How to restrict 'Connect as sysdba' to anyone other than sysdba?

Posted on 2003-03-04
Last Modified: 2008-03-17
Ora9iR2 for Win2k is installed. I found that I can use any username/password (the user is not a member of the ORA_DBA group, or there is no such user) to run sqlplus with "sqlplus /nolog" and "connect as sysdba", as below:
---------------------------------
C:\Documents and Settings\user>sqlplus /nolog
SQL*Plus: Release 9.2.0.1.0 - Production on Tue Mar 4 11:21:45 2003
Copyright (c) 1982, 2002, Oracle Corporation.  All rights reserved.
SQL> connect as sysdba
Enter user-name: 123
Enter password:
Connected.
SQL>
----------------------------------

Some questions:
1. How to restrict the unknown user from running "sqlplus /nolog" and "connect as sysdba"?

2. What database/tablespace does the user (sysdba) access after "connect as sysdba" completes?

Thanks,
Question by:joehuang
5 Comments
 
LVL 2

Expert Comment

by:Datamonkey
ID: 8065485
It's not the database user that you restrict, it's the OS user.
If your OS user is part of the ORA_DBA group you can log on 'as sysdba', otherwise you can't.
If you connect as sysdba you basically use the SYS schema.
0
 

Author Comment

by:joehuang
ID: 8065887
As you see from the output below, there are no such users 123 and 456 as OS users or members of ORA_DBA, and they can log on:
-----------------------------------
C:\Documents and Settings\user>sqlplus /nolog
SQL*Plus: Release 9.2.0.1.0 - Production on Tue Mar 4 12:19:14 2003
Copyright (c) 1982, 2002, Oracle Corporation.  All rights reserved.
SQL> connect 123/456 as sysdba
Connected.
SQL> connect 456/789 as sysdba
Connected.
SQL>
------------------------------

Any thoughts?

Thanks,





0
 
LVL 2

Expert Comment

by:Datamonkey
ID: 8066172
But the user you're logged on to the OS with is part of the ORA_DBA group, that's what is important.
So if you start Windows and log on as 'joehuang' (or whatever), it's that user that is part of the ORA_DBA group. As long as that is the case you can log on 'as sysdba' to Oracle; the username you give Oracle is not important because the 'as sysdba' gives you the SYS schema anyway.
0
 

Author Comment

by:joehuang
ID: 8066265
Well, it makes sense with the local logon users. In other words, the non-ORA_DBA user won't gain access from a remote PC by connect string. Please advise if I am wrong.
0
 
LVL 2

Accepted Solution

by:
Datamonkey earned 120 total points
ID: 8066376
Indeed, the only users that can use this are the ones that are part of the ORA_DBA group with their Windows account on the server.
0
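
Per the accepted answer, SYSDBA access on the server is decided by membership of the local ORA_DBA Windows group, not by the username typed at the prompt. The following PowerShell audit of that membership is an added example, not part of the original thread; the allow-list entry, the use of `ORACLE_HOME`, and the `sqlnet.ora` location and `SQLNET.AUTHENTICATION_SERVICES` check are assumptions that go beyond what the thread states.

```powershell
# Added example: audit who can use OS-authenticated "connect ... as sysdba" on this server.
# Run locally on the database server in Windows PowerShell 5.1 or later.
param(
    # Constructed allow-list (assumption): replace with the accounts you expect in ORA_DBA.
    [string[]]$ApprovedMembers = @("$env:COMPUTERNAME\Administrator"),
    # Assumption: ORACLE_HOME is set; sqlnet.ora may live elsewhere if TNS_ADMIN is used.
    [string]$OracleHome = $env:ORACLE_HOME
)

# 1. Any Windows account in the local ORA_DBA group gets SYSDBA regardless of the
#    database username/password supplied, as the thread demonstrates.
$members = Get-LocalGroupMember -Group 'ORA_DBA' -ErrorAction Stop

$report = foreach ($m in $members) {
    [pscustomobject]@{
        Name        = $m.Name
        ObjectClass = $m.ObjectClass       # User or Group; a nested group widens access
        Source      = $m.PrincipalSource   # Local or ActiveDirectory
        Approved    = $ApprovedMembers -contains $m.Name   # case-insensitive match
    }
}
$report | Format-Table -AutoSize

# 2. Report the authentication service configured for Oracle Net, if the file is found.
if ($OracleHome) {
    $sqlnet = Join-Path $OracleHome 'network\admin\sqlnet.ora'
    if (Test-Path $sqlnet) {
        $hit = Select-String -Path $sqlnet `
            -Pattern '^\s*SQLNET\.AUTHENTICATION_SERVICES\s*=\s*\((.*?)\)' |
            Select-Object -First 1
        if ($hit) {
            "sqlnet.ora: SQLNET.AUTHENTICATION_SERVICES = ({0})" -f $hit.Matches[0].Groups[1].Value
        } else {
            "sqlnet.ora: SQLNET.AUTHENTICATION_SERVICES is not set explicitly"
        }
    }
}

# 3. Fail the audit if anyone outside the allow-list holds the privilege.
$unexpected = @($report | Where-Object { -not $_.Approved })
if ($unexpected.Count -gt 0) {
    Write-Warning ("{0} ORA_DBA member(s) not on the allow-list: {1}" -f `
        $unexpected.Count, ($unexpected.Name -join ', '))
    exit 1
}
```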
