I create a user with resource, connect and the user cannot connect as sysdba;
I create a user with resource, connect and the user is able to connect as sysdba!!! He can do anything, what the hell?
Well, that's the objective of 9i. Open for all, so everyone can play DBA.
Try some superuser privs as this user, like shutdown abort, and then see.
I'm a JOLE(JavaOracleLinuxEnthusiast)
--- Everything was meant to be
In 9i there is an init.ora parameter which needs to be changed.
I forget which one it is; it's been mentioned a couple of times in this forum.
It's actually this:
Remove or comment out the SQLNET.AUTHENTICATION_SERVICES = (NTS) in your sqlnet.ora and that behavior will be gone.
for further details.
Things have changed since last version of 8i. That's why.
Oracle trusts the users already authenticated by the OS - "The friend of the OS is a friend of mine too". Remove the AUTHENTICATION_SERVICES = (NTS) as suggested.
Hope that helps,
OCP 8/8i/9i DBA
So a hacker connects to my server, adds the following line in my sqlnet
SQLNET.AUTHENTICATION_SERVICES = (NTS)
And connects scott/tiger as sysdba
THIS IS THE EASIEST WAY TO HACK A DATABASE!!!!
THEN WHY USE PASSWORD TO PROTECT A DATABASE!!!!!
Well, you can disable it, huh; just get rid of the ORADBA group.
Plus, isn't your server supposed to be better protected against hackers than your database? (At least that's how I understand IT these days, huh.)
Well, I personally know hackers, and they connect to many servers with firewalls.
So far, I was feeling secure because I thought you needed the password of a user that has sysdba to do serious damage to a database. But no.
Hello? That's up to you to set how users can connect with or without sysdba privileges. That is not an Oracle problem; it is an Oracle user problem.
I'm trying to find a way to let sysdba and sysoper to sys, and not let anyone else trying to connect do serious damage; I'm not saying that Oracle has errors.
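A way to check a server for the setting discussed in this thread, as an added example that is not part of any post: a small Python audit that parses the text of a sqlnet.ora file and reports whether an active SQLNET.AUTHENTICATION_SERVICES entry lists NTS. The function names and the sample file contents are constructed for illustration.

```python
import re

# Constructed sample sqlnet.ora contents (not taken from the thread).
SAMPLE_ENABLED = """\
# sqlnet.ora Network Configuration File
NAMES.DIRECTORY_PATH = (TNSNAMES, ONAMES)
SQLNET.AUTHENTICATION_SERVICES = (NTS)
"""
SAMPLE_COMMENTED = """\
NAMES.DIRECTORY_PATH = (TNSNAMES)
# SQLNET.AUTHENTICATION_SERVICES = (NTS)
"""
SAMPLE_MULTILINE = """\
sqlnet.authentication_services =
    (none)
"""

_PARAM = re.compile(r"^SQLNET\.AUTHENTICATION_SERVICES\s*=\s*(.*)$", re.I)

def logical_entries(text):
    """Yield parameter entries: drop '#' comments, join indented continuation lines."""
    entry = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue                      # blank line or comment-only line
        if line[0].isspace() and entry:   # indented line continues the previous parameter
            entry += " " + line.strip()
            continue
        if entry:
            yield entry
        entry = line.strip()
    if entry:
        yield entry

def authentication_services(text):
    """Return every service named by an active (uncommented) entry, upper-cased."""
    found = []
    for entry in logical_entries(text):
        m = _PARAM.match(entry)
        if m:
            found += [s.upper() for s in re.findall(r"\w+", m.group(1))]
    return found

def nts_enabled(text):
    """True when any active entry lists NTS, the setting the thread says to remove."""
    return "NTS" in authentication_services(text)
```

Running the check on a schedule and alerting when the result changes from False to True covers the case raised above where someone with access to the server edits the file.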