privilege sysdba

**steeve123** · 11-01-2002, 09:58 AM

In 8.1.7:
i create a user with resource, connect and the user cannot connect as sysdba;

In 9i:
i create a user with resource, connect and the user is able to connect as sysdba!!! He can do anything, what the hell?

**Tarry** · 11-01-2002, 10:01 AM

Well that's the objective of 9i. Open for all, so everyone can play dba..
Naah kidding,
Try some super user priv's as this user like shutdown abort and then see.

**davey23uk** · 11-01-2002, 10:18 AM

in 9i there is a init.ora parameter which needs to be changed

forget which one is it, been mentioned a couple of times in this forum

**davey23uk** · 11-01-2002, 10:20 AM

its actually this

Remove or comment out the SQLNET.AUTHENTICATION_SERVICES = (NTS) in your sqlnet.ora and that behavior will be gone.

for further details.

www.dbasupport.com/forums/sh...?threadid=29910

**clio_usa** · 11-02-2002, 04:01 AM

Things have changed since last version of 8i. That's why.

Oracle trust the users already authenticated by the OS - "The friend of the OS is friend of mine too". Remove the AUTHENTICATION_SERVICES = (NTS) as suggested.

Hope that helps,

clio_usa
OCP 8/8i/9i DBA

Visit our Oracle DBA site

**steeve123** · 11-05-2002, 04:18 PM

So a hacker connect to my server, add the following line in my sqlnet
SQLNET.AUTHENTICATION_SERVICES = (NTS)

And connect scott/tiger as sysdba

THIS IS THE EASIEST WAY TO HACK A DATABASE!!!!

THEN WHY USE PASSWORD TO PROTECT A DATABASE!!!!!

**pando** · 11-05-2002, 04:21 PM

well you can disable it huh, just get rid of ORADBA group

plus isnt your server suppose to be better protected against hackers than your database? (at least that's how I understand IT these days huh)

**steeve123** · 11-05-2002, 04:29 PM

Well, i personaly know hackers, and they connect on many servers with firewalls.

So far, i was felling secure cuse i tought you needed the password of a user that have sysdba to do serious damage to a dabatase. But no.

**stecal** · 11-05-2002, 04:36 PM

Hello? That's up to you to set how users can connect with or without sysdba privileges. That is not an Oracle problem; it is an Oracle user problem.

**steeve123** · 11-05-2002, 04:40 PM

Im tring to find a way to let sysdba and sysoper to sys, and dont let anyone else trying to connect and do serious damage, im not telling that Oracle has errors.

Thread: privilege sysdba

Thread Tools

Display

privilege sysdba

Posting Permissions