Home » RDBMS Server » Security » revoke sysoper from userA when the parameter "remote_login_passwordfile" is set
revoke sysoper from userA when the parameter "remote_login_passwordfile" is set [message #64494] Wed, 02 February 2005 05:23 Go to next message
kalpin
Messages: 4
Registered: February 2005
Junior Member
I know that When the parameter "remote_login_passwordfile" is set to "shared", we can not grant sysdba or sysooper priviledge to a user other than SYS. But at this time i can revoke sysdba or sysoper from a user who was granted these priviledges when the "remote_login_passwordfile" is "exclusive".Here is my experiments:
SQL>show parameter remote_login_passwordfile
NAME TYPE VALUE
------------------------------------ ----------- -----------
remote_login_passwordfile string EXCLUSIVE
SQL> select * from v$pwfile_users;

USERNAME SYSDB SYSOP
------------------------------ ----- -----
SYS TRUE TRUE
A FALSE TRUE
SYSTEM FALSE TRUE
SQL> alter system set remote_login_passwordfile=shared scope=spfile;
system altered
SQL> shutdown immediate
database closed
database dismounted
ORACLE instance shutdown
SQL> startup
ORACLE instance started

Total System Global Area 252779340 bytes
Fixed Size 453452 bytes
Variable Size 209715200 bytes
Database Buffers 41943040 bytes
Redo Buffers 667648 bytes

SQL> select * from v$pwfile_users;

USERNAME SYSDB SYSOP
------------------------------ ----- -----
SYS TRUE TRUE

SQL> revoke sysoper from a;
revoke succeeded

After i set the remote_login_passwordfile to "exclusive" again and restart the database,user A is still granted the sysoper priviledge, Why ? the revoke command didn't work,did it ?
SQL> select * from v$pwfile_users;

USERNAME SYSDB SYSOP
------------------------------ ----- -----
SYS TRUE TRUE
A FALSE TRUE
SYSTEM FALSE TRUE

I think that When remote_login_passwordfile is set to none or shared, Oracle should not give a "revoke succeeded" response after "revoke sysoper from a" command was executed, what it should give is "cannot revoke users from public password file" which is just like the error info after "grant sysoper to a" in "shared" or "none" mode.
Re: revoke sysoper from userA when the parameter "remote_login_passwordfile" is set [message #289976 is a reply to message #64494] Wed, 26 December 2007 23:53 Go to previous messageGo to next message
mkbhati
Messages: 93
Registered: February 2007
Location: Mumbai
Member
There is a shift in behaviour for parameter REMOTE_LOGIN_PASSWORDFILE in 10g please see following in Oracle Database Reference 10R2 :

Parameter REMOTE_LOGIN_PASSWORDFILE
Property Description
Parameter type String
Syntax REMOTE_LOGIN_PASSWORDFILE= {NONE | SHARED}
Default value SHARED
Modifiable No
Basic Yes
RAC Multiple instances must have the same value.

REMOTE_LOGIN_PASSWORDFILE specifies whether Oracle checks for a password file.
Values:
NONE : Oracle ignores any password file. Therefore, privileged users must be authenticated by the operating system.
SHARED : One or more databases can use the password file. The password file can contain SYS as well as non-SYS users.

Note : The value EXCLUSIVE is supported for backward compatibility. It now has the same behavior as the value SHARED



Re: revoke sysoper from userA when the parameter "remote_login_passwordfile" is set [message #290006 is a reply to message #289976] Thu, 27 December 2007 01:51 Go to previous messageGo to next message
Michel Cadot
Messages: 68712
Registered: March 2007
Location: Saint-Maur, France, https...
Senior Member
Account Moderator
I didn't read your answer and I don't think OP will read it 3 years after his post.
Good to see you want to contribute to the forum but try to choose younger posts.

Regards
Michel
Re: revoke sysoper from userA when the parameter "remote_login_passwordfile" is set [message #290009 is a reply to message #289976] Thu, 27 December 2007 01:56 Go to previous message
Michel Cadot
Messages: 68712
Registered: March 2007
Location: Saint-Maur, France, https...
Senior Member
Account Moderator
Quote:

Note : The value EXCLUSIVE is supported for backward compatibility. It now has the same behavior as the value SHARED

This is wrong.
This is what the documentation states but it is wrong, I already raised a documentation bug and this is fixed in 11g documentation.

Regards
Michel
Previous Topic: Regarding Security Patch
Next Topic: orapwd file deleted
Goto Forum:
  


Current Time: Wed Nov 13 03:22:48 CST 2024