Q about SYSDBA and SYSOPER privileges

Was surprised to see that session_roles for super user sys was empty, but of course this user has all the privileges that go into the standard set of roles that are typically created with a new database anyway. But does anyone know why session_privs doesn't show the privileges SYSDBA or SYSOPER? I am aware that these two privileges cannot be granted to roles since roles are not available before database startup, but don't see why they should not be listed in session_privs for the super user.
Regds
Gus

SYSDBA
A special database administration role that contains every system privilege with ADMIN OPTION, and SYSOPER system privilege. SYSDBA also permits CREATE DATABASE actions and time-based recovery.
SYSOPER
A special database administration role that permits a database administrator to perform STARTUP, SHUTDOWN, ALTER DATABASE OPEN/MOUNT, ALTER DATABASE BACKUP, ARCHIVE LOG, and RECOVER, and includes RESTRICTED SESSION privilege.
SESSION_PRIVS
SESSION_PRIVS lists the privileges that are currently available to the user.
Column      Datatype       NULL       Description
PRIVILEGE   VARCHAR2(40)   NOT NULL   Name of the privilege
Oracle hides some information that belongs to it. Administrators cannot see 100% of it.
Joel Pérez

Similar Messages

  • Difference between Sysdba and Sysoper

    Hi,
    While connecting with SYS, what is the difference between connecting as Sysdba or Sysoper?
    Thanks in advance.

    SYSOPER is less privileged than SYSDBA.
    SYSDBA can only create a database, but SYSOPER cannot issue CREATE DATABASE command. This is the one difference I know, but there are some 2 or 3 more differences, I guess.

  • To know about sysdba

    Hi friends,
    I have one question: if any user connects as sysdba, how can we restrict connecting as sysdba?
    e.g. connect scott/tiger as sysdba
    Now scott can change any table or view of sysdba and drop any table.
    How can this be handled? Because any user can connect as sysdba, it will be a problem.
    Please tell me if there is any solution, or how we can prevent any user from connecting as sysdba.
    Thanks in advance

    Subject: ORA-01005: Connect Username AS SYSDBA Behaves Differently in 7.3.4, 8.1 and 9.2
    Doc ID: Note:243083.1 Type: PROBLEM
    Last Revision Date: 25-AUG-2003 Status: PUBLISHED
    Symptom(s)
    ~~~~~~~~~~
    When logged in the OS as the oracle binary owner and CONNECT AS SYSDBA with an
    ordinary database username, is the password required ?
    --> in 9.2 : NULL value or any value is allowed
    --> in 8.X.X : NULL value results in an ORA-01005 error
    --> in 7.3.4 : NULL value results in an ORA-01017 error
    Different Possibilities
    9.2.X
    $ id
    uid=127(ora92) gid=101(dba)
    $ sqlplus /nolog
    SQL*Plus: Release 9.2.0.3.0 - Production on Thu Jul 3 12:23:09 2003
    Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
    SQL> connect scott as sysdba
    Enter password: (enter NULL or any value)
    Connected.
    SQL> connect / as sysdba
    Connected.
    8.X.X
    $ id
    uid=118(ora817) gid=101(dba)
    $ sqlplus /nolog
    SQL*Plus: Release 8.1.7.0.0 - Production on Thu Jul 3 12:13:50 2003
    (c) Copyright 2000 Oracle Corporation. All rights reserved.
    SQL> connect scott as sysdba
    Enter password: (NULL value)
    Enter password:
    ERROR:
    ORA-01005: null password given; logon denied
    SQL> connect / as sysdba
    Connected.
    7.3.4
    $ id
    uid=164(ora734) gid=101(dba)
    $ svrmgrl
    SVRMGR> connect scott as sysdba
    Password: (NULL value)
    ORA-01017: invalid username/password; logon denied
    SVRMGR> connect / as sysdba
    Connected.
    Change(s)
    ~~~~~~~~~~
    7.3.4
    SVRMGR> connect scott/tiger as sysdba
    Connected.
    SVRMGR> connect scott/t as sysdba
    Connected.
    SVRMGR> connect scott as sysdba
    Password: (Entered tiger)
    Connected.
    SVRMGR> connect scott as sysdba
    Password: (Entered t)
    Connected.
    SVRMGR> connect as sysdba
    Username: (NULL value)
    Connected.
    SVRMGR> connect as sysdba
    Username: /
    Connected.
    SVRMGR> connect as sysdba
    Username: (NULL value)
    Connected.
    SVRMGR> connect as sysdba
    Username: scott
    Password: (NULL value)
    ORA-01017: invalid username/password; logon denied
    8.X.X
    Any database user when the OS user belongs to the dba group can connect as
    sysdba as long as the user provides his user password :
    SQL> connect scott/tiger as sysdba
    Connected.
    SQL> connect scott/t as sysdba
    Connected.
    SQL> connect scott as sysdba
    Enter password: (Entered tiger)
    Connected.
    SQL> connect scott as sysdba
    Enter password: (Entered t)
    ERROR:
    ORA-01017: invalid username/password; logon denied
    SQL> connect as sysdba
    Enter user-name: /
    ERROR:
    ORA-01017: invalid username/password; logon denied
    SQL> connect as sysdba
    Enter user-name: (NULL value)
    SP2-0306: Invalid option.
    Usage: CONN[ECT] [logon] [AS {SYSDBA|SYSOPER}] | [INTERNAL]
    where <logon> ::= <username>[<password>][@<connect_string>] | /
    SQL> connect as sysdba
    Enter user-name: scott
    Enter password:
    Enter password:
    ERROR:
    ORA-01005: null password given; logon denied
    Only the username's password is allowed in 8.X.X when not passing it in the
    connect string.
    9.2
    You can enter any value for the password or null value: it connects.
    All cases work, except when you do not provide any username:
    SQL> connect as sysdba
    Enter user-name: (NULL value)
    SP2-0306: Invalid option.
    Usage: CONN[ECT] [logon] [AS {SYSDBA|SYSOPER}]
    where <logon> ::= <username>[<password>][@<connect_string>] | /
    Cause
    ~~~~~
    When your OS login is the oracle binary owner, Oracle checks the O/S
    authentication and not the database user name.
    So whatever you put as username, it ignores and allows you to login as SYSDBA.
    Fix
    ~~~~
    An ordinary user should not be able to log in the server as the oracle binary
    owner account.
    Be careful which OS users are members of the Unix 'OSDBA' or 'OSOPER' groups
    or which NT users are members of the 'ORA_<sid>DBA' or 'ORADBA' groups when
    using O/S authentication.
    References
    ~~~~~~~~~~~
    Bug 2869802 DATABASE ALLOWS NULL PASSWORD WHEN CONNECTING AS SYSDBA
    Note 242258.1 Misconceptions About the AS SYSDBA login With any Username
    Note 50507.1 SYSDBA and SYSOPER Privileges in Oracle (UniX and NT)
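
The Fix in the note above comes down to knowing exactly which OS accounts are in the OSDBA group. As an added example (not part of the note or the thread), this script lists every account that belongs to the group through either the member list in the group file or the primary gid in the passwd file; the group name dba, the allow list and the sample files are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: who can pass OS authentication for "connect / as sysdba"?
# Assumption: the OSDBA group is named "dba", as in the id output above.

# osdba_members GROUP GROUP_FILE PASSWD_FILE
# Prints every account in GROUP, sorted, one per line. An account counts if
# GROUP is its primary group (passwd field 4) or it is named in the group's
# member list (group field 4). The primary case is easy to miss because such
# accounts do not appear in the member list at all.
osdba_members() {
    grp=$1; group_file=$2; passwd_file=$3
    gid=$(awk -F: -v g="$grp" '$1 == g { print $3; exit }' "$group_file")
    [ -n "$gid" ] || return 0          # group not defined: nobody qualifies
    {
        awk -F: -v g="$grp" '$1 == g && $4 != "" {
            n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i]
        }' "$group_file"
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd_file"
    } | sort -u
}

# unexpected_osdba GROUP GROUP_FILE PASSWD_FILE ALLOWED_USER...
# Prints the members of GROUP that are not on the allow list.
unexpected_osdba() {
    grp=$1; group_file=$2; passwd_file=$3
    shift 3
    for user in $(osdba_members "$grp" "$group_file" "$passwd_file"); do
        ok=no
        for allowed in "$@"; do
            if [ "$user" = "$allowed" ]; then ok=yes; fi
        done
        if [ "$ok" = no ]; then echo "$user"; fi
    done
}

# write_sample_files DIR: constructed group and passwd files for the demo.
write_sample_files() {
    cat > "$1/group" <<'EOF'
root:x:0:
users:x:100:scott
dba:x:101:jsmith,backup
EOF
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
ora92:x:127:101:Oracle software owner:/home/ora92:/bin/sh
jsmith:x:1001:100:DBA:/home/jsmith:/bin/sh
backup:x:1002:100:Backup job:/home/backup:/bin/sh
scott:x:1003:100:Application user:/home/scott:/bin/sh
EOF
}

demo_dir=$(mktemp -d)
write_sample_files "$demo_dir"
echo "In group dba but not on the allow list (ora92, jsmith):"
unexpected_osdba dba "$demo_dir/group" "$demo_dir/passwd" ora92 jsmith
rm -rf "$demo_dir"
```

On a real host, pass /etc/group and /etc/passwd; where accounts come from a directory service, save the output of `getent group` and `getent passwd` to files and pass those instead.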

  • Confusion about 'sysdba'; random user/password logs in as 'sysdba'

    Hi everybody,
    I just installed Oracle 9.2 Enterprise Edition. My problem is that I created a database after completing the installation and it seems that any random username/password is accepted if entered with the 'as sysdba' option in the sqlplus editor as well as the Enterprise Manager Console. Even if I type
    conn dseane/fdgdsg as sysdba
    it logs in successfully as sysdba.
    I want to disable that feature. Can anybody please help me out here??
    Also, can anybody please tell me the difference between 'sysdba' and 'sysoper'?
    Thanks in advance,
    Andy x

    There is in fact a little more to it than that.
    The default authentication mechanism for SYSDBA is by OS Group, which in this case is provided by the NTS mechanism [i.e. standard Windows call].
    If you created a bog-standard Win2K user with no group memberships then you would not be able to do this.
    It is worth reading up on why this is the case. Have a look at the Windows Platform Guides.

  • SYSDBA & SYSOPER privileges

    Upon database creation, user SYS is created with the SYSDBA system privilege and user SYSTEM is created with the SYSOPER system privilege. It is possible to grant the privilege to other users as long as you are logged in as SYS AS SYSDBA. The problem is that before my arrival to my company someone went in and revoked the SYSDBA privilege from SYS and the SYSOPER privilege from SYSTEM. No user within the database holds these privileges anymore. Is it possible to regain the SYSDBA & SYSOPER privilege for SYS without having to recreate the database??? The SYSDBA privilege is not even possible to grant to SYS since I obviously have to log in as SYS AS SYSDBA but can't since the privilege was revoked. Any ideas???

    Michael, let's start from scratch here b/c some of your assumptions are off. SYS and SYSTEM are not granted SYSDBA or SYSOPER by default.
    You can "connect internal" which gives you SYSDBA privs. Set up a password file using the "orapwd" executable and in the init.ora file set remote_login_passwordfile = exclusive. When you connect you will become SYS in the database and have the SYSDBA privilege.
    Or simply connect to the operating system with a unix user that is in the group designated as "OSDBA" - the name of the UNIX group is probably "dba". Then you can "connect internal" or "connect / as sysdba". When you connect you will become SYS in the database and have the SYSDBA privilege.
    HTH,
    Aaron Newman
    Database Security Consultant

  • Error ORA-28009: connection as SYS should be as SYSDBA or SYSOPER

    Hi,
    I try to connect to Oracle in C# 2005. I'm using Oracle 10.2.0.3.0 on Windows Vista.
    I can connect as user scott, but can't do the same thing with user sys as sysdba. I encounter the error:
    "ORA-28009: connection as SYS should be as SYSDBA or SYSOPER"
    This is my code:
    using System;
    using System.Data.SqlClient;
    using System.Data.OleDb;
    namespace ConsoleApplication2
    {
        class Program
        {
            static void Main(string[] args)
            {
                string connectionString = "provider=MSDAORA;data source=ORCL;user id=sys;password=orcl";
                OleDbConnection myOleDbConnection = new OleDbConnection(connectionString);
                try
                {
                    myOleDbConnection.Open();
                    Console.WriteLine("successfull");
                    Console.ReadLine();
                }
                catch (Exception ex)
                {
                    Console.WriteLine(ex.Message);
                    Console.Read();
                }
            }
        }
    }
    I have googled this error and see that some people use the Oracle.DataAccess.Client namespace to solve this error, but I can't find this namespace reference.
    I want to connect to Oracle in C# 2005 as user id = sys.
    So, please help me.
    Thanks

    It should be there regardless of the version you installed. Go into your GAC and give it a look over (C:\Windows\assembly); the Oracle.** should be there after a successful installation. It is actually in your best interest to get the latest and greatest; the versions are backward compatible (I believe they all work to 9i++).
    You can also go to
    %ora_home%\odp.net
    it will have sample c# and vb applications there
    (%ora_home% tends to be c:\oracle\product\#####\Client_1\)
    Have a look over the odp.net demos, that may very well put you on the correct track to getting things working.

  • Oracle users and revoking privileges

    Hello,
    To test out some error conditions in an application, I'd like to temporarily revoke a privilege on a table from a database user.
    I am trying to do that, logged into SQL*Plus as "sys" or "system", and running the command:
    REVOKE UPDATE ON USERX.TABLE_A FROM USERX;
    However, this is failing with the following message:
    ORA-01927: cannot REVOKE privileges you did not grant
    I've also tried logging into my server as oracle, typing "sqlplus /nolog" at the command line, then "connect internal as sysdba;" from the SQL*Plus prompt, and then running the REVOKE command, but that results in the same error message.
    So basically my question is: if neither the "sys" nor the "system" user is able to revoke the privilege from the "userx" user (because they did not specifically grant it), how would I determine which oracle user would be able to do this? Or how else would I go about revoking the privilege?
    I'm running Oracle8i Enterprise Edition Release 8.1.6.1.0 on Linux.
    Thanks for your help with this. I am not very familiar with Oracle DBA concepts.

    Hello,
    I fully agree with Eric... Yes! A user created a table, which means the user is the OWNER of the table, and that means the user by default has the privilege of DML operations, I believe. OK.
    And the privileges which you have not granted... then how could you revoke them? Whether it may be SYS or SYSTEM or for that matter any user account.
    If you really want to restrict the restrict option on a table owned by your user, then I can suggest putting a schema-level trigger on the DML action. This will be fired when an update is invoked on the table by the user, and there you can have your STOP mechanism... BUT this is not really suggested.
    Regards,
    Kamesh Rastogi
    Oracle - DBA

  • Oper account not created but how can i get sysoper privilege

    Hello Everyone ;
    When installing Oracle I did not create an oper account.
    Now I am checking my personal database;
    SQL> show user;
    USER is "SYS"
    SQL> select * from system_privilege_map where name like '%SYS%';
    PRIVILEGE  NAME      PROPERTY
      -3    ALTERSYSTEM    0
      -4    AUDIT SYSTEM  0
      -83    SYSDBA        0
      -84    SYSOPER 0
    SQL> select count(*) from session_privs;
      COUNT(*)
      166
    >> Connecting as sysoper
    I can connect SYS /as SYSOPER but this session has only 3 privileges - why?
    SQL> conn /as sysoper
    Connected.
    SQL> select count(*) from session_privs;
      COUNT(*)
      3
    SQL> select * from system_privilege_map where name like '% SYS%';
    PRIVILEGE NAME PROPERTY
      -3  ALTER SYSTEM  0
      -4  AUDIT SYSTEM  0
    SQL> select * from session_privs;
    PRIVILEGE
    CREATE SESSION
    RESTRICTED SESSION
    SYSOPER
    SQL> show user;
    USER is "PUBLIC"
    SQL> shut immediate;
    Database closed.
    Database dismounted.
    ORACLE instance shut down.
    Even though I did NOT create an oper account for the sys user, how can I get all sysoper privileges for the public user?

    Thanks for quick response;
    http://asktom.oracle.com/pls/asktom/f?p=100:11:0::::P11_QUESTION_ID:2659418700346202574
    sysoper is another role, if you connect as sysoper, you'll be in a schema "public" a
    I am getting confused by the given link and your answer,
    because the system is displaying USER is "PUBLIC".
    when i review  (See $ORACLE_HOME/rdbms/lib/config.c in your installation).
    /*  SS_DBA_GRP defines the UNIX group ID for sqldba adminstrative access.  */
    /*  Refer to the Installation and User's Guide for further information.  */
    #define SS_DBA_GRP "dba"
    #define SS_OPER_GRP "dba"
    char *ss_dba_grp[] = {SS_DBA_GRP, SS_OPER_GRP};
    ~
    I am sorry for comparing both replies.
    please clarify little more.

  • System and Object privileges question

    hello everyone.
    I was really making it a priority to really understand both system and object privileges for users. I have set up a couple of 'sandboxes' at home and have done lots of testing. So far, it has gone very well in helping me understand all the security involved with Oracle (which, IMHO, is flat out awesome!).
    Anyway, a couple of quick questions.
    As a normal user, what view can I use to see what permissions I have in general? What about permissions on other schemas?
    I know I can do a:
    select * from session_privs
    which lists my session privileges.
    What other views (are they views/data dictionary?) that I can use to see what I have? Since this is a normal user, they don't have access to any of the DBA_ views.
    I'll start here for now, but being able to see everything this user has, would be fantastic.
    Cheers,
    TCG

    Sorry. should have elaborated more.
    In SQLPLUS, (logged in while logged into my Linux OS), I am working to try and get sqlplus to display the results of my query so it is easy to read. Right now, it just displays using the first 1/4 or 1/3 of the monitor screen to the left. Make sense? So it does not stretch the results out to utilize the full screen. it is hard to break down and read the results because they are "stacked" on top of each other.
    Would be nice if I could adjust sqlplus so the results are easier to read.
    HTH.
    Jason

  • How to get SYSDBA or SYSOPER credentials

    Hi,
    I am having SYS credentials. But I want to know SYSDBA or SYSOPER credentials.
    How can I check in Database to get them?
    DB:11g.
    I am trying to connect using windows GUI it is asking for anyone of those SYSDBA or SYSOPER credentials

    Hulk wrote:
    I have newly set up my Oracle 11g Database under 'administrator' account in new Windows2008 Server.
    From my oracle batch jobs I am trying to connect DB as shown: SQLPLUS /@%DBName%
    as this line it is throwing logon denied - error message.
    My Old DB is 8i and Server is WindowsNT ,user account ='zadministrator'.
    Why was it throwing error?

    Unfortunately you did not show us the actual error message. Instead you chose to give us your interpretation of it. "logon denied" could be a lot of things. An actual error message, including the ora-nnnn number will tell us what it is.
    And you didn't tell us if you tried this connection from the database server or a client machine.
    Copy and paste from a command session is a wonderful thing, but only if you use it.

  • Login as SYSDBA or SYSOPER

    Can OO4O connect with SYS as SYSDBA or SYSOPER? We have certain scripts that run with 'sys' username only. This needs to be executed when an administrator clicks a button on our website. I tried the following:
    Set OraDatabase=OraSession.OpenDatabase("oadv", "sys/syspassword as SYSDBA", 0)
    But it says "Invalid user name"
    Any help would be appreciated.

    Connect to the database as SYSTEM and prefix database table query with the SYS schema.
    SYS.<table>

  • Connect as SYSDBA or SYSOPER

    Does anyone have a sample on how to connect as either SYSDBA or SYSOPER through 0040?
    Thank you in advance,
    Ben

    Hi,
    First, from the 8.1.7 CD, install the 8i Management Server components option. This will install the management server components on your disk.
    Then from the Enterprise Manager menu, run the configuration assistant, which will create the Management server service for you (NT) and create a repository.
    Then connect from the Enterprise Manager Console and connect using SYSMAN and password oem_temp. From the Menu, select discoverer/refresh node. Then you have to add the database to the node (it will be detected automatically from the server running the Management server or the Intelligence Agent).
    Then you can connect to the database using sys/<password> and choose the SYSDBA role!
    Hope this helps
    Deepak
    I could only connect as NORMAL. I don't have a management server.
    Or do I have to log in as administrator in order to connect as SYSDBA or SYSOPER?

  • Comprehensive Information about User and Objects

    Hello,
    This is on 9i.
    Which tables/views can I use to derive the following information?
    1. Owner Name/User Name
    2. Objects owned by the user
    3. Privileges assigned
    4. Roles assigned
    5. Whether user has admin privileges
    6. Whether user is grantor to other user
    7. Whether user is grantee by other user
    8. Tables privileged
    9. Columns privileged
    10. Whether user has ISDBA/ISOPER roles
    11. Recent login attempts
    12. Last password reset date
    Thanks,
    R

    This is kind of an odd forum post, especially given that you listed twelve general questions. It almost seems like a homework assignment :)
    With that in mind I'll give you the general instructions that you should follow before posting any other questions on the forum.
    Go to http://tahiti.oracle.com
    Then click on your version. This will bring you to all the documentation for the version you have chosen. In this case the following books may be a good place to start:
    Database References (this lists all the views in the database)
    Administrator's Guide (will have information about permissions and other administrative tasks)
    Security Guide
    HTH!
