Author: Burleson
SYS Account:
In Oracle, the SYS and SYSTEM accounts are created automatically when the database is created, and both are granted the DBA role. SYS also owns the data dictionary and holds the SYSDBA privilege, the highest level of access to the database: it can create users, start up and shut down the instance, and so on.
Securing the SYS account is therefore critical. Ordinary database users should never be able to connect as SYS; anyone who can is able to shut down your entire database, among other things.
Be careful while assigning UNIX Users to DBA Group:
In some scenarios a user can connect as SYS without knowing the SYS password at all. On UNIX, any OS account that belongs to the OSDBA group (usually named dba) is authenticated by the operating system and can connect as SYSDBA with no database password:
sqlplus "/ as sysdba"
So membership in the dba group must be assigned with care: once an OS account is in that group, the security of SYS is only as strong as the OS password and access controls of that account. An Oracle installation normally creates two groups, oinstall (the software inventory group) and dba (the OSDBA group).
Always use separate OS accounts for separate tasks. For example, the account that owns the Oracle software installation should be distinct from the accounts used to start up and shut down the database, and only the latter belong in the dba group. The software owner or any other account that does not administer the database should not be able to control database startup and shutdown, so dba group membership should be granted to no one who does not need SYSDBA access.
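Because every member of the OSDBA group can connect as SYSDBA with no database password, it is worth enumerating exactly who is in it. The script below is an added example, not code from the original article. It assumes the OSDBA group is named dba (the name compiled into a given ORACLE_HOME is recorded in $ORACLE_HOME/rdbms/lib/config.c) and runs against constructed /etc/group and /etc/passwd contents; it also catches accounts whose primary group is dba, which the member list in /etc/group does not show.

```shell
#!/bin/sh
# Added example (not from the original article): list OS accounts that can run
# "sqlplus / as sysdba" without a password because they are in the OSDBA group.
# Assumptions: the OSDBA group is named "dba"; the /etc/group and /etc/passwd
# contents below are constructed sample data, not from a real host.

SAMPLE_GROUP='root:x:0:
oinstall:x:54321:oracle
dba:x:54322:oracle,jsmith,backup
users:x:100:'

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
oracle:x:54321:54321:Oracle owner:/home/oracle:/bin/bash
jsmith:x:1001:100:J Smith:/home/jsmith:/bin/bash
appbatch:x:1002:54322:Batch jobs:/home/appbatch:/bin/sh'

# GID of the named group, read from /etc/group-format text on stdin.
group_gid() {
    awk -F: -v g="$1" '$1 == g { print $3; exit }'
}

# Supplementary members of the named group (fourth field), one per line.
group_members() {
    awk -F: -v g="$1" '$1 == g {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }'
}

# Accounts whose primary group in /etc/passwd is the given GID. They are in the
# group as well, even though /etc/group does not list them.
primary_members() {
    awk -F: -v gid="$1" '$4 == gid { print $1 }'
}

# Every account in the OSDBA group, sorted and unique.
# $1 = /etc/group text, $2 = /etc/passwd text, $3 = OSDBA group name
osdba_accounts() {
    gid=$(printf '%s\n' "$1" | group_gid "$3")
    {
        printf '%s\n' "$1" | group_members "$3"
        [ -n "$gid" ] && printf '%s\n' "$2" | primary_members "$gid"
    } | sort -u
}

# OSDBA members other than the expected software owner: these need review.
# $4 = the one account expected to be there (e.g. oracle)
osdba_unexpected() {
    osdba_accounts "$1" "$2" "$3" | grep -v -x -- "$4" || true
}

# Against the constructed sample this prints appbatch (primary GID 54322),
# backup and jsmith.
osdba_unexpected "$SAMPLE_GROUP" "$SAMPLE_PASSWD" dba oracle
```

On a real host call `osdba_unexpected "$(cat /etc/group)" "$(cat /etc/passwd)" dba oracle`; where accounts come from NIS or LDAP, feed it `getent group` and `getent passwd` output instead, since the local files alone will miss those members.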
Never use password directly on command line:
Putting a password on the command line is dangerous. In SQL*Plus a user will most likely log in as follows; suppose the user is MYUSER and the password is MYPASSWORD.
sqlplus MYUSER/MYPASSWORD
Any other user on the system who runs the following command on another terminal can then read MYUSER's password from the process list:
ps -ef | grep sqlplus
The output will be
sqlplus MYUSER/MYPASSWORD
The same line is also written to the shell history file. This is a serious hole: no database or OS privilege is needed to read another user's command line.
Instead, enter only the user name and let SQL*Plus prompt for the password:
sqlplus MYUSER
Another option is to use /nolog
sqlplus /nolog
SQL> connect MYUSER/MYPASSWORD
From a script you can connect the same way by feeding the connect command on standard input with a here document, so the password never appears on the command line:
sqlplus /nolog <<EOF
connect MYUSER/MYPASSWORD
… other SQL statements
EOF
The password is still stored in clear text in the script file, so the file must be readable only by its owner (mode 600).
Never use SYS Account User during Explain Plan:
When running the TKPROF tool a database administrator must name the account under which EXPLAIN PLAN is run, and it is tempting to give the SYS credentials. For example, the following command passes the SYS password on the command line in the explain clause:
tkprof tracefile.trc tkout.out explain=sys/changed
The same exposure applies here: the SYS password is visible in the process list for as long as TKPROF runs, so keep it off the command line. Beyond that, SYS should never be the explain user at all. Run EXPLAIN PLAN as the application user whose statements are in the trace file: that user's privileges, synonyms and schema determine which objects the statements resolve to, and a plan produced as SYS may not match what the application actually executed.
Do not use Environmental Variables:
It may seem that a password can be passed securely by putting it in an environment variable and expanding the variable in the script:
sqlplus -s MYUSER/$MYPASSWORD @report
This is no better. The shell expands $MYPASSWORD before sqlplus starts, so the plaintext password is on the command line and visible in ps exactly as before. In addition, on some UNIX systems the environment of other users' processes can be listed; on Solaris, for example, the following BSD-style ps command displays the environment variables and values of the processes currently running on the system, root's included, depending on the privileges of the caller:
/usr/ucb/ps uxgaeww
Setting the variable from a file that only the script's owner can read is a little better, but the password is still in clear text on disk and the expansion onto the command line still happens. The supported way to keep the password out of scripts entirely is Oracle's Secure External Password Store: the credentials are kept in a wallet and the script connects with sqlplus /@alias, with no password in the script, the environment or the command line.
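To make the three cases above concrete (password as an argument, password from an expanded environment variable, and password on standard input via /nolog and a here document), the following added example starts a stand-in process in each style and reads its command line the way any other user on the host can. This is not code from the original article; it assumes no Oracle client is installed and uses a plain sh -c process in place of sqlplus, and MYUSER/MYPASSWORD are constructed values.

```shell
#!/bin/sh
# Added example (not from the original article): what another user on the host
# sees for each way of passing a password. A "sh -c" process named fakesqlplus
# stands in for sqlplus (an assumption of this demo, not a real client); the
# user name and password are constructed values.

# Command line of a running process, as any user on the host can read it:
# Linux exposes it in /proc/<pid>/cmdline; elsewhere fall back to ps.
cmdline_of() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"
    else
        ps -o args= -p "$1"
    fi
}

# Start the stand-in client with the given stdin text and arguments, read its
# command line from outside, stop it, and report whether the secret was there.
# $1 = secret to look for, $2 = text fed on stdin, remaining args = argv
probe() {
    secret=$1; stdin_text=$2; shift 2
    # several commands in -c so the shell does not exec the last one in place
    printf '%s\n' "$stdin_text" | sh -c 'read line; sleep 3; :' fakesqlplus "$@" &
    pid=$!
    sleep 1
    seen=$(cmdline_of "$pid")
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    case "$seen" in
        *"$secret"*) echo exposed ;;
        *)           echo hidden ;;
    esac
}

# 1. sqlplus MYUSER/MYPASSWORD : the password is an argument.
demo_cmdline() {
    probe "MYPASSWORD" "" "MYUSER/MYPASSWORD"
}

# 2. sqlplus -s MYUSER/$MYPASSWORD @report : the shell expands the variable
#    before the client starts, so the result is the same as case 1.
demo_env_var() {
    MYPASSWORD="MYPASSWORD"; export MYPASSWORD
    probe "$MYPASSWORD" "" -s "MYUSER/$MYPASSWORD" @report
}

# 3. sqlplus /nolog <<EOF / connect MYUSER/MYPASSWORD : the password travels
#    on standard input, which is not part of the command line.
demo_stdin() {
    probe "MYPASSWORD" "connect MYUSER/MYPASSWORD" /nolog
}

echo "argument:    $(demo_cmdline)"   # exposed
echo "env var:     $(demo_env_var)"   # exposed
echo "stdin:       $(demo_stdin)"     # hidden
```

The stdin case hides the password from the process list only; it is still in the script file or the shell history of whoever typed the here document, and on Linux the hidepid mount option for /proc narrows what other users can read but is not something a script should rely on.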