78 Replies Latest reply: Jan 6, 2013 6:34 AM by 955912
  • 60. Re: sqlnet.ora Network Configuration File " parameters  missing"
    955912 Explorer
    Hi Edstevens ;

    Thanks for reply. Sorry for making trouble continuously.
    I want to continue few things to rectify security holes .. Please support me !!
    Hope , Very soon it comes to end !!

    tried to create new user as ops$rose
    getting error : useradd: user ops exists
    # useradd ops$rose
    useradd: user ops exists

    Note: but existing ops$user name is ops$sam only.

    but in testdb database having 4 ops$ users

    SQL> select username from all_users;

    USERNAME

    OPS$ROSE
    OPS$ORATEST
    OPS$SAM
    OPS$TIM_HALL


    As per above mentioned error :

    Can't we set more than one user  for  OS authentication  using ops$?


    then i did , like this

    SQL> create user ops$rose  identified  by rose;
    User  created.

    SQL> grant  create session to  ops$rose;
    Grant  succeeded.

    $ sqlplus 'ops$rose/rose'

    SQL*Plus: Release 10.2.0.1.0 - Production on Wed Dec 19 07:10:34 2012
    Copyright (c) 1982, 2005, Oracle.  All rights reserved.

    Connected to:
    Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production
    With the Partitioning, OLAP and Data Mining options

    SQL> show user;
    USER is "OPS$ROSE"

    SQL> ! id
    uid=500(oracle) gid=500(oinstall) groups=500(oinstall),501(dba)

    SQL> grant sysdba to ops$rose;
    Grant succeeded.

    Here , i need small clarification
    ops$rose is now identified by password "rose" So it is DB authentication account.
    but id (linux) showing oracle user env. Oracle user doesn't belong DB authentication account.

    FINAL QUESTIONS and expecting valuable Reply :

    *1.What's is the logic applying here ? ops$ using oracle env*
    *2.why cant create more than one user along with prefix ops$ ?*

    what i know ,
    by default it is using oracle user env .. am i right ? If it is wrong , correct me ...

    one more final expectation :
    Database user have to supply a password, that is a big hole in the security policy.
    but You mentioned in previous replies *"never used OS authentication for any account except 'oracle"*
    What's your final conclusion ?  => please provide good solution.

    Thanks  Stevens

    Edited by: 952909 on Dec 25, 2012 3:24 PM

    Edited by: 952909 on Dec 25, 2012 4:39 PM
  • 61. Re: sqlnet.ora Network Configuration File " parameters  missing"
    EdStevens Guru
    952909 wrote:
    > Hi Edstevens ;
    >
    > Thanks for reply. Sorry for making trouble. It's my last question in this thread.
    >
    > tried to create new user as ops$rose
    > getting error : useradd: user ops exists
    > # useradd ops$rose

    When the shell processor encounters a "$", it takes that as a meta-character, indicating that what follows is the name of an environment variable, and it will replace that with the value of said variable. So when you enter 'useradd ops$rose' the shell process replaces that with 'useradd ops<value of environment variable rose>' Since you don't have an environment variable 'rose' (there is no reason you would) the statement becomes 'useradd ops'.

    > useradd: user ops exists
    >
    > Note: but existing ops$user name is ops$sam only.

    Do not confuse oracle usernames with OS usernames. When you tell the OS to create a user (useradd) it has no bearing whatsoever on any user of any type that you have created in your database. When you issue 'useradd', the OS is going to try to create an OS user. It doesn't know, it doesn't give a flying fig, it doesn't check with the database for any potential relationship. If you issued 'useradd ops$rose' and got "useradd: user ops exists", that is a clear AND DEFINITIVE indication that you issued that command once before.
    {code}
    [root@vblnxsrv02 home]# grep ops /etc/passwd
    [root@vblnxsrv02 home]# grep rose /etc/passwd
    [root@vblnxsrv02 home]# echo $rose
    {code}
    From the above, we see we have no users with either 'ops' or 'rose' in their name, and that the value of the environment variable 'rose' is null - there is no such variable.
    {code}
    [root@vblnxsrv02 home]# useradd ops$rose
    [root@vblnxsrv02 home]#  grep ops /etc/passwd
    ops:x:54323:54324::/home/ops:/bin/bash
    [root@vblnxsrv02 home]# grep rose /etc/passwd
    {code}
    From the above we see that our useradd command created a user 'ops'.
    {code}
    [root@vblnxsrv02 home]# useradd ops$rose
    useradd: user ops exists
    {code}
    So of course when we try a second time, it fails.

    > but in testdb database having 4 ops$ users
    >
    > SQL> select username from all_users;
    >
    > USERNAME
    >
    > OPS$ROSE
    > OPS$ORATEST
    > OPS$SAM
    > OPS$TIM_HALL

    So you are expecting 4 OS users:
    ROSE
    ORATEST
    SAM
    TIM_HALL

    BTW, why are you creating a user TIM_HALL? Does Tim know about this?

    > As per above mentioned error :
    >
    > Can't we set more than one user  for  OS authentication  using ops$?

    You can have all of the OS authenticated users you want. But you have to create them correctly. Did you read what the initialization parameter OS_AUTHENT_PREFIX actually does? Did you read it in the actual, official Oracle® Database Reference? That should be enough of a clue right there, but I'm going to take it a bit further. You can find the relevant portion of the Reference at http://docs.oracle.com/cd/E11882_01/server.112/e25513/initparams174.htm#sthref504. The specific sentence there begins with "Oracle concatenates the value of this parameter ..." Read that several times, and then re-read what I said above about your 4 OS authenticated accounts.

    Personally I only want one or two OS authenticated users, and I want them to have sysdba authority. I still do not understand why you are trying to create all these non-sysdba os authenticated users.

    > then i did , like this
    >
    > SQL> create user ops$rose  identified  by rose;
    > User  created.
    >
    > SQL> grant  create session to  ops$rose;
    > Grant  succeeded.
    >
    > $ sqlplus 'ops$rose/rose'
    >
    > SQL*Plus: Release 10.2.0.1.0 - Production on Wed Dec 19 07:10:34 2012
    > Copyright (c) 1982, 2005, Oracle.  All rights reserved.
    >
    > Connected to:
    > Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production
    > With the Partitioning, OLAP and Data Mining options
    >
    > SQL> show user;
    > USER is "OPS$ROSE"

    As I explained before creating a user with the OPS$ prefix is NOT what makes it an OS authenticated user. So you just created a database authenticated account named 'OPS$ROSE' and successfully connected to the account by supplying the username 'OPS$ROSE' and the correct password.

    > SQL> ! id
    > uid=500(oracle) gid=500(oinstall) groups=500(oinstall),501(dba)

    And your OS account is 'oracle'. So what? That has zero relationship to any DB authenticated account. And OPS$ROSE is a db authenticated account.

    > SQL> grant sysdba to ops$rose;
    > Grant succeeded.
    >
    > Here , i need small clarification
    > ops$rose is now identified by password "rose" So it is DB authentication account.
    > but id (linux) showing oracle user env. Oracle user doesn't belong DB authentication account.

    And why would you expect to see os account 'oracle' as an OS authenticated account listed in the database? OS user 'oracle' is a member of the OS group 'dba'. Any user that is a member of the 'dba' group can connect via OS authentication with sysdba authority. This is very different than an 'os authenticated database account'. It's the membership in the dba group that gives them this ability. And these accounts cannot connect without sysdba authority.
    {code}
    oracle:orcl$ id
    uid=54321(oracle) gid=54321(oinstall) groups=54321(oinstall),54322(dba)
    oracle:orcl$ sqlplus / as sysdba

    SQL*Plus: Release 11.2.0.1.0 Production on Tue Dec 25 19:12:14 2012

    Copyright (c) 1982, 2009, Oracle.  All rights reserved.


    Connected to:
    Oracle Database 11g Release 11.2.0.1.0 - 64bit Production
    With the Automatic Storage Management option


    SQL> exit
    Disconnected from Oracle Database 11g Release 11.2.0.1.0 - 64bit Production
    With the Automatic Storage Management option
    oracle:orcl$ sqlplus /

    SQL*Plus: Release 11.2.0.1.0 Production on Tue Dec 25 19:12:35 2012

    Copyright (c) 1982, 2009, Oracle.  All rights reserved.

    ERROR:
    ORA-01017: invalid username/password; logon denied
    {code}
    And membership in that group should be limited to a very VERY select group.

    Try this. Connected to the OS as 'oracle', do the following:
    {code}
    sqlplus / as sysdba
    sqlplus oracle/somepassword as sysdba
    sqlplus fubar/ireallydontunderstandthis as sysdba
    {code}

    > FINAL QUESTIONS and expecting valuable Reply :
    >
    > *1.What's is the logic applying here ? ops$ using oracle env*

    I don't understand the question.

    > *2.why cant create more than one user along with prefix ops$ ?*

    You can, but you have to do it correctly. Again, read the Reference manual on what OS_AUTHENT_PREFIX means. Think about how the shell processor handles the "$" character.

    > what i know ,
    > by default it is using oracle user env .. am i right ? If it is wrong , correct me ...

    What "it" do you think is "using oracle user env"?
    When an os user creates a session on the OS (connects to the os), several files, including /home/<osusername>/.bash_profile are executed to establish a starting point for that session's environment. This is purely an OS issue and has NOTHING to do with Oracle. Of course, there are certain environment variables that sqlplus and other oracle software expects to be correctly set. Things like $ORACLE_BASE, $ORACLE_HOME, $ORACLE_SID. But the OS doesn't inherently know about them. After all, as far as the OS is concerned, all those oracle processes and utilities are "just another application process".

    > one more final expectation :
    > Database user have to supply a password, that is a big hole in the security policy.

    Why do you think supplying a password is "a big hole in the security policy."? Are you under the misguided perception that os authentication is somehow more secure? Please do explain.

    > but You mentioned in previous replies *"never used OS authentication for any account except 'oracle"*
    > *What's your final conclusion ? 

    My final conclusion remains. I do not create OS authenticated users in my databases. I grant membership in the OS 'dba' group to a VERY limited set of OS accounts. In fact, in my current shop, where I am the only Oracle DBA, the ONLY OS account that is a member of the DBA group is the owner of the oracle software: oracle.

    > => please provide good solution.*

    A good solution for what? You've STILL not stated your business problem. You've only led us through a series of issues with a preconceived technical solution to an unknown (unknown to us) business problem.

    > Thanks  Stevens
    Edited by: EdStevens on Dec 26, 2012 6:49 AM
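
The two mechanisms explained in the reply above (the shell expanding `$rose` before `useradd` ever sees it, and OS_AUTHENT_PREFIX being concatenated with the OS account name), as an added example that is not part of the original thread. The function names, the `sam` passwd entry and the case-insensitive name comparison are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration, not code from the thread. All names here are hypothetical.

# Return the single argument exactly as a command such as useradd would receive it.
show_arg() { printf '%s' "$1"; }

# Four ways of typing the same name. The subshell unsets 'rose' so the
# result does not depend on the caller's environment.
unquoted_arg()      ( unset rose; show_arg ops$rose )
double_quoted_arg() ( unset rose; show_arg "ops$rose" )
single_quoted_arg() { show_arg 'ops$rose'; }
escaped_arg()       { show_arg ops\$rose; }

# OS account name that a database account maps to under a given
# OS_AUTHENT_PREFIX (prefix + OS name = database name). Fails when the
# database name does not start with the prefix. Lowercasing is an assumption:
# Oracle stores unquoted names in upper case, OS names are usually lower case.
os_user_for() (
    prefix=$1 dbuser=$2
    case $dbuser in
        "$prefix"?*) printf '%s' "${dbuser#"$prefix"}" | tr '[:upper:]' '[:lower:]' ;;
        *) return 1 ;;
    esac
)

# Constructed passwd data: the 'oracle' and 'ops' entries follow the output
# shown in the thread (after the mistaken useradd), the 'sam' entry is made up.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
oracle:x:54321:54321::/home/oracle:/bin/bash
ops:x:54323:54324::/home/ops:/bin/bash
sam:x:54324:54325::/home/sam:/bin/bash
EOF
}

# Usage: map_accounts PREFIX DBUSER... < passwd-file
# Reports, for each database account, which OS account it maps to and
# whether that OS account exists in the passwd data on stdin.
map_accounts() (
    prefix=$1; shift
    os_users=$(cut -d: -f1 | tr '[:upper:]' '[:lower:]')
    for dbuser in "$@"; do
        if osuser=$(os_user_for "$prefix" "$dbuser"); then
            if printf '%s\n' "$os_users" | grep -qxF -- "$osuser"; then
                echo "$dbuser -> $osuser: OS account present"
            else
                echo "$dbuser -> $osuser: no such OS account"
            fi
        else
            echo "$dbuser: does not start with prefix $prefix"
        fi
    done
)

echo "unquoted      ops\$rose  -> '$(unquoted_arg)'"
echo "double-quoted \"ops\$rose\" -> '$(double_quoted_arg)'"
echo "single-quoted 'ops\$rose' -> '$(single_quoted_arg)'"
echo "escaped       ops\\\$rose -> '$(escaped_arg)'"
sample_passwd | map_accounts 'OPS$' 'OPS$ROSE' 'OPS$ORATEST' 'OPS$SAM' 'OPS$TIM_HALL'
```

The mapping shows that the OS account matching OPS$ROSE is `rose`, not `ops$rose`, so no `$` ever needs to reach `useradd`.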
  • 62. Re: sqlnet.ora Network Configuration File " parameters  missing"
    955912 Explorer
    Hi Edstevens ;

    Thanks to Fine reply..

    DB env details :

    Database for Research scholars

    They are biological professional not oracle professionals.
    We have different kind of projects. Recently we implemented ORACLE DB to research scholars
    [local database i.e . Database resides same server] That is not a (24*7) domain.

    Every morning they start up database and end of the session they shut the DB.
    Here Every user maintaining Some biological related formulas and statistics reports. The only thing is
    discovered DATA is important

    So here problem is  every one can start up DB. So we planned to restrict to make all users as
    *" OS authenticated users " because external users don't have SYSDBA privilege. So we feel*
    DB will be safe, but the same time  All users are " OS authenticated users" .

    I provide " BASIC PRIVILEGE to Every one ( create session , create table ... )

    See here user connected as *$ sqlplus 'ops$rose/rose'*
    user supplying password here .. So i feel supplying password is big security hole.

    Another drawback also for os authentication user ..

    For ex ops$rose is os authenticated user , if OS having another user having rose means
    *rose user can connect as ops$rose"
    * The main problem is "they are maintaining DB , kindly help me !!

    Edited by: 952909 on Dec 28, 2012 3:25 AM
  • 63. Re: sqlnet.ora Network Configuration File " parameters  missing"
    EdStevens Guru
    952909 wrote:
    > Hi Edstevens ;
    >
    > Thanks to Fine reply..
    >
    > DB env details :
    >
    > Database for Research scholars
    >
    > They are biological professional not oracle professionals.

    Ok, so what is your relationship to them and what is your role in all of this?

    > We have different kind of projects. Recently we implemented ORACLE DB to research scholars
    > [local database i.e . Database resides same server] That is not a (24*7) domain.
    >
    > Every morning they start up database and end of the session they shut the DB.

    Why?

    > Here Every user maintaining Some biological related formulas and statistics reports. The only thing is
    > discovered DATA is important

    So what process do you have in place to insure there is no loss of data when (not "if", but "when") something goes wrong?

    > So here problem is  every one can start up DB. So we planned to restrict to make all users as
    > *" OS authenticated users " because external users don't have SYSDBA privilege.

    Well, there are really two kinds of OS authenticated users. The first kind is what you've been struggling with. "External" users are OS authenticated.
    But the other kind of OS authenticated user is the os user that is a member of the os 'dba' group. Members of that group can connect 'as sysdba'
    Or connect as 'sysoper', which still allows startup/shutdown but otherwise more limited than 'sysdba'.

    > So we feel*
    > DB will be safe, but the same time  All users are " OS authenticated users" .

    Well, your feelings are not what keeps a database safe.

    > I provide " BASIC PRIVILEGE to Every one ( create session , create table ... )
    >
    > See here user connected as *$ sqlplus 'ops$rose/rose'*
    > user supplying password here .. So i feel supplying password is big security hole.

    I asked you before *WHY* you feel that supplying a password is a big security hole. You haven't answered. If you are depending on OS authentication, you are necessarily depending on someone to log on to the os by supplying an OS username and password. Why is that more "secure" than supplying a username and password to the database?

    > Another drawback also for os authentication user ..
    >
    > For ex ops$rose is os authenticated user , if OS having another user having rose means
    > *rose user can connect as ops$rose"

    What do you mean by "another user having rose"? If you create a database account 'ops$rose' identified externally, then by definition you are saying that OS user 'rose' can connect to the database without supplying any further credentials. And on the OS, all usernames are unique. There cannot be "another" user "rose".

    > * The main problem is "they are maintaining DB , kindly help me !!

    IF "they" are maintaining the DB, then again, what is your role and relationship to this?

    > Edited by: 952909 on Dec 28, 2012 3:25 AM
  • 64. Re: sqlnet.ora Network Configuration File " parameters  missing"
    955912 Explorer
    Hi EdStevens ;

    Every morning they start up database and end of the session they shut the DB.
    Why?

    No one can update any information after their sessions.
    Another one members can't access the DB from outside i.e.
    only from production floor. so no need to run continuously.

    IF "they" are maintaining the DB, then again, what is your role and relationship to this?
    Here "Data growth is not high " If any new joiners , additionally i guide some SQL concepts about oracle env regarding to that project.
    My major role is providing privilege to users (create session , create table ..) and then any request from DB users , i will do that.
    monitoring DB also .

    So what process do you have in place to insure there is no loss of data when (not "if", but "when") something goes wrong.*

    on daily basis i take export/import (backup). No data loss here ..

    Here, i restrict  all os users  i.e  my major role is providing specific privilege to every one.
    Some users having  os authentication , For ex ops$sam
    Why do i restrict ?

    SQL> show user;
    USER is "OPS$SAM"

    SQL> select * from session_roles;
    ROLE
    CONNECT
    DBA
    SELECT_CATALOG_ROLE
    HS_ADMIN_ROLE
    EXECUTE_CATALOG_ROLE
    DELETE_CATALOG_ROLE
    EXP_FULL_DATABASE
    IMP_FULL_DATABASE
    GATHER_SYSTEM_STATISTICS
    SCHEDULER_ADMIN
    WM_ADMIN_ROLE
    JAVA_ADMIN
    JAVA_DEPLOY
    XDBADMIN
    XDBWEBSERVICES
    OLAP_DBA

    16 rows selected.

    Alternative solution i provide like this

    SQL> create user ops$rose identified by rose;
    User created.

    SQL> grant create session to ops$rose;
    Grant succeeded.

    $ sqlplus 'ops$rose/rose'

    SQL*Plus: Release 10.2.0.1.0 - Production on Wed Dec 19 07:10:34 2012
    Copyright (c) 1982, 2005, Oracle. All rights reserved.

    Why i am saying  supplying password is security hole

    If i provide "create session privilege" to users , they have to enter username password like this *'ops$rose/rose'*
    Oracle won't prompt user name and password separately.
    Even we miss 'quotes' , oracle throws "username" and password".

    I tried to make restrictions for sysdba but *"NOT SUCCEEDED"*

    *Local OS authentication setup*

    a) in sqlnet.ora, SQLNET.AUTHENTICATION_SERVICES = ALL
    b) in init.ora, remote_login_passwordfile = NONE
    c) complex password to SYS

    but i can't restrict sysdba privilege. i.e
    *all DB authenticated users can startup conn /as sysdba*

    *what is your role and relationship to this?*

    My role , they asked me to setup Database env for biological professions.
    Once i finished my roles i will leave from that project.
    On daily basis i will do "only backup"

    *Please Note :* _I want to setup SYSDBA privilege only to specific users_
    *Even i make all users as "DB authenticated " how can i SETUP "only specific people" can startup DB. ?*
    Kindly help me to restrict SYSDBA privilege from DB users.

    Thanks EDStevens ;
  • 65. Re: sqlnet.ora Network Configuration File " parameters  missing"
    EdStevens Guru
    952909 wrote:
    > Hi EdStevens ;
    >
    > Every morning they start up database and end of the session they shut the DB.
    > Why?
    >
    > No one can update any information after their sessions.
    > Another one members can't access the DB from outside i.e.
    > only from production floor. so no need to run continuously.

    No one without proper authority can update anyway. And one would assume that those with proper authority would not be doing any "unauthorized" updates.

    > IF "they" are maintaining the DB, then again, what is your role and relationship to this?
    > Here "Data growth is not high "

    What does that have to do with the price of eggs in China?

    > If any new joiners , additionally i guide some SQL concepts about oracle env regarding to that project.
    > My major role is providing privilege to users (create session , create table ..) and then any request from DB users , i will do that.
    > monitoring DB also .
    >
    > So what process do you have in place to insure there is no loss of data when (not "if", but "when") something goes wrong.*
    >
    > on daily basis i take export/import (backup). No data loss here ..

    Better than nothing, but an export will not protect against physical corruption of the database. You are gambling that your hardware will never fail. I'd like to invest in your hardware vendor, because they have apparently achieved something no vendor has achieved previously.

    > Here, i restrict  all os users  i.e  my major role is providing specific privilege to every one.
    > Some users having  os authentication , For ex ops$sam

    "Some" users? Why "some"? Why not "all" or "none"? What criteria is used to decide?

    > Why do i restrict ?
    >
    > SQL> show user;
    > USER is "OPS$SAM"
    >
    > SQL> select * from session_roles;
    > ROLE
    > CONNECT
    > DBA
    > SELECT_CATALOG_ROLE
    > HS_ADMIN_ROLE
    > EXECUTE_CATALOG_ROLE
    > DELETE_CATALOG_ROLE
    > EXP_FULL_DATABASE
    > IMP_FULL_DATABASE
    > GATHER_SYSTEM_STATISTICS
    > SCHEDULER_ADMIN
    > WM_ADMIN_ROLE
    > JAVA_ADMIN
    > JAVA_DEPLOY
    > XDBADMIN
    > XDBWEBSERVICES
    > OLAP_DBA
    >
    > 16 rows selected.

    Looks to me like you haven't restricted ops$sam at all. You've given him a boat-load of very powerful roles. You've given him the keys to everything.

    > Alternative solution i provide like this
    >
    > SQL> create user ops$rose identified by rose;
    > User created.
    >
    > SQL> grant create session to ops$rose;
    > Grant succeeded.
    >
    > $ sqlplus 'ops$rose/rose'
    >
    > SQL*Plus: Release 10.2.0.1.0 - Production on Wed Dec 19 07:10:34 2012
    > Copyright (c) 1982, 2005, Oracle. All rights reserved.

    And in this "alternative" solution, you've given ops$rose no privileges at all, beyond simply connecting. Once connected there's absolutely nothing he can do. What's the point?

    > Why i am saying  supplying password is security hole
    >
    > If i provide "create session privilege" to users , they have to enter username password like this *'ops$rose/rose'*
    > Oracle won't prompt user name and password separately.

    Oh?

    What do you make of this?
    {code}
    oracle:orcl$ sqlplus scott

    SQL*Plus: Release 11.2.0.1.0 Production on Sat Dec 29 09:22:07 2012

    Copyright (c) 1982, 2009, Oracle.  All rights reserved.

    Enter password:

    Connected to:
    Oracle Database 11g Release 11.2.0.1.0 - 64bit Production
    With the Automatic Storage Management option

    SQL>
    {code}
    Besides, you've only described (not shown) what you think you see. You still did not answer my question of WHY you think password authentication is a "security hole". You are worried (without reason) about password authentication being a security hole, but you are trying to figure out how to give sysdba authority to every Tom, Richard, and Harry in your database.

    > Even we miss 'quotes' , oracle throws "username" and password".

    I have no idea what you are trying to say by that statement. "miss 'quotes'"? What do you mean?

    > I tried to make restrictions for sysdba but *"NOT SUCCEEDED"*

    Well, I have no idea what you did to "make restriction for sysdba", nor what you expected, nor what command returned "NOT SUCCEEDED".

    > *Local OS authentication setup*
    >
    > a) in sqlnet.ora, SQLNET.AUTHENTICATION_SERVICES = ALL
    > b) in init.ora, remote_login_passwordfile = NONE

    remote_login_passwordfile = NONE means that the only place people will be able to connect with sysdba authority (necessary for a database shutdown/startup) will be from the server that is running the database. Which is considered to be a good thing.

    > c) complex password to SYS
    >
    > but i can't restrict sysdba privilege. i.e
    > *all DB authenticated users can startup conn /as sysdba*

    Show me your proof. Here's mine:
    {code}
    SQL> select AUTHENTICATION_TYPE from dba_users where username='SCOTT';

    AUTHENTI
    --------
    PASSWORD

    SQL> conn scott
    Enter password:
    Connected.
    SQL> shutdown
    ORA-01031: insufficient privileges
    SQL>
    {code}

    > *what is your role and relationship to this?*
    >
    > My role , they asked me to setup Database env for biological professions.
    > Once i finished my roles i will leave from that project.

    And then who maintains this mess?
    Who watches for data growth, disk consumption, success/failure of your 'backup' jobs? Who restores the database from a backup?

    > On daily basis i will do "only backup"

    And maintain user accounts as users come and go.
    And "monitors the database"

    > *Please Note :* _I want to setup SYSDBA privilege only to specific users_

    How do you decide who gets the privilege and who doesn't?

    > *Even i make all users as "DB authenticated " how can i SETUP "only specific people" can startup DB. ?*
    > Kindly help me to restrict SYSDBA privilege from DB users.

    Actually, I already told you in a previous post.

    Frankly, at this point I'm very reluctant to do anything to help you dig a deeper hole. It looks to me like your organization purchased a Ferrari when all it needed was a VW Beetle, and they want to use it without a trained driver or mechanic.

    > Thanks EDStevens ;
    Edited by: EdStevens on Dec 29, 2012 9:45 AM
  • 66. Re: sqlnet.ora Network Configuration File " parameters  missing"
    955912 Explorer
    Hi EdStevens ;

    Continuously you are asking about my env but i need solution for our project
    Right now we need solution for security problems for sysdba privilege.

    $ export ORACLE_SID=testdb
    $ sqlplus /nolog

    SQL*Plus: Release 10.2.0.1.0 - Production on Sat Dec 29 21:56:54 2012
    Copyright (c) 1982, 2005, Oracle. All rights reserved.

    SQL> conn sys as sysdba
    Enter password:
    Connected to an idle instance.

    SQL> show user;
    USER is "SYS"

    I want to really restrict this thing only.
    Even i entered wrong password , i can connect my DB and startup my DB.

    Already i mentioned data growth is not high .. So currently no more DBAs not required
    for this project. Currently i have to restrict sysdba privilege from DB users;

    I am in hurry , please understand our situation and kindly
    provide good solution for us .

    Thanks Edstevens
  • 67. Re: sqlnet.ora Network Configuration File " parameters  missing"
    sb92075 Guru
    952909 wrote:
    > Hi EdStevens ;
    >
    > Continuously you are asking about my env but i need solution for our project
    > Right now we need solution for security problems for sysdba privilege.
    >
    > $ export ORACLE_SID=testdb
    > $ sqlplus /nolog
    >
    > SQL*Plus: Release 10.2.0.1.0 - Production on Sat Dec 29 21:56:54 2012
    > Copyright (c) 1982, 2005, Oracle. All rights reserved.
    >
    > SQL> conn sys as sysdba
    > Enter password:
    > Connected to an idle instance.
    >
    > SQL> show user;
    > USER is "SYS"
    >
    > I want to really restrict this thing only.
    > Even i entered wrong password , i can connect my DB and startup my DB.
    >
    > Already i mentioned data growth is not high .. So currently no more DBAs not required
    > for this project. Currently i have to restrict sysdba privilege from DB users;

    The default Oracle security is that everything is forbidden; except that which is explicitly GRANTed.
    So there is NO concept to "restrict" access.
    If no GRANT is ever issued, then no access is possible.

    With regard to access "as sysdba", it is controlled at the OS group level.
    When OS user is member of "DBA" group, then they can login "as sysdba" without username/password verification.
  • 68. Re: sqlnet.ora Network Configuration File " parameters  missing"
    EdStevens Guru
    952909 wrote:
    > Hi EdStevens ;
    >
    > Continuously you are asking about my env but i need solution for our project

    That's called fact gathering and business analysis. It's what DBA's do.

    > Right now we need solution for security problems for sysdba privilege.
    >
    > $ export ORACLE_SID=testdb
    > $ sqlplus /nolog
    >
    > SQL*Plus: Release 10.2.0.1.0 - Production on Sat Dec 29 21:56:54 2012
    > Copyright (c) 1982, 2005, Oracle. All rights reserved.
    >
    > SQL> conn sys as sysdba
    > Enter password:
    > Connected to an idle instance.
    >
    > SQL> show user;
    > USER is "SYS"
    >
    > I want to really restrict this thing only.

    Then don't let that OS user be a member of the OS group 'dba'.

    > Even i entered wrong password , i can connect my DB and startup my DB.

    Yes, because you've made the os user a member of the os group 'dba'. It's documented all over the web and I mentioned it in an earlier post.

    > Already i mentioned data growth is not high .. So currently no more DBAs not required
    > for this project.

    The services provided by a dba are not a function of data growth.

    > Currently i have to restrict sysdba privilege from DB users;

    Then don't grant it to them. Don't make them a member of the 'dba' group.

    > I am in hurry , please understand our situation and kindly
    > provide good solution for us .

    If you are unsatisfied with the level of service on this forum you may apply for a full refund of all fees paid for said services.

    > Thanks Edstevens
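
Since the replies above tie `/ as sysdba` access to membership of the OS group 'dba', the useful check is an audit of who is in that group. The following is an added example, not part of the original thread; the function names, the approved list and the sample group and passwd data are constructed (only the `dba` GID 54322 and the `oracle` IDs follow the `id` output shown earlier in the thread).

```shell
#!/bin/sh
# Added illustration, not code from the thread. All names here are hypothetical.
# It reads local group/passwd files only; directory services (LDAP, NIS)
# are outside what this sketch covers.

# Usage: group_members GROUP GROUP_FILE PASSWD_FILE
# Prints every account that belongs to GROUP, sorted, one per line:
#   - supplementary members listed in the fourth field of the group file
#   - accounts whose primary GID in the passwd file equals the group's GID
#     (these do not appear in the group file's member list at all)
group_members() (
    group=$1 group_file=$2 passwd_file=$3
    awk -F: -v g="$group" '
        FNR == NR {                       # first file: the group file
            if ($1 == g) {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
            }
            next
        }
        gid != "" && $4 == gid { print $1 }   # second file: primary GID match
    ' "$group_file" "$passwd_file" | sort -u
)

# Usage: unapproved_members GROUP GROUP_FILE PASSWD_FILE APPROVED...
# Prints the members of GROUP that are not on the approved list.
unapproved_members() (
    group=$1 group_file=$2 passwd_file=$3
    shift 3
    approved=" $* "
    for user in $(group_members "$group" "$group_file" "$passwd_file"); do
        case $approved in
            *" $user "*) ;;            # expected member, nothing to report
            *) echo "$user" ;;
        esac
    done
)

# Write constructed sample files into a fresh temporary directory and print its path.
# 'sam' is a supplementary member of dba; 'tim' has dba as primary group.
make_sample_files() (
    dir=$(mktemp -d) || exit 1
    cat > "$dir/group" <<'EOF'
root:x:0:
oinstall:x:54321:
dba:x:54322:oracle,sam
research:x:54330:rose
EOF
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
oracle:x:54321:54321::/home/oracle:/bin/bash
sam:x:54324:54330::/home/sam:/bin/bash
rose:x:54325:54330::/home/rose:/bin/bash
tim:x:54326:54322::/home/tim:/bin/bash
EOF
    printf '%s\n' "$dir"
)

dir=$(make_sample_files)
echo "Members of dba (can connect '/ as sysdba' on this host):"
group_members dba "$dir/group" "$dir/passwd"
echo "Members not on the approved list (approved: oracle):"
unapproved_members dba "$dir/group" "$dir/passwd" oracle
rm -rf "$dir"
```

On a real host the same functions take `/etc/group` and `/etc/passwd` as the file arguments.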
  • 69. Re: sqlnet.ora Network Configuration File " parameters  missing"
    955912 Explorer
    Hi Edstevens ;

    why you felt unsatisfied with the level of service on this forum ?

    *Really i don't think so.

    * *"I can't concentrate that project top to bottom that's why i mentioned i am in hurry"*

    I am satisfied with your all replies and justin cave replies also.

    I received Very Responsible answers from you.  Thanks a lot EDstevens !!
  • 70. Re: sqlnet.ora Network Configuration File " parameters  missing"
    EdStevens Guru
    952909 wrote:
    > Hi Edstevens ;
    >
    > Thanks to Fine reply..
    >
    > DB env details :
    >
    > Database for Research scholars
    >
    > They are biological professional not oracle professionals.
    > We have different kind of projects. Recently we implemented ORACLE DB to research scholars
    > [local database i.e . Database resides same server] That is not a (24*7) domain.

    <snip>

    Something doesn't ring true here. This has been such a long running thread I decided to go back and review the whole thing. (Why am I doing this on a Saturday?)

    Earlier in the thread you talked about
    - " I could n't explain with my juniors",
    - " need to say correct answer to my Juniors "
    - "We have 5 Databases for junior trainers"
    - "As per my senior suggestion"

    Then later you start talking about
    - They are biological professional not oracle professionals.
    - We have different kind of projects. Recently we implemented ORACLE DB to research scholars

    What's going on here?
    Please read the forum FAQ. The link is in the upper right corner of the page you are reading at this very moment.
    Please do not use one thread as a running open help line for whatever is your problem du jour. A thread should focus on one issue and one issue only.
    Your first post of a thread should ALWAYS state what version of Oracle, to at least 4 decimals (that would be like 11.2.0.1. 11g is not a version, it is a marketing term) and edition (Enterprise, Standard, Standard ONE, XE). It should also include the OS, the OS version, and if applicable, the OS edition (Windows 7 Professional, Windows 7 Home, Windows 2008 Server, Oracle Linux 5.7)

    Suggested reading:
    http://www.catb.org/esr/faqs/smart-questions.html
  • 71. Re: sqlnet.ora Network Configuration File " parameters  missing"
    955912 Explorer
    Hi Edstevens ;

    Series of problems are put it here . Please don't consider given information's were not true.
    Biological students actually maintained data in their EXCEL SHEET then we decided to arrange database
    for biological professionals. My working env and this project entirely different.
    Series of problems are put into one place .. this is reason  you felt  Something doesn't ring true here.

    Edited by: 952909 on Dec 29, 2012 12:02 PM
  • 72. Re: sqlnet.ora Network Configuration File " parameters  missing"
    955912 Explorer
    " We have 5 Databases for junior trainers" Sorry for keying Error
    i.e. instead of  Trainees (New Joiners) "


    To Edstevens :
    Every time when answering question , Did u suspect us ?
    All problems were gathered and put into single thread because of we needed solution very shortly.

    It's my mistake to post all problems into single thread. I am extremely sorry making you thought like that .

    Thanks !!
  • 73. Re: sqlnet.ora Network Configuration File " parameters  missing"
    955912 Explorer
    Hi Edstevens ;

    Again i want to continue few things in this thread. Please try to provide good solution to me.
    Same OS authentication but too much confusion when checking permissions.

    Problem is  dba vs oinstall

    This is related to oracle as well as some os related security problems. please clarify it.
    I tried but couldn't solve it

    MAY I start with new thread  from following link
    Installation

    Edited by: 952909 on Jan 5, 2013 4:06 PM
  • 74. Re: sqlnet.ora Network Configuration File " parameters  missing"
    sb92075 Guru
    how many threads do you plan on spamming folks?

    Re: Problemm with dba group vs oinstall group

    http://www.orafaq.com/forum/t/185565/136107/
