
forgot password on sql anywhere 8.0.2


Marten Lehmann

Jan 8, 2004, 12:09:38 PM
Hello,

how can I get back the password of a database that I forgot? It would
also be fine to reset it to DBA/SQL, anyway: I need to get back
connected to this database very soon. I couldn't find anything about
this in the reference guide or users guide.

Regards
Marten

Chris Keating (iAnywhere Solutions)

Jan 8, 2004, 1:27:08 PM
You may need to contact Support. They may be able to help provided you show
evidence of ownership of the database. If you have encrypted the database,
you may not be able to reset the password.

--

Chris Keating
Sybase Adaptive Server Anywhere Professional Version 8

iAnywhere Solutions http://www.iAnywhere.com

** Please only post to the newsgroup

** Whitepapers can be found at http://www.iAnywhere.com/developer
** EBFs can be found at http://downloads.sybase.com/swx/sdmain.stm
** Use CaseXpress to report bugs http://casexpress.sybase.com

"Marten Lehmann" <use...@variomedia.de> wrote in message
news:btk2sg$853qo$1...@ID-13266.news.uni-berlin.de...

Marten Lehmann

Jan 8, 2004, 1:34:15 PM
Hello,

> You may need to contact Support. They may be able to help provided you show
> evidence of ownership of the database. If you have encrypted the database,
> you may not be able to reset the password.

my database is not encrypted, but in the meantime I was able to restore
files that contain the login information to the database. However, it
doesn't seem very professional if an administrator doesn't have full
control over the database. It's possible for nearly all RDBMS's to reset
the DBA-password. It seems Sybase wants to enforce creating support
cases and earn money while others just forget the password.

Regards
Marten

Erik Anderson

Jan 8, 2004, 2:15:37 PM
The important phrase in the email here is "evidence of ownership".
Resetting the DBA password has a very high security risk, one that cannot be
mitigated by physical access to the database. For instance, someone could
get their hands on a backup copy of a database, reset the password, and then
have full access to everything in the database. The DBA password is one
that should be known by the administrator, used very little, and written in
a secure place.

"Marten Lehmann" <use...@variomedia.de> wrote in message

news:btk7r8$8c9su$1...@ID-13266.news.uni-berlin.de...

Breck Carter [TeamSybase]

Jan 8, 2004, 2:37:02 PM
Name one RDBMS that allows administrator access without a password...
I'm curious.

Breck

On 8 Jan 2004 10:56:19 -0800, Marten Lehmann <use...@variomedia.de>
wrote:

--
bca...@risingroad.com
Mobile and Distributed Enterprise Database Applications
www.risingroad.com

Reg Domaratzki

Jan 8, 2004, 3:04:59 PM
Also please let me know of any banks that may be using that RDBMS while
you're at it please. :)

--
Reg Domaratzki, Sybase iAnywhere Solutions
Sybase Certified Professional - Sybase ASA Developer Version 8
Please reply only to the newsgroup

iAnywhere Developer Community : http://www.ianywhere.com/developer
ASA Patches and EBFs : http://downloads.sybase.com/swx/sdmain.stm
-> Choose SQL Anywhere Studio
-> Set "Platform Preview" and "Time Frame" to ALL

"Breck Carter [TeamSybase]" <NOSPAM_...@risingroad.com> wrote in
message news:89brvvctk5kn1dugk...@4ax.com...

Greg Fenton

Jan 8, 2004, 3:15:57 PM
Along with what Erik says, realize that unlike other RDBMS vendors, our
databases run on laptops as well as high end servers. If someone loses
a laptop and changing the admin password is simply a matter of running
some GUI admin tool, then there is a high potential for compromised
customer data.

greg.fenton
--
Greg Fenton
Consultant, Solution Services, iAnywhere Solutions
--------
Visit the iAnywhere Solutions Developer Community
Whitepapers, TechDocs, Downloads
http://www.ianywhere.com/developer/

Dmitri

Jan 9, 2004, 3:21:18 AM
"Marten Lehmann" <use...@variomedia.de> wrote in message
news:btk7r8$8c9su$1...@ID-13266.news.uni-berlin.de...

> files that contain the login information to the database. However, it
> doesn't seem very professional if an administrator doesn't have full
> control over the database. It's possible for nearly all RDBMS's to reset
> the DBA-password. It seems Sybase wants to enforce creating support
> cases and earn money while others just forget the password.

Sybase just doesn't want to create a blatant security hole in its
product.

Dmitri.


Marten Lehmann

Jan 13, 2004, 2:57:13 PM
> Name one RDBMS that allows administrator access without a password...
> I'm curious.

There's of course no database, that allows access in general without
password, but there are very popular databases, that allow the
administrator to reset the dba-password, like MySQL, PostgreSQL...

Marten Lehmann

Jan 13, 2004, 3:03:16 PM
> Sybase just doesn't want to create a blatant security hole in its
> product.


I guess everyone is very badly off, if you're losing the password in
the evening and the answer-phone of sybase just tells you, that the
opening times are from 9am to 6pm. Imagine this happens on a weekend.
Could you imagine a bank that can't offer online-banking for some days,
because during a maintenance a password got lost and sybase needs
several days to make sure you're the right one owning that database? In
Oracle you can create more than one user with DBA privileges, in mysql
you can reset the password. Now tell me how sybase does help me with
this issue?

Regards
Marten

Marten Lehmann

Jan 13, 2004, 3:05:20 PM
> Along with what Erik says, realize that unlike other RDBMS vendors, our
> databases run on laptops as well as high end servers. If someone loses
> a laptop and changing the admin password is simply a matter of running
> some GUI admin tool, then there is a high potential for compromised
> customer data.

That's right, but then sybase should offer a way to get back the access
using a private key, that can be saved somewhere else than on the same
server or notebook. Or an additional passphrase, or whatever.

Breck Carter [TeamSybase]

Jan 13, 2004, 4:07:53 PM
ASA allows you to create an unlimited number of such private keys, and
you can store them anywhere you want. You simply create more user ids
with DBA privileges, and save their passwords wherever you want to.

On 13 Jan 2004 12:26:27 -0800, Marten Lehmann <use...@variomedia.de>
wrote:

>> Along with what Erik says, realize that unlike other RDBMS vendors, our

--

Breck Carter [TeamSybase]

Jan 13, 2004, 4:05:20 PM
How is the administrator identified? Or can anyone pretend to be an
"administrator"?

Breck

On 13 Jan 2004 12:26:25 -0800, Marten Lehmann <use...@variomedia.de>
wrote:

>> Name one RDBMS that allows administrator access without a password...

--

Breck Carter [TeamSybase]

Jan 13, 2004, 4:14:41 PM
In ASA you can create an unlimited number of user ids, and give them
all DBA privileges.

Breck

On 13 Jan 2004 12:26:26 -0800, Marten Lehmann <use...@variomedia.de>
wrote:

>> Sybase just doesn't want to create a blatant security hole in its

--

Greg Fenton

Jan 13, 2004, 5:27:59 PM
Marten Lehmann wrote:
> I guess everyone is very badly off, if you're losing the password in
> the evening and the answer-phone of sybase just tells you, that the
> opening times are from 9am to 6pm.

I would hope that anyone with that important an application (e.g. a
bank) that does not have decent recovery strategy at the very least has
a 24x7 support contract with iAnywhere/Sybase.

If we gave just anyone the ability to reset the password, then getting
access to the machine is all one needs to get complete access to the data.

Dmitri

Jan 14, 2004, 3:29:03 AM
"Marten Lehmann" <use...@variomedia.de> wrote in message
news:bu1iu0$cjqbt$1...@ID-13266.news.uni-berlin.de...

> In Oracle you can create more than one user with DBA privileges

Ditto for ASA.

Dmitri.


Breck Carter [TeamSybase]

Jan 14, 2004, 7:51:15 AM
On 13 Jan 2004 14:27:59 -0800, Greg Fenton
<greg.fent...@ianywhere.com> wrote:

>If we gave just anyone the ability to reset the password, then getting
>access to the machine is all one needs to get complete access to the data.

Apparently, that *is* the case with MySQL according to "A.4.2 How to
Reset a Forgotten Root Password" at
http://www.mysql.com/doc/en/Resetting_permissions.html

...I know, it's hard to believe that anyone would implement such a
facility... maybe it's an interpretation of "open source" that I am
not familiar with.

Breck

Marten Lehmann

Jan 14, 2004, 1:50:22 PM
> How is the administrator identified? Or can anyone pretend to be an
> "administrator"?

The user who owns the raw data file. If he can damage the database and
can access everything in raw, why should he get the chance to get back
to his data? And after I have given evidence of my ownership of the database
file: Do I have to allow sybase to login to my server for changing some
things with a hex-editor? Or do I have to send sybase my maybe several
gigabytes large database file?

Erik Anderson

Jan 14, 2004, 4:19:44 PM
Here are a few examples of users who would have access to the raw database
but should not have access to its contents:

(1) Backup administrators. In a good setup, there may be a number of backup
copies of the database lying around which are not in active use. These
files may be more easily accessible than the main database. Damage to these
files does not damage the main database (except in recovery situations), but
it may contain sensitive data.

(2) Mobile users. ASA has the ability for people to run a database on their
laptop. They may not be the owner of the database, though, especially if it
is a corporate database. Damage to the file on their laptop *may* damage
the main database (if replication is in use), examining the contents of the
data may or may not be useful to the owner of the laptop. This situation
gets worse if the laptop is stolen or "found" by an unauthorized person.

In the end, it is the database owner's responsibility to ensure that they
have and maintain administrative access to the databases. If they must call
ASA customer service to "unlock" a database, then that is a fairly
significant failure of their maintenance strategy (whatever it is). Having
a database unlocked should only be needed if the person currently owning the
database has just now received it from a previous owner that did not
properly document their access points.


"Marten Lehmann" <use...@variomedia.de> wrote in message

news:bu430d$d7qll$1...@ID-13266.news.uni-berlin.de...

Silas Denyer

Jan 21, 2004, 2:02:17 PM
"Dmitri" <NOdi...@mail15.com> wrote in message news:<4004fdcf@forums-1-dub>...

Can I introduce a new twist on this issue, describing my own current
situation (and hence why I found this thread whilst searching)?

We run a commercial product for collating and processing data related
to our business. We have no choice of product - we have a services
relationship with another company, and use of this product is a
prerequisite for using the service. The service is a critical part of
our overall business process - changing service providers would be an
entirely strategic and utterly non-trivial, rather than tactical,
move. In order to use the service we had to transition data collation
/ processing from our own in-house system to this third party
solution. The data is ours: we own it, we keyed it in. There is no
"generated" or inferred data in the database (as far as I am aware),
and no specific IP inherent in it. The product is merely a front-end
tool for collation.

The commercial product uses Adaptive Server Anywhere 7.0 to store
data. The database is obviously password-protected. That password is
not known to us - it seems that it is the same password for all
instances of the software on all of their client sites. They implement
their own user-level security for the software which is not related to
user-level security of the database server. They will not provide us
with the password. Unfortunately their software is very badly written
indeed, such that reporting and data-extraction are almost impossible
to achieve using the tools provided.

So, what I would like to do is to gain access to the database in order
to recover my own data. The service provider will not help us - they
will, for a price, provide paper copies of the data, but that is about
all. We have now discovered (yes, I know, no comments please, before
my time...) that, even if we stop using the service & product, they
will do no more than that.

Reminder: this is our data. We own the data. The software developers
have, however, rather screwed us over with this product. Short of
going to court (which I don't really want to do, for obvious cost and
complication reasons) to force them to remedy the situation, the only
other option I have is to find some other way of gaining access to the
data.

So, although I understand all of the reasons for _not_ providing a way
of achieving the requested access, there is also at least one (this)
legitimate reason why it should be provided.

Incidentally, Adaptive Server came bundled with the software product.
We do not therefore, as far as I can see, have a customer relationship
with Sybase, only with the service provider / software vendor, so I'm
unsure that we could lodge a support call to resolve this situation.

So, has anyone any further suggestions that might help?!

Thanks!

Silas Denyer
