Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Restricting internal access to users.

5 views
Skip to first unread message

jiju

unread,
Aug 11, 2003, 12:15:07 PM8/11/03
to
hello,

How do I restrict internal account access to database users? I created
a user called user1 and granted him connect and resource privileges.
Now after I connect as user1, I tried 'connect internal' and I get
connected to the database as 'SYS' which is dangerous. How can I
restrict this such that when user1 tries to 'connect internal' it will
prompt for the password. Please help.

Thanks in advance.

jiju

Chuck

unread,
Aug 11, 2003, 12:39:45 PM8/11/03
to
jmkur...@yahoo.com (jiju) wrote in
news:c396a971.0308...@posting.google.com:

The only people who can connect internal (or "as sysdba") without a
password are those in the operating system's DBA group. Remove non-dba
users from the DBA group.

Tanel Poder

unread,
Aug 11, 2003, 1:26:48 PM8/11/03
to
Hi!

The OS user should not be in an operating system group which was set as
SYSDBA or SYSOPER group duing Oracle software installation/linking time.
Usually that means that, remove your non-privileged user from dba group.

Hm, I noticed you didn't specify on which platform you're running. The above
was for Unix, if on windows, then remove the user from ORA_DBA or
ORA_<SID>_DBA group.

Tanel.


"jiju" <jmkur...@yahoo.com> wrote in message
news:c396a971.0308...@posting.google.com...

quarkman

unread,
Aug 11, 2003, 6:02:56 PM8/11/03
to

You've got good replies from others: you've inadvertently set up operating
system authentication for privileged users, and that's how come your
"ordinary" user is connecting internal. Remove the user from the relavant
O/S group, and he won't be able to do that. If you want to abandon
operating system authentication altogether, then you'll need to use the
orapwd utility to create a new password file, and edit the init.ora so that
REMOTE_LOGIN_PASSWORDFILE=EXCLUSIVE.

But a couple of other points: you should never grant connect and resource
to a user. Those are not "privileges", they are *roles*. And the key
feature of a role is that it is a *collection* of privileges, and that
means you've granted an awful lot more to that user than you might expect.
For new users, just grant 'create session', and then specific privileges as
required ('select any table', for example. Or specific objecty privileges
such as 'select on emp').

Lastly, you don't mention an operating system or a version (two essential
nuggets of information). But if this is any Oracle version higher than or
equal to 8.0, then you shouldn't be connecting as internal anyway. Internal
is dead as of 9i, and so you'd want to not get into bad habits. Connect
"sys/something AS SYSDBA" is the new, approved way of doing the same thing,
and it has a future.

~QM

Daniel Morgan

unread,
Aug 11, 2003, 8:18:24 PM8/11/03
to
jiju wrote:

Log on as SYS and perform the following:

DROP ROLE connect;
DROP ROLE resource;
DROP ROLE dba;

That is what Oracle recommends.

Now create specific roles that relate to what people actually do and
assign those to your users.

--
Daniel Morgan
http://www.outreach.washington.edu/extinfo/certprog/oad/oad_crs.asp
damo...@x.washington.edu
(replace 'x' with a 'u' to reply)


jiju

unread,
Aug 13, 2003, 11:53:21 AM8/13/03
to
I am using Oracle 8.1.7 on Windows 2000 server. Also, I am not using
OS authentication. But I guess like Quarkman said, I shouldn't grant
connect and resource roles to a user. May be I should create another
role with specific privileges and grant that role??

thanks all of you guys for responding.

Daniel Morgan <damo...@exxesolutions.com> wrote in message news:<3F383250...@exxesolutions.com>...

Daniel Morgan

unread,
Aug 13, 2003, 1:41:13 PM8/13/03
to
jiju wrote:

Exactly!

0 new messages