
	Home > Ask the Oracle Experts > Questions & Answers > Security holes opened by logging on with 'as sysdba'

Ask The Oracle Expert: Questions & Answers

EMAIL THIS

Security holes opened by logging on with 'as sysdba'

EXPERT RESPONSE FROM: Brian Peasland

		Pose a Question

		Other Oracle Categories

		Meet all Oracle Experts
		Become an Expert for this site

QUESTION POSED ON: 17 June 2003
Why is it that in SQL*Plus, whenever you login as any user with "as sysdba" on it, it allows you to login on the Oracle database? How can I secure my Oracle server? Can you please help me on this?

EXPERT RESPONSE

To verify this, I performed the following:

SQL> connect peasland as sysdba
Enter password: 
Connected.

The PEASLAND user has never been granted SYSDBA privileges, so on the surface, this never should have happened. But I launched SQL*Plus as a "privileged" user in the first place. My database is running on a Unix server. I signed on to the Unix server as a member of the 'dba' group. If I was on a Windows server, I would need to sign on as a member of the 'ora_dba' group. Anyone who is signed on to the database server and is a member of this group can connect to the database as SYSDBA using any userid. This only becomes a security hole if you place users who should not have this privilege in that specific group. Only Database Administrator OS accounts should be part of these groups. Regular users should not be granted permissions for this group. If a regular user attempts the same commands above, they would be given an error message indicating that they do not have sufficient permissions. Also note that this only pertains to those accounts that log in directly to the database server. If someone is connecting to the database from a remote workstation, this operation will not work.

For More Information

Dozens more answers to tough Oracle questions from Brian Peasland are available.
The Best Oracle Web Links: tips, tutorials, scripts, and more.
Have an Oracle or SQL tip to offer your fellow DBAs and developers? The best tips submitted will receive a cool prize. Submit your tip today!
Ask your technical Oracle and SQL questions -- or help out your peers by answering them -- in our live discussion forums.
Ask the Experts yourself: Our SQL, database design, Oracle, SQL Server, DB2, metadata, object-oriented and data warehousing gurus are waiting to answer your toughest questions.

Digg This!

StumbleUpon

Del.icio.us

RELATED RESOURCES

	2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
	Search Bitpipe.com for the latest white papers and business webcasts
	Whatis.com, the online computer dictionary

Search and Browse the Expert Answer Center
Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.

Browse our Expert Advice
Operating Systems IT Management Networking Database	Security Servers and Storage Applications and Development Career Center

SEARCH

TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific Web sites, events and magazines.


TechTarget Corporate Web Site \| Media Kits \| Reprints \| Site Map All Rights Reserved, Copyright 2003 - 2008, TechTarget \| Read our Privacy Policy