Locked SYS and SYSTEM user

Similar Messages

• Lock sys and system user

  Dear all,
  We have 10.2.0.4 on solaris 10.
  Currently we had I.T audit on our environment and auditor commented to lock sys and system user and use one user with any name (not oracle generic name) and grant him sys and system privilege and to use this user for admin purposes. is this right ?.. is this recommended ?
  Please advise

  Hello,
  I think it's not a right way to lock SYS.
  More over, if you connect as OS Administrator (root for Unix/linux) on the server and use
  OS Authentification then, you can connect on SYS AS SYSDBA anyway.
  So, in fact, it's not possible to lock out SYS even if you execute the following:
  ALTER USER SYS ACCOUNT LOCK;If you want to prevent access on SYS you should set a complex and long password and
  apply the same rule for the Administrator / root OS user.
  These passwords must be known by very few and well - identified people and written nowhere
  (in any files or scripts).
  More over, you should limit DBA roles to SYS and SYSTEM and remove this powerful Role
  from other Oracle Users.
  Then, you may enable session AUDIT so as to control the connexion on the database and,
  create a LOGON TRIGGER so as to check the login, workstation, program of the end users
  who connect to the database.
  On 10g, EM DBConsole shows an alert everytime a User is connected with SYS.
  Please, find enclosed, an interesting document written by Pete Finigan on this topic:
  http://www.insight.co.uk/files/presentations/Hacking%20and%20securing%20Oracle.pdf
  Hope this help.
  Best regards,
  Jean-Valentin

• SYS and SYSTEM user password expired

  My 11g2 database on Redhat 5 has sys and system user password expiredSQL> select username,account_status,EXPIRY_DATE
  from dba_users where username like 'SYS%';
    2
  USERNAME                       ACCOUNT_STATUS                   EXPIRY_DA
  SYSMAN                         OPEN
  SYSTEM                         OPEN                             15-FEB-11
  SYS                            OPEN                             15-FEB-11But I can still connect the databsae with t expired password.
  Do I need worry about the expiration of these user's password? For a normal user, I connot login with expired password

  Dear user13148231,
  Here is an illustration;
  SQL> alter user sys account lock;
  User altered.
  SQL> select username, account_status, lock_date, expiry_date from dba_users where USERNAME='SYS';
  USERNAME                      ACCOUNT_STATUS                   LOCK_DATE EXPIRY_DA
  SYS                                      LOCKED                           20-AUG-10      23-FEB-09
  SQL> host sqlplus sys/password@opttest as sysdba
  SQL*Plus: Release 10.2.0.4.0 - Production on Fri Aug 20 12:25:43 2010
  Copyright (c) 1982, 2007, Oracle.  All Rights Reserved.
  Connected to:
  Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production
  With the Partitioning, OLAP, Data Mining and Real Application Testing options
  SQL> exit
  Disconnected from Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production
  With the Partitioning, OLAP, Data Mining and Real Application Testing options
  SQL> alter user sys identified by password password expire;
  User altered.
  SQL> select username, account_status, lock_date, expiry_date from dba_users where username='SYS';
  USERNAME                      ACCOUNT_STATUS                   LOCK_DATE EXPIRY_DA
  SYS                                EXPIRED & LOCKED                 20-AUG-10   20-AUG-10
  SQL> host sqlplus sys/password@opttest as sysdba
  SQL*Plus: Release 10.2.0.4.0 - Production on Fri Aug 20 12:27:02 2010
  Copyright (c) 1982, 2007, Oracle.  All Rights Reserved.
  Connected to:
  Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production
  With the Partitioning, OLAP, Data Mining and Real Application Testing options
  SQL> exit
  Disconnected from Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production
  With the Partitioning, OLAP, Data Mining and Real Application Testing options
  SQL> alter user sys identified by password account unlock;
  SQL> select username, account_status, lock_date, expiry_date from dba_users where username='SYS';
  USERNAME                       ACCOUNT_STATUS                   LOCK_DATE EXPIRY_DA
  SYS                            OPENEven if it shows expired and locked it is OK to connect to the database for the SYS user.
  SQL> alter user ogan identified by password account lock password expire;
  User altered.
  SQL> select username, account_status, lock_date, expiry_date from dba_users where username='OGAN';
  USERNAME                       ACCOUNT_STATUS                   LOCK_DATE EXPIRY_DA
  OGAN                           EXPIRED & LOCKED                 20-AUG-10 20-AUG-10
  SQL> conn ogan/password
  ERROR:
  ORA-28000: the account is locked
  Warning: You are no longer connected to ORACLE.
  SQL> conn / as sysdba
  Connected.
  SQL> alter user ogan account unlock;
  User altered.
  SQL> conn ogan/password@opttest
  ERROR:
  ORA-28001: the password has expired
  Changing password for ogan
  New password:
  Retype new password:
  Password changed
  Connected.
  SQL>Ogan

• Profiles apply to SYS and SYSTEM users

  dear all.
  is possible configure the security policies (profiles), i mean password length, history, failed login attempts for SYS and SYSTEM users in oracle 10g.
  What will happen if both users blocked ?? the service would be affected ???
  what would you recommend me ?
  thanks for your answers and apologize my english, is not very well.

  Check here:
  SYS account cannot be locked out by setting the failed_login_attempts limit in the profile.
  is it possible to lock out SYS using FAILED_LOGIN_ATTEMPTS in a profile
  http://www.petefinnigan.com/ramblings/failed_login_attempts.htm
  -Anantha

• When creating application: SYS and SYSTEM users may not create applications

  Dear all,
  When i am performing the below mentioned operations
  1) Importing Application
  2) Create Application
  3) Create from Spreadsheet
  4) Demonstration Application
  am getting this error message
  "SYS and SYSTEM users may not create applications"
  Please do the needfull

  Create application using SYS or SYSTEM user is not good idea. Your objects will be created in SYSTEM tablespace, it's fatal option. Create new Workspace and create there your app.

• Difference between SYS and SYSTEM user

  Hi,
  Well, one of my colleagues have asked me the difference between SYS and SYSTEM user .. Normally these are the users which will be under the monitoring of the DBA .. So, how could I know the difference between these two users ..
  Please assist me
  Regards

  SYS is the owner of the database and the owner of the data dictionary.
  The objects belonging to SYS cannot be exported. But SYS has the SYSDBA privilege which SYSTEM doesn't.
  SYSTEM is a privileged administration user, and typically owns Oracle provided tables other than the dictionary.
  SYSDBA is not a role, it is a privilege. You'll find it in system_privilege_map, not in dba_roles.

• Forgotten Sys and System user passwords

  In the case of forgetting the Sys and the System user passwords, is there anyway of logging on with privilages to be able to change these passwords, if not, are there any other solutions?
  Thanks,
  Nick

  In order for "/ as sysdba" to work, you need to run
  the password file creation utility (orapwd).
  No, it has nothing to do with the password file. In order for "connect / as sysdba" to succeed, it is necessary to have an operating system account which is a member of the "osdba group". In Windows, this OS group is : "ORA_DBA". Any member of this group can and has privileges to connect "/ as sysdba". Again, it has nothing to do with password file.
  In Windows there is another condition for it to work :
  The file %ORACLE_HOME%\network\admin\sqlnet.ora must have the following line :
  SQLNET.AUTHENTICATION_SERVICES= (NTS)
  In Unix systems, the osdba group is configured at installation and is conventionally named "dba".

• Grants from SYS and SYSTEM user

  Hi All,
  Please help me to understand this problem.
  I have some schema named maps_ref where I am creating a view.( table abc ,view abc01).
  Here I have granted the create view,create any view privs to maps_ref by connecting SYS as SYSDBA.
  It alllowed me to create the view.
  Just as a try, I revoked the privs by connecting as SYSTEM and it revoked the privs granted by SYS as SYSDBA.
  Later obviously I could not create the view.
  Does it mean that grants given by SYS as SYSDBA can be taken back from SYSTEM though SYSDBA is more powerful then SYSTEM?
  I am little bit confused how it worked? Please explain.
  Rgds,
  Aashish

  Hi,
  SYS isnt normal user and you are not able to connect without clause SYSDBA.
  sqlplus sys@test
  SQL*Plus: Release 11.1.0.7.0 - Production on Wed Apr 8 09:48:37 2009
  Copyright (c) 1982, 2008, Oracle. All rights reserved.
  Enter password:
  ERROR:
  ORA-28009: connection as SYS should be as SYSDBA or SYSOPER
  Enter user-name:
  sqlplus sys@test as sysdba
  SQL*Plus: Release 11.1.0.7.0 - Production on Wed Apr 8 09:48:55 2009
  Copyright (c) 1982, 2008, Oracle. All rights reserved.
  Enter password:
  Connected to:
  Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - 64bit Production
  With the Partitioning, OLAP, Data Mining and Real Application Testing options
  SQL>
  Regards,
  Tom
  http://oracledba.cz

• Prevent imports to sys and system users

  I work at a company who develops an Application the uses an Oracle database. Many times we receive a full system export. I want to prevent my users from importing all the schema's, and just import from the schema that contains our data. Since the user name of the export is different from the user that does the import, I have granted them the IMP_FULL_DATABASE right. Almost all our customers use the same name for the schema, so if we want to look at the data of more then one customer, we need to import to another schema.
  I am running two test servers, one for Oracle 10 and one for Oracle 11 on Oracle Linux. And I am already using one separate account to let them import and export the data, and to create the user.
  Is there a way to prevent users from importing to the system, sys and other oracle schema's, without limiting schema imports of other Oracle servers?

  If you know which schema data you want to import into your database from the export dump , you can use shema leavel import . Also if you are using datapump you can use remap schema option.
  Thanks and Regards,
  Satish.G.S
  http://gssdba.wordpress.com

• Sys and system schema are expired & locked after doing disaster recovery.

  Hi All,
  In one of our development database, I performed disaster recovery and it was successfull.
  After completing thre recovery, sys and system schema are expired & locked.
  So, I am not able to perform any kind of operation which is performed by sys and system user.
  Database Version : 11g r2
  Operating system : Red hat 5.5
  Please kindly suggest me, How can i solve this problem?
  Thanks,
  Viren Patel.

  This is some sort of a mirracle. SYS even if expired and locked - can login:
  SQL> SELECT d.username, u.account_status
    2  FROM DBA_USERS_WITH_DEFPWD d, DBA_USERS u
    3  WHERE d.username = u.username and u.username=’SYS’
    4  ORDER BY 2,1;
  USERNAME                       ACCOUNT_STATUS
  SYS                            OPEN
  SQL> alter user sys account lock;
  User altered.
  SQL> alter user sys password expire;
  User altered.
  SQL> quit
  Disconnected from Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production
  With the Partitioning, OLAP, Data Mining and Real Application Testing options
  C:\Tools\Oracle\scripts_oracle>sqlplus sys/manager as sysdba
  SQL*Plus: Release 11.2.0.1.0 Production on Mon Feb 20 17:09:14 2012
  Copyright (c) 1982, 2010, Oracle.  All rights reserved.
  Connected to:
  Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production
  With the Partitioning, OLAP, Data Mining and Real Application Testing options
  SQL> SELECT d.username, u.account_status
    2  FROM DBA_USERS_WITH_DEFPWD d, DBA_USERS u
    3  WHERE d.username = u.username and u.username=’SYS’
    4  ORDER BY 2,1;
  USERNAME                       ACCOUNT_STATUS
  SYS                            EXPIRED & LOCKEDPlease, show us exact connection string and an error you are getting, while logging in.

• HT4796 I did all of the above and the migration was successful, but I don't know where the files are.  It says they're under a different user, 'owner' .  I tried to access via sys pref/system/users&groups, but it asks for a password for owner which I don'

  Migration Assit , PC to MAC - The migration was successful, but I don't know where the files are.  It says they're under a different user, 'owner' .  I tried to access via sys pref/system/users&groups, but it asks for a password for owner which I don't have.  What must I do to access my files?
  My experience is with MS PC's I'm new with the MAC Book Pro.

  Then, see if this works:
  Mac OS X 10.6 Help- If you forget your administrator password
  If you are running Lion or Mountain Lion you may need to do the following to access the same utility:
  Boot to the Recovery HD:
  Restart the computer and after the chime press and hold down the COMMAND and R keys until the menu screen appears. Alternatively, restart the computer and after the chime press and hold down the OPTION key until the boot manager screen appears. Select the Recovery HD and click on the downward pointing arrow button.
  When the menubar appears select Terminal from the Utilities menu. Enter resetpassword at the prompt and press RETURN. Follow instructions in the dialog window that will appear.
  Or see Reset a Mac OS X 10.7 Lion Password and OS X Lion- Apple ID can be used to reset your user account password.

• Starting up a database when I forgot the sys and system password

  Hi,
  I want to startup up a database from Oracle Entreprise Manager. I forgot the sys and system password.
  If I give the command:
  orapwd file=orapwSDB01 password=test entries=100
  can I give the password "test" to sys and then to connect with sys with password test as sysdba, and then to startup the database? Are any problems with this command?
  Thank you,
  Mihaela

  Hi,
  I have not done this myself, but YES, according to the documentation, thats correct.
  ORAPWD FILE=mypwdfile PASSWORD=syspass ENTRIES=10
  will set the password of SYS to syspass. And you can use the same further.
  But here, you should be in oracle user or the user which owns the Oracle installation.
  Also, OS authentication is always supperior than any other authentication.
  Regards

• Restrication on using sys and system tables.

  I have created the user in oracle 10g, granted resource , connect , select, insert, and update any table
  I would like to restrict the user from modifying sys and system tables.
  I know , it is possible using triggers. but it will create perofrmance issues
  Any other solution , please let me know

  user8680248 wrote:
  user wants this priv ( user is super user ) but user is not DBAYou say the user is not a "super user" and is not a DBA.
  Then he doesn't get what he "wants", he gets the minimum privs required to do his job. And it's the job of the DBA (presumably you) to enforce that policy. The technical issues are simple. The political ones are often difficult, but as a DBA that, too, is part of your job. It's YOUR job that will be on the line if you put the company's data at risk by granting someone excessive privileges on the database..
  Edited by: EdStevens on Feb 8, 2010 6:33 AM

• Encrypt sys and system tables

  How to encrypt/restrict sys and system tables so that no user can view them.
  On one of the database few user are having dba access.
  Is it possible to restrict their access on the dictionary tables.

  I have not heard of anyone encrypting the sys and system schemas, and suspect it is not possible due to the number of tools that need access to these tables and views (OEM, RMAN etc)
  Maybe the application needs to run "create user" or "select * from v$session", but this does not mean that it needs DBA role. Turn on tracing or auditing to find out what priveleges the application actually needs, then grant minimum priveleges and revoke DBA.
  In the worst case if the application won't start unless it has been granted a role called "DBA" then you may be able to revoke all priveleges from the DBA role and then grant them via a custom role called "MY_DBA", but there is potential for this to go very wrong, so test in a DEV environment first, and I doubt Oracle Support would approve.
  Or you could use Database Vault ....

• Unable to create new user when logged as SYS or SYSTEM user. Oracle 11g

  Hello I installed oracle 11g databse. The installation went OK.
  But when I tried to create a new user or alter an existing I always got "ORA-01031: insufficient privileges".
  However I was able to alter SYS user when I was loged in as SYS or SYSTEM user when I was loged in as SYSTEM.
  I am also able to create new tables, drop tables, query tables, create and drop synonyms and all other things except manipulate with users;
  Can anybody tell me where could be the problem?
  Thanks a lot in advance.
  Message was edited by:
  user609545

  I have checked the roles DBA, RESOURCE..(I am sorry byt I dont know what is role CREATE). SYS user has all these roles with admin option and default checked.
  I am using oracle Enterprise manager, but I dont know where should I click on the red mark? Where can I find it?