Security of SYS account

Thread: Security of SYS account

  1. #1
    Join Date
    Sep 2005
    Posts
    5

    Security of SYS account

    I'm using Oracle 9i and I am facing one problem about logging on to the database using sysdba.

    I have learnt about OS Authentication and about Password file Authentication for restricting database users from entering into the database using Connect <>/<>@db as SYSDBA.

    Let's say I opt for password file authentication and set a password for sys, but this password can be altered by anyone who knows that by executing ORAPWD the password for sys can be altered.

    Now how can I protect my sys account's password?

    Thanks

  2. #2
    Join Date
    Sep 2002
    Location
    England
    Posts
    7,333
    you lock down the os account so no-one can run orapwd apart from the oracle account

  3. #3
    Join Date
    Dec 2001
    Location
    UK
    Posts
    1,684
    Hi.

    There are some things in life you have to deal with, one of which is that your sysadmins that have root access are database Gods if they choose to be. If they figure out how to do "su - oracle" they've got it made.

    Your options are to live with it or deny them root access. I do the latter. I realize most DBAs are at the mercy of their sysadmins, but I'm a bit more annoying than your average DBA

    Cheers

    Tim...
    OCP DBA 7.3, 8, 8i, 9i, 10g, 11g
    OCA PL/SQL Developer
    Oracle ACE Director
    My website: www.oracle-base.com
    My blog: www.oracle-base.com/blog

  4. #4
    Join Date
    Jan 2000
    Location
    Chester, England.
    Posts
    818
    That's one of the posts I'd be tempted to delete, just in case any wandering SysAdmins or Developers come across this forum.

    The situation in our place is so bad that Developers were given SysAdmin privs on Oracle Production servers, by SysAdmins (actually, they just GAVE them the same God-like userids and passwords!) and now they can't change them because so much network stuff and so many utilities will go belly up if the passwords change.

    At times, I cringe.

  5. #5
    Join Date
    Nov 2000
    Location
    greenwich.ct.us
    Posts
    9,092
    Quote Originally Posted by TimHall
    I realize most DBAs are at the mercy of their sysadmins, but I'm a bit more annoying than your average DBA
    Let's just leave that alone...
    Jeff Hunter
    marist89@yahoo.com
    http://marist89.blogspot.com/
    "I pledge to stop eating sharks fin soup and will not do so under any circumstances."

  6. #6
    Join Date
    Nov 2000
    Location
    greenwich.ct.us
    Posts
    9,092
    Quote Originally Posted by JMac
    The situation in our place is so bad that Developers were given SysAdmin privs on Oracle Production servers, by SysAdmins (actually, they just GAVE them the same God-like userids and passwords!) and now they can't change them because so much network stuff and so many utilities will go belly up if the passwords change.
    Well, you need management to come down with an edict saying the DBAs administer the database, sysadmins administer the system. Get to know your sysadmins really well and let them do their thing and they'll get out of your business.
    Jeff Hunter
    marist89@yahoo.com
    http://marist89.blogspot.com/
    "I pledge to stop eating sharks fin soup and will not do so under any circumstances."

  7. #7
    Join Date
    Aug 2005
    Location
    Nigeria
    Posts
    14
    Most sysadmins tend to look at themselves as small gods over the DBAs, which is very annoying, but the best is for everybody to know their job functions, according to Marist.

    The question is, is there nothing the DBAs can do to prove them wrong?

    thanks
    The purpose of life is a life of purpose.

  8. #8
    Join Date
    Nov 2002
    Location
    New Delhi, INDIA
    Posts
    1,796
    Quote Originally Posted by davey23uk
    you lock down the os account so no-one can run orapwd apart from the oracle account
    Or simply rename/hide the file and make sure you remember what you renamed it to or where you hide it
    Amar
    "There is a difference between knowing the path and walking the path."

    Amar's Blog
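
Added example, not part of any post in this thread: a small audit for the lock-down suggested in post #2, checking that `orapwd` and the password file are owned by the Oracle software owner and closed to group and other. It assumes GNU `stat`, the usual Unix paths `$ORACLE_HOME/bin/orapwd` and `$ORACLE_HOME/dbs/orapw$ORACLE_SID`, and a hypothetical `ORACLE_OWNER` variable; the check on the `dbs` directory goes beyond what the posts mention.

```shell
#!/bin/sh
# Added example. Assumes GNU stat and the usual Unix layout:
#   $ORACLE_HOME/bin/orapwd and $ORACLE_HOME/dbs/orapw$ORACLE_SID
# ORACLE_OWNER is a hypothetical variable naming the software owner account.

# check_path PATH OWNER [MASK]
# Succeeds only if PATH is owned by OWNER and none of the permission bits
# in MASK (octal, default 077 = every bit for group and other) are set.
# Returns 0 = ok, 1 = wrong owner or too open, 2 = path missing.
check_path() {
    path=$1
    want_owner=$2
    mask=${3:-077}
    if [ ! -e "$path" ]; then
        echo "MISSING $path"
        return 2
    fi
    # %U = owner name, %a = octal mode (for example 750)
    set -- $(stat -c '%U %a' "$path")
    have_owner=$1
    mode=$2
    rc=0
    if [ "$have_owner" != "$want_owner" ]; then
        echo "FAIL $path: owner is $have_owner, expected $want_owner"
        rc=1
    fi
    if [ $(( 0$mode & 0$mask )) -ne 0 ]; then
        echo "FAIL $path: mode $mode grants bits in mask $mask"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK   $path ($have_owner, $mode)"
    return "$rc"
}

# Run the audit only when an Oracle environment is set.
if [ -n "${ORACLE_HOME:-}" ]; then
    acct=${ORACLE_OWNER:-oracle}
    # Only the owner may run orapwd or touch the password file.
    check_path "$ORACLE_HOME/bin/orapwd" "$acct" 077
    check_path "$ORACLE_HOME/dbs/orapw${ORACLE_SID:-}" "$acct" 077
    # Addition beyond the thread: nobody else may replace files in dbs/.
    check_path "$ORACLE_HOME/dbs" "$acct" 022
fi
```

Pass a looser mask such as `027` as the third argument if your site allows a DBA group to read or execute these files.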
