barb.baker@xxxxxxxxx; oracle-l@xxxxxxxxxxxxx
|Subject: RE: Requirement to run as user SYS


|Now that has got to be one of the most ridiculous management decisions I
|have ever heard......

|By "disable" I am assuming you mean to change the password or 'lock' the
|account.


|As a DBA you can still get in using / as sysdba  which enables you to do
|anything you want.  It actually still dumps you in as SYS.

|I tested on one of my 9i DB's.  Locked the user sys account, exited,
|logged in   '/ as sysdba',   did a shutdown/startup  and executed this
|command....


|SQL> show user
|USER is "SYS"
|SQL>


|THIS AFTER I locked the account......



|Select * from dba_users where username = 'SYS';  returned this
|
|USERNAME   USER_ID  PASSWORD          ACCOUNT_STATUS  LOCK_DATE
|SYS              0  D4C5016086B2DC6A  LOCKED          09-DEC-2004
|
|DEFAULT_TABLESPACE  TEMPORARY_TABLESPACE  CREATED      PROFILE  INITIAL_RSRC_CONSUMER_GROUP
|SYSTEM              TEMP                  16-NOV-2004  DEFAULT  SYS_GROUP


|As you see it shows locked...but you are still sys....


|Oh well.....I guess if it makes the idiot auditors happy to think they
|found something on you and spineless management leaped through hoops to
|appease them, I suppose it isn't ALL that terribly bad...you can STILL
|log in as SYS using / as sysdba                whisper whisper....just don't
|tell the auditors



|It's all good   8~))


|-----Original Message-----
|From: oracle-l-bounce@xxxxxxxxxxxxx
|[mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Barbara Baker
|Sent: Thursday, December 09, 2004 9:35 AM
|To: oracle-l@xxxxxxxxxxxxx
|Subject: Re: Requirement to run as user SYS

| Thanks, Dick.  I really appreciate your responses.
| It's a double-whammy.  We got "written up" by the auditors for using
| the SYS account, so management's response is that we just disable it.
| < sigh . . . >

|> On Thu, 9 Dec 2004 09:24:48 -0500, Goulet, Dick <DGoulet@xxxxxxxx> wrote:
|> > Barb,
|> >
|> >        I'll feel sorry for you for sure.  You've got one VERY ignorant
|> > auditor breathing down your throat and a management team that is equally
|> > ignorant and uncaring for letting this happen.  At least our auditors
|> > were savvy enough to know that SYS is a special account that we need &
|> > don't use excessively and left it out of their questions.
|> >
|--
|//www.freelists.org/webpage/oracle-l





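The thread makes one technical point that is worth being able to prove rather than argue: locking or re-passwording SYS changes nothing for a local `sqlplus / as sysdba`, because that connection is authenticated by the operating system (membership of the OSDBA group, `dba` on most Unix installs), not by the SYS row in `dba_users` or by the password file. The script below is an added example, not code from any of the posters. It assumes a 9i-era database (where `audit_sys_operations` exists) and is meant to be run from SQL*Plus after connecting as SYSDBA; the views, parameters and `sys_context` attributes are standard Oracle names, and the comments on how to read each result are the editor's.

```sql
-- Added example: what locking SYS does and does not change, seen from inside
-- the database.  Connect first with:   sqlplus / as sysdba

-- 1. The row Les quoted, with the columns named instead of wrapped.
--    ACCOUNT_STATUS = LOCKED here only affects password logons to SYS.
SELECT username, account_status, lock_date, created, profile
  FROM dba_users
 WHERE username = 'SYS';

-- 2. Who you are right now.  After "/ AS SYSDBA" this reports SESSION_USER = SYS
--    and ISDBA = TRUE even though the row above says LOCKED: the lock was never
--    consulted, the OS group membership was.
SELECT sys_context('USERENV', 'SESSION_USER') AS session_user,
       sys_context('USERENV', 'OS_USER')      AS os_user,
       sys_context('USERENV', 'ISDBA')        AS isdba
  FROM dual;

-- 3. Database-side settings that govern the *other* SYSDBA paths and the
--    audit trail.  Note that none of them can switch off local OS
--    authentication; that is done on the host (see the note after the block).
SELECT name, value
  FROM v$parameter
 WHERE name IN ('remote_login_passwordfile',  -- NONE  => no password-file SYSDBA over SQL*Net
                'os_authent_prefix',          -- prefix for OS-authenticated ordinary users
                'audit_sys_operations',       -- TRUE  => every SYSDBA statement is written to the OS audit trail
                'audit_trail',                -- where audit records for everyone else go
                'audit_file_dest')            -- directory that receives the SYSDBA audit files
 ORDER BY name;

-- 4. Who can reach SYSDBA with a password (the network path that the
--    password file, not the OS group, controls).
SELECT username, sysdba, sysoper
  FROM v$pwfile_users
 ORDER BY username;

-- 5. Evidence for an auditor.  On 9i a plain "sqlplus sys/<pw>" (no AS SYSDBA)
--    is still allowed and, if AUDIT SESSION is enabled, shows up here.
--    "/ AS SYSDBA" connections do NOT appear in this view: Oracle always writes
--    them to the OS audit trail under audit_file_dest, which is where to point
--    the auditor for the sessions this thread is about.
SELECT os_username, userhost, terminal, timestamp, returncode
  FROM dba_audit_session
 WHERE username = 'SYS'
 ORDER BY timestamp DESC;
```

If the goal really is to stop `/ as sysdba` rather than to placate an auditor, the control is on the host, not in `dba_users`: remove everyone but the DBA staff from the OSDBA group (`getent group dba` shows who is in it), and, if OS authentication is to be switched off entirely on Unix, set `SQLNET.AUTHENTICATION_SERVICES=(NONE)` in `sqlnet.ora`, after which SYSDBA is reachable only through the password file entries listed in step 4. Do that only with a known-good SYS password in hand, since the OS path is also the way back into a database whose password file is damaged.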
