Restrict user to use ‘conn /as sysdba’ from OS Level

Is it possible to allow a specific user or group to use sqlplus at the OS level, but restrict "sqlplus / as sysdba" for that same user or group?

Normally anyone with an Oracle username assigned to them can use SQL*Plus, but only members of the Oracle owner OS group can use sqlplus as sysdba without needing a password. This privilege is normally assigned to OS group DBA, but can be different. I have worked on a system where members of the DBA group could not connect using as sysdba since Oracle was set up only in oinstall. This is configured at install time. The answer to your question as asked is, No. If you assign them to the privileged group then they have the privilege.

If I understood your question correctly, the answer to the question is YES, as long as the user is not part of the dba group. The execute flag is set for "others" by default, so any user can run sqlplus and connect with a username/password. You don't even have to set up a new user or group specifically, just make sure that the user is not part of the dba group:

Default rights for sqlplus have set the execution flag for others:

$ cd /opt/oracle/product/12.2.0.1/dbhome_1/bin
$ ls -al sqlplus
-rwxr-xr-x 1 oracle oinstall 25168 Sep 22 16:48 sqlplus

User gerald is not part of dba group and therefore not allowed to connect via sqlplus / as sysdba:

$ id
uid=54322(gerald) gid=54331(gerald) groups=54331(gerald)

$ sqlplus / as sysdba

SQL*Plus: Release 12.2.0.1.0 Production on Sat Sep 23 04:22:33 2017

Copyright (c) 1982, 2016, Oracle.  All rights reserved.

ERROR:
ORA-01017: invalid username/password; logon denied


Enter user-name:

However, the user gerald can still run sqlplus and connect via username/password:

$ id
uid=54322(gerald) gid=54331(gerald) groups=54331(gerald)

$ sqlplus sys/gerald as sysdba

SQL*Plus: Release 12.2.0.1.0 Production on Sat Sep 23 04:27:58 2017

Copyright (c) 1982, 2016, Oracle.  All rights reserved.

Connected to:
Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production

SQL> exit
Disconnected from Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production

Obviously, if you don't want to give users SYS access at all, don't share the SYS password with them!
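
Since both answers come down to OS group membership, the following added example (not part of the original answers) lists every account that belongs to a group, counting both supplementary members and accounts whose primary GID is that group. It assumes the OSDBA group is named dba as in the answers; the function names, the sample accounts other than gerald, and the dba GID are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original answers): list every OS account in a group.
# Assumption: the OSDBA group is named "dba", as in the answers above.

# osdba_members GROUP [GROUP_FILE] [PASSWD_FILE]  (hypothetical helper name)
osdba_members() {
    grp=$1
    group_file=${2:-/etc/group}
    passwd_file=${3:-/etc/passwd}

    # Numeric GID of the group; fail if the group is not defined.
    gid=$(awk -F: -v g="$grp" '$1 == g { print $3; exit }' "$group_file")
    [ -n "$gid" ] || return 1

    {
        # Supplementary members: comma-separated 4th field of the group entry.
        awk -F: -v g="$grp" '$1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "$group_file"
        # Accounts whose primary GID is the group; usually not listed in field 4.
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd_file"
    } | sort -u
}

# Constructed sample files (gerald's IDs taken from the answer, the rest invented).
make_sample() {
    cat > "$1/passwd" <<'EOF'
oracle:x:54321:54321::/home/oracle:/bin/bash
gerald:x:54322:54331::/home/gerald:/bin/bash
svcbackup:x:54323:54330::/home/svcbackup:/bin/bash
EOF
    cat > "$1/group" <<'EOF'
oinstall:x:54321:oracle
dba:x:54330:oracle,alice
gerald:x:54331:
EOF
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
osdba_members dba "$demo_dir/group" "$demo_dir/passwd"
rm -rf "$demo_dir"
```

On hosts that resolve accounts through LDAP or SSSD, save the output of `getent group` and `getent passwd` to files and pass those instead of the local files.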
