Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: Help on SYSDBA privilege

From: Rick Wessman <Rick.Wessman_at_oracle.com>
Date: 02 Oct 2001 13:46:15 -0400
Message-ID: <socitdy9bq0.fsf@rwessman-pc.us.oracle.com>


What Lawrence said is correct. When you connect as SYSDBA, you get your Oracle privileges from the operating system using your operating system user ID, not your Oracle user ID. This applies on Windows as well as on Unix and its variants (Linux, etc.).

Given that, it figures that your scenario would work as it does. Your operating system user ID did not change during the session, so Oracle will continue to use it.

However, your scenario will not work with the following changes.

  1. CONNECT scott/tiger AS SYSDBA;
  2. CREATE USER ab IDENTIFIED BY ab;
  3. GRANT create session, resource TO ab;
  4. exit out of the operating system session
  5. login as another user who is not part of the dba group
  6. CONNECT ab/ab AS SYSDBA;

The last connect will fail because the second user does not have the privilege to be the DBA.

                                Rick

"santysharma" <santysharma_at_hotmail.com> writes:

> Yes, I tried it on WIN 2000. Oh man, this definitely is a serious bug.
> I can connect scott/tiger as sysdba.
> After that I created user ab identified by ab,
> then I was also able to connect as ab/ab as sysdba.
> Even did shutdown with this ab a/c.
> So much for Oracle 9i
>
> santysharma
> Oracle certified dba
> Sun certified system admin
>
>
>
>
> "Lawrence Simela" <lsimela_at_mahalini.prestel.co.uk> wrote in message
> news:9p2453$g31$1_at_phys-ma.sol.co.uk...
> > Sounds like you have OS authentication.
> >
> > If you are logged in as someone in the dba group you can run sqlplus and
> > connect as SYSDBA. You can give a name and password and it will work so
> > long as you are logged in as a dba group member at OS level.
> >
> > So when you do CONNECT mike/mike AS SYSDBA it is SYS who connects not mike..
> >
> > hth
> > Lawrence
> >
> > "Yang Hou" <yanghou_at_lucent.com> wrote in message
> > news:9p1dgh$fjh_at_nntpa.cb.lucent.com...
> > > Hi,
> > >
> > > I installed Oracle8i database on an HP 9000 server, then I created a general
> > > user named "mike" (Oracle account) with password "mike". I only granted the
> > > "create session" privilege to this user, but when I log in using this account,
> > > I find I can run "CONNECT mike/mike AS SYSDBA". This makes me feel strange,
> > > because I haven't granted any role or SYSDBA administrator privilege to
> > > "Mike". "Mike" is only an Oracle account and doesn't belong to the default
> > > user group "dba".
> > >
> > > In the Oracle 9i Administrator Guide (PDF from the Oracle official site), there
> > > is one sentence, "Control of these privileges is totally outside of the
> > > database itself." (chapter 1, page 1-13). I don't know what it means and cannot
> > > find a clearer description of this.
> > >
> > > Any assistance is appreciated!
> > >
> > >
> >
> >
>
>

-- 
                                Rick Wessman
                                Security Assurance Group
                                Oracle Corporation
                                Rick.Wessman_at_oracle.com

     The opinions expressed above are mine and do not necessarily reflect
                         those of Oracle Corporation.
Received on Tue Oct 02 2001 - 12:46:15 CDT
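
An added illustration, not part of the original thread and not Oracle's code: because SYSDBA through OS authentication follows membership of the dba OS group, this sketch lists every OS account in that group, including accounts that have it only as their primary group and so do not appear in the group file's member list. The function names and sample accounts are constructed, and it reads local group/passwd-format files only (no NIS or LDAP).

```shell
#!/bin/sh
# osdba_members GROUP GROUP_FILE PASSWD_FILE
# Prints, one per line and sorted, every account that belongs to GROUP:
# supplementary members from the group file plus accounts whose primary
# gid in the passwd file equals the group's gid.
osdba_members() {
    awk -F: -v grp="$1" '
        # group format: name:passwd:gid:member,member,...
        kind == "group" && $1 == grp {
            gid = $3
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") seen[m[i]] = 1
        }
        # passwd format: name:passwd:uid:gid:gecos:home:shell
        kind == "passwd" && gid != "" && $4 == gid { seen[$1] = 1 }
        END { for (u in seen) print u }
    ' kind=group "$2" kind=passwd "$3" | sort
}

# can_os_sysdba USER GROUP GROUP_FILE PASSWD_FILE
# Succeeds (exit 0) when USER is in GROUP, i.e. when that OS login could
# CONNECT ... AS SYSDBA whatever Oracle user name and password are given.
can_os_sysdba() {
    osdba_members "$2" "$3" "$4" | grep -qxF -- "$1"
}

# make_sample DIR: writes constructed group and passwd files into DIR.
make_sample() {
    cat > "$1/group" <<'EOF'
users:x:100:bob
dba:x:501:alice
EOF
    cat > "$1/passwd" <<'EOF'
oracle:x:500:501:constructed owner:/home/oracle:/bin/sh
alice:x:1001:100::/home/alice:/bin/sh
bob:x:1002:100::/home/bob:/bin/sh
EOF
}

# Demo on the constructed data; on a real host pass /etc/group /etc/passwd.
tmp=$(mktemp -d) && make_sample "$tmp"
osdba_members dba "$tmp/group" "$tmp/passwd"
rm -rf "$tmp"
```

In the sample, oracle is found only through its primary gid, which a check of the group file's member list alone would miss.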
