Re: connecting automatically as sys

From: Daniel Morgan <damorgan_at_x.washington.edu>
Date: Sun, 25 Jul 2004 12:27:18 -0700
Message-ID: <1090783667.245897@yasure>


Joe wrote:
> On 07/24/2004 06:41 PM, Daniel Morgan said:
>
>> Joe wrote:
>>
>>> On 07/20/2004 11:25 PM, Hans Forbrich said:
>>>
>>>> ...
>>>> 5) I can think of no valid reason, at least effective Oracle8i, to
>>>> attempt ANY coding against SYS.  Playing at that level is roughly
>>>> equivalent to coding against the kernel data structures of a
>>>> proprietary (closed source) OS.
>>>
>>> Does a password_verify_function still have to be owned by SYS?  If
>>> so, I wish Oracle would change that.
>>>
>>
>> Why? A strong desire to compromise security?
>
> Not at all - why do you suggest that?
>
> If I need to update the password verify function across 800+ instances,
> and o7_dictionary_accessibility=false as it should be, it can be a pain
> to connect as sys across that many servers. If the function could be
> created in another schema, it's pretty easy for me to loop through all
> 800 instances from one central place, and do the create or replace.
> Also, since exp/imp doesn't handle sys objects like a normal schema,
> it's just one more thing that you have to handle differently.
>
> Actually, I wish Oracle would add some more profile parameters such as
> minimum_length=6 and non_alpha_required=2, so you could do a much better
> job without the verify_function.

And also easy for someone else to do it too. Inflicting damage not just in one place but in all.

Seems to me it would be better to invest the time and have a more secure environment. Of course there is always OPS$ORACLE.

-- 
Daniel A. Morgan
University of Washington
damorgan_at_x.washington.edu
(replace 'x' with 'u' to respond)
Received on Sun Jul 25 2004 - 14:27:18 CDT
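
The two rules Joe wishes were profile parameters (a minimum length of 6 and at least 2 non-alphabetic characters) can be enforced today by a verify function, shown here as an added example that is not part of the original thread. The names example_verify_function and example_profile and the error numbers are hypothetical; the function is created while connected as SYS.

```sql
-- Added example: run as SYS, since the verify function is looked up in the SYS schema.
CREATE OR REPLACE FUNCTION example_verify_function  -- hypothetical name
  (username     IN VARCHAR2,
   password     IN VARCHAR2,
   old_password IN VARCHAR2)
  RETURN BOOLEAN
IS
  c_min_length    CONSTANT PLS_INTEGER := 6;  -- the "minimum_length=6" wished for above
  c_min_non_alpha CONSTANT PLS_INTEGER := 2;  -- the "non_alpha_required=2" wished for above
  v_non_alpha     PLS_INTEGER := 0;
  v_ch            VARCHAR2(1 CHAR);
BEGIN
  -- Reject empty and short passwords first so LENGTH() below is never NULL.
  IF password IS NULL OR LENGTH(password) < c_min_length THEN
    RAISE_APPLICATION_ERROR(-20001,
      'Password must be at least ' || c_min_length || ' characters long');
  END IF;

  -- A password equal to the user name defeats the other checks.
  IF UPPER(password) = UPPER(username) THEN
    RAISE_APPLICATION_ERROR(-20002, 'Password must differ from the user name');
  END IF;

  -- Count characters that have no upper/lower case variants (digits, punctuation).
  FOR i IN 1 .. LENGTH(password) LOOP
    v_ch := SUBSTR(password, i, 1);
    IF UPPER(v_ch) = LOWER(v_ch) THEN
      v_non_alpha := v_non_alpha + 1;
    END IF;
  END LOOP;

  IF v_non_alpha < c_min_non_alpha THEN
    RAISE_APPLICATION_ERROR(-20003,
      'Password must contain at least ' || c_min_non_alpha ||
      ' non-alphabetic characters');
  END IF;

  RETURN TRUE;
END;
/

-- Attach the function to a profile; users assigned this profile are checked
-- on every password change.
CREATE PROFILE example_profile LIMIT  -- hypothetical profile name
  PASSWORD_VERIFY_FUNCTION example_verify_function;
```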
