Re: I want to disable connection with "connect / as sysdba" [message #60660 is a reply to message #60649]
Tue, 24 February 2004 05:50
croca
Messages: 50 Registered: January 2004
Member
If your OS username belongs to the DBA group, you will have to set up a couple of things I can tell you about later.
But if you can set up users not to belong to the DBA group, those users won't be able to connect /as sysdba.
Let me know if you need further instructions to set up the ORACLE software in order to disable connect /as sysdba.
Regards.
www.otools.com.ar
Re: OS username belongs to DBA group [message #60666 is a reply to message #60665]
Tue, 24 February 2004 08:22
croca
Messages: 50 Registered: January 2004
Member
What I did is valid for Sun Solaris. I guess it is the same on all Unix machines.
1) I created a username in the DB, for example
dbadmin
and grant dba to dbadmin
2) cd to $ORACLE_HOME/dbs
orapwd file=orapwSID username=dbadmin password=any
3) sqlplus /as sysdba
grant sysdba to dbadmin;
4) I created a new group in /etc/group
for example: ecb
5) edit $ORACLE_HOME/rdbms/lib/config.s
and look for the string 'dba'
you will have to find something like:
/* 0x0008 15 */ .ascii "dba "
/* 0x0014 22 */ .ascii "dba "
change the string dba to ecb (or whatever group you added)
6) shut down the database and listeners...
7) recompile the Oracle binaries
relink all
This way, every user belonging to the DBA group will no longer connect automatically with CONNECT /AS SYSDBA;
instead, you will need to connect as follows:
connect dbadmin/pwd as sysdba
This is valid on Sun Solaris. I did this on 16 machines and it worked perfectly.
Always make a backup of files before editing: config.s, /etc/group
Hope it helps...
Regards.
www.otools.com.ar
Need some clarification [message #60680 is a reply to message #60669]
Wed, 25 February 2004 03:02
moukah
Messages: 4 Registered: February 2004
Junior Member
First, I thank you for your help...
Regarding my problem, this is what I did:
1- connect / as sysdba
create user dbadmin identified by test;
grant dba to dbadmin;
2- I didn't understand this step, but I tried:
orapwd file=orapwTEST password=test
It prints:
" file orapwTEST exists,please delete or rename it "
I did nothing and passed this step.
3- grant sysdba to dbadmin
4- I created group ecb
5- under $ORACLE_HOME/rdbms/lib
there are config.c and config.o but not config.s!
and I stopped all...
Would you clarify steps 2 & 5, and how can I
recompile the Oracle binaries and relink them?
Thanks.
Re: Need some clarification [message #60683 is a reply to message #60680]
Wed, 25 February 2004 10:02
croca
Messages: 50 Registered: January 2004
Member
Of course.
I think you did all the steps OK.
Step 2)
There is no problem; you had already created the orapwTEST file previously, so there is no need to recreate it.
Step 5) I cannot understand; the Unix platforms I have worked on all had that file.
OK, I asked a friend of mine, and he sent me the config.c file from his Linux machine.
It reads like:
/* SS_DBA_GRP defines the UNIX group ID for adminstrative access. */
/* Refer to the Installation and User's Guide for further information. */
#define SS_DBA_GRP "oracle"
#define SS_OPER_GRP "oracle"
char *ss_dba_grp[] = {SS_DBA_GRP, SS_OPER_GRP};
I GUESS YOU WILL NEED TO REPLACE
#define SS_DBA_GRP "oracle"
with
#define SS_DBA_GRP "ecb"
and try to relink all.
Of course, make a backup copy of that file prior to editing.
Hope this works.
Regards.
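An added example (not code from any poster in this thread): a shell audit of which OS accounts can still use "connect / as sysdba", run against the config.c / config.s layouts quoted in the posts above. The function names and sample files are constructed for illustration, and it is an assumption that the first .ascii string in config.s is the DBA group. It also counts users whose primary group is the SYSDBA group, which the member list in /etc/group does not show.

```sh
#!/bin/sh
# Added example: list the OS accounts that can use "connect / as sysdba".
# Assumption: the group name is the SS_DBA_GRP define in config.c, or the
# first .ascii string in config.s, as in the excerpts quoted in the thread.

# Print the OS group that grants SYSDBA, read from config.c or config.s.
sysdba_group() {
    case $1 in
        *.c) sed -n 's/^[[:space:]]*#define[[:space:]]\{1,\}SS_DBA_GRP[[:space:]]\{1,\}"\([^"]*\)".*/\1/p' "$1" | head -n 1 ;;
        *.s) sed -n 's/.*\.ascii[[:space:]]\{1,\}"\([^"]*\)".*/\1/p' "$1" |
                 sed 's/[[:space:]]*$//; s/\\0$//' | head -n 1 ;;
        *)   return 1 ;;
    esac
}

# Print every account in GROUP: listed members plus users whose primary GID matches.
group_members() {
    grp=$1 groupfile=${2:-/etc/group} passwdfile=${3:-/etc/passwd}
    gid=$(awk -F: -v g="$grp" '$1 == g { print $3; exit }' "$groupfile")
    [ -n "$gid" ] || return 1   # group not defined: nothing to report
    {
        awk -F: -v g="$grp" '$1 == g { n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$groupfile"
        awk -F: -v id="$gid" '$4 == id { print $1 }' "$passwdfile"
    } | sort -u
}

# Run both steps on constructed sample files (not taken from any real host).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '#define SS_DBA_GRP "ecb"' '#define SS_OPER_GRP "ecb"' > "$d/config.c"
    printf '%s\n' 'dba:x:101:oracle' 'ecb:x:102:dbadmin,user1' > "$d/group"
    printf '%s\n' 'oracle:x:500:101::/home/oracle:/bin/sh' 'batch:x:501:102::/home/batch:/bin/sh' > "$d/passwd"
    g=$(sysdba_group "$d/config.c")
    echo "SYSDBA group: $g"
    group_members "$g" "$d/group" "$d/passwd"
    rm -rf "$d"
}

# With a config file argument, audit this host; with none, run the demo.
if [ $# -ge 1 ]; then
    g=$(sysdba_group "$1") && [ -n "$g" ] && echo "SYSDBA group: $g" && group_members "$g"
else
    demo
fi
```

In the demo, `batch` appears in the result only because its primary GID is 102; it is not in the `ecb` member list.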
Thank you very much! [message #60775 is a reply to message #60683]
Thu, 04 March 2004 02:37
moukah
Messages: 4 Registered: February 2004
Junior Member
I'm sorry for being late, I was busy with customer's tools,
but I want to thank you for your help although I was
wearing you out. It works well!
I hope to meet you some day...
Re: I want to disable connection with "connect / as sysdba" [message #60915 is a reply to message #60660]
Fri, 12 March 2004 10:00
Sanjay Bajracharya
Messages: 279 Registered: October 2001 Location: Florida
Senior Member
This is a really interesting thread....
So you mean to say that if his friend creates a user ID (say user1) at OS level that is a member of group 'ecb', then
login as root
su - user1
then
connect / as sysdba
Will this work?
My point is, his friend already has ROOT access to the box... he owns the system... or should I say co-owns the system...
Bottom line, take away the root access from your friend, if you can, for absolute security.
--
Sanjay