RE: Requirement to run as user SYS

  • From: "Hollis, Les" <Les.Hollis@xxxxxx>
  • To: <barb.baker@xxxxxxxxx>, <oracle-l@xxxxxxxxxxxxx>
  • Date: Thu, 9 Dec 2004 09:54:51 -0600

Now that has got to be one of the most ridiculous management decisions I
have ever heard......

By "disable" I am assuming you mean to change the password or 'lock' the

As a DBA you can still get in using / as sysdba  which enables you to do
anything you want.  It actually still dumps you in as SYS.

I tested on one of my 9i DB's.  Locked the user sys account, exited,
logged in   '/ as sysdba',   did a shutdown/startup  and executed this

SQL> show user

THIS AFTER I locked the account......

Select * from dba_users where username = 'SYS';  returned this

SYS                                     0 D4C5016086B2DC6A
LOCKED                           09-DEC-2004
SYSTEM                         TEMP
DEFAULT                        SYS_GROUP

As you see it shows locked...but you are still sys....

Oh well.....I guess if it makes the idiot auditors happy to think they
found something on you and spineless management leaped through hoops to
appease them, I suppose it isn't ALL that terribly can STILL
log in as SYS using / as sysdba         whisper whisper....just don't
tell the auditors

It's all good   8~))

-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Barbara Baker
Sent: Thursday, December 09, 2004 9:35 AM
To: oracle-l@xxxxxxxxxxxxx
Subject: Re: Requirement to run as user SYS

 Thanks, Dick.  I really appreciate your responses.
 It's a double-whammy.  We got "written up" by the auditors for using
 the SYS account, so management's response is that we just disable it.
 < sigh . . . >

> On Thu, 9 Dec 2004 09:24:48 -0500, Goulet, Dick <DGoulet@xxxxxxxx>
> > Barb,
> >
> >        I'll feel sorry for you for sure.  You've got one VERY
> > auditor breathing down your throat and a management team that is
> > ignorant and uncaring for letting this happen.  At least our
> > were savvy enough to know that SYS is a special account that we need
> > don't use excessively and left it out of their questions.
> >
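
The following SQL*Plus checks are an added example, not part of the original thread. They show how a DBA or auditor could verify that a locked SYS account still leaves SYSDBA access open, and how to log that access instead. The example assumes Oracle 9.2 or later (for AUDIT_SYS_OPERATIONS) and an spfile-based instance.

```sql
-- Added example, not from the original posts. Run in SQL*Plus as a DBA.
-- Assumption: Oracle 9.2 or later, instance started from an spfile.

-- 1. The dictionary view reports the lock, as seen in the thread.
SELECT username, account_status, lock_date
FROM   dba_users
WHERE  username = 'SYS';

-- 2. '/ as sysdba' is OS authentication: it is granted by membership of
--    the OSDBA operating-system group, not by the row above. Review that
--    group on the host, and list who can connect AS SYSDBA through the
--    password file as well.
SELECT username, sysdba, sysoper
FROM   v$pwfile_users;

SHOW PARAMETER remote_login_passwordfile

-- 3. Check whether statements issued over SYSDBA/SYSOPER connections
--    are being recorded, and where the OS audit files are written.
SHOW PARAMETER audit_sys_operations
SHOW PARAMETER audit_file_dest

-- 4. Turn on auditing of SYS operations. The parameter is static, so
--    the change takes effect at the next instance restart.
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;
```

The audit records land in operating-system files under audit_file_dest, so their value as a control depends on that directory being protected from the accounts being audited.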
