Locked user SYS and SYSTEM
DB version: 11.2.0.2Operating system: Solaris 10
In our production of DBs, I noticed that the SYS and SYSTEM users are locked
$ sqlplus / as sysdba
SQL*Plus: Release 11.2.0.2.0 Production on Thu Jan 19 14:21:34 2012
Copyright (c) 1982, 2010, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - 64bit Production
With the Partitioning option
SQL> select username, account_status from dba_users where username like 'SYS%';
USERNAME ACCOUNT_STATUS
------------------------------ --------------------------------
SYSTEM LOCKED
SYS LOCKED
1. How can I connect to the SYS account despite the confinement. Is it because I have connected via external authentication?2. don't lock the user SYS standard practice? If so, why?
1. How can I connect to the SYS account despite the confinement. Is it because I have connected via external authentication?
you are the owner of the HOUSE of the ORACLE, you need to connect. Yes its because of external authentication.
Of course you can not connect the user to the system. Have you tried?
2. don't lock the user SYS standard practice? If so, why?
Depends on the security, some cases, a user will be created with DBA roles.
Tags: Database
Similar Questions
-
Expiry of the password for user SYS and SYSTEM
My database 11g 2 on Redhat 5 has sys and system user password expired
But I can still connect the databsae with expired password t.SQL> select username,account_status,EXPIRY_DATE from dba_users where username like 'SYS%'; 2 USERNAME ACCOUNT_STATUS EXPIRY_DA ------------------------------ -------------------------------- --------- SYSMAN OPEN SYSTEM OPEN 15-FEB-11 SYS OPEN 15-FEB-11
Should I worry about the expiration of the password of the user these? For a normal user, I can not connect with expired passwordDear user13148231,
Here's an illustration;
SQL> alter user sys account lock; User altered. SQL> select username, account_status, lock_date, expiry_date from dba_users where USERNAME='SYS'; USERNAME ACCOUNT_STATUS LOCK_DATE EXPIRY_DA ------------------------------------------------------ SYS LOCKED 20-AUG-10 23-FEB-09 SQL> host sqlplus sys/password@opttest as sysdba SQL*Plus: Release 10.2.0.4.0 - Production on Fri Aug 20 12:25:43 2010 Copyright (c) 1982, 2007, Oracle. All Rights Reserved. Connected to: Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production With the Partitioning, OLAP, Data Mining and Real Application Testing options SQL> exit Disconnected from Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production With the Partitioning, OLAP, Data Mining and Real Application Testing options SQL> alter user sys identified by password password expire; User altered. SQL> select username, account_status, lock_date, expiry_date from dba_users where username='SYS'; USERNAME ACCOUNT_STATUS LOCK_DATE EXPIRY_DA ------------------------------------------------------ SYS EXPIRED & LOCKED 20-AUG-10 20-AUG-10 SQL> host sqlplus sys/password@opttest as sysdba SQL*Plus: Release 10.2.0.4.0 - Production on Fri Aug 20 12:27:02 2010 Copyright (c) 1982, 2007, Oracle. All Rights Reserved. Connected to: Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production With the Partitioning, OLAP, Data Mining and Real Application Testing options SQL> exit Disconnected from Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production With the Partitioning, OLAP, Data Mining and Real Application Testing options SQL> alter user sys identified by password account unlock; SQL> select username, account_status, lock_date, expiry_date from dba_users where username='SYS'; USERNAME ACCOUNT_STATUS LOCK_DATE EXPIRY_DA ------------------------------ -------------------------------- --------- --------- SYS OPEN
Even if the State expired and locked it's OK to connect to the database for the user SYS.
SQL> alter user ogan identified by password account lock password expire; User altered. SQL> select username, account_status, lock_date, expiry_date from dba_users where username='OGAN'; USERNAME ACCOUNT_STATUS LOCK_DATE EXPIRY_DA ------------------------------ -------------------------------- --------- --------- OGAN EXPIRED & LOCKED 20-AUG-10 20-AUG-10 SQL> conn ogan/password ERROR: ORA-28000: the account is locked Warning: You are no longer connected to ORACLE. SQL> conn / as sysdba Connected. SQL> alter user ogan account unlock; User altered. SQL> conn ogan/password@opttest ERROR: ORA-28001: the password has expired Changing password for ogan New password: Retype new password: Password changed Connected. SQL>
Ogan
-
Subsidies granted by user SYS and SYSTEM
Hi all
Please, help me to understand this problem.
I have a few schema named maps_ref where I create a view. (table abc discovers abc01).
Here, I have granted the create view, creates all privs view to maps_ref by linking the SYS as SYSDBA.
He alllowed me to create the view.
As a test, I revoked the privileges by connecting as a SYSTEM and he revoked the privileges granted by SYS as SYSDBA.
Later, of course, I couldn't create the view.
This means that subsidies granted by SYS as SYSDBA resumable system however SYSDBA is then more powerful SYSTEM?
I'm a little confused how it worked? Please explain.
Rgds,
AashishHello
SYS is not normal user and you are not able to connect without clause SYSDBA.
sqlplus sys@test
SQL * more: version 11.1.0.7.0 - Production on Wed Apr 8 09:48:37 2009
Copyright (c) 1982, 2008, Oracle. All rights reserved.
Enter the password:
ERROR:
ORA-28009: connection as SYS must be SYSDBA or SYSOPEREnter the user name:
sqlplus sys@test as sysdba
SQL * more: version 11.1.0.7.0 - Production on Wed Apr 8 09:48:55 2009
Copyright (c) 1982, 2008, Oracle. All rights reserved.
Enter the password:
Connected to:
Oracle Database 11 g Enterprise Edition Release 11.1.0.7.0 - 64 bit Production
With partitioning, OLAP, Data Mining and Real Application Testing optionsSQL >
Kind regards
Tom
http://OracleDBA.cz -
Hi all
We have 10.2.0.4 on solaris 10.
Currently we have I.T. audit on our environment, and the auditor commented to lock the user sys and system and use a single user with any name (not the name generic oracle) and grant him the privilege of sys and system and use this user for admin purposes. is this true?... is it recommended?
Please notifyHello
I think that this is not a good way to lock SYS.
In addition, if you connect as administrator (root for Unix/linux) operating system on the server and use
Authentication of the BONE and then, you can connect to SYS AS SYSDBA anyway.So, in fact, it is not possible to lock SYS even if you run the following:
ALTER USER SYS ACCOUNT LOCK;
If you want to prevent access on SYS, you must set a password long and complex and
apply the same rule for the admin / root user OS.These passwords must be known very little and well - to identify the people and written nowhere
(in files or scripts).Plus more, you should restrict DBA role to SYS and SYSTEM and remove this powerful role
other Oracle users.Then, you can enable the CHECK in order to control the connection to the session database and,.
create a LOGIN TRIGGER to verify the connection, the workstation, the program end-users
that connect to the database.In 10g, DBConsole EM shows an alert whenever a user is logged on with SYS.
Please find attached, an interesting paper written by Pete Finigan on this topic:
http://www.insight.co.UK/files/presentations/hacking%20and%20securing%20Oracle.PDF
Hope this helps.
Best regards
Jean Valentine -
sys and system schema are expired &; locked after disaster recovery.
Hi all
In one of our development database, I conducted disaster recovery and he succeeded.
After completing the recovery thre, sys and system schema are expired & locked.
So, I'm not able to carry out any type of operation that is performed by the user sys and system.
Database Version: 11g r2
Operating system: RedHat 5.5
Please please suggest me how can I solve this problem?
Thank you
Pitard.It might be
What is the status of the users in the source database from which you have taken backup? Maybe he has so locked even after performing refresh status remains the same.
See your profile stats below. All have remained unanswered. You simply test patience? If this isn't the case, close all threads as answered. Clean up the forum.
User profile for pitard
Pitard
Handle: Pitard
Status level: Beginner
Join date: March 4, 2010
Total messages: 9
Total Questions: 8 (8 open)
Viren namePublished by: CKPT on February 20, 2012 19:47
-
By default, the user SYS and SYSTEM are assigned the DEFAULT profile. According to this profile setting (PASSWORD_LIFE_TIME), the password is suppose to be expired every 180 days, but the SYS and system accounts State is OPEN even after 1 year, not EXPIRED. Pls someone clarify this point.
USER NAME CREATED THE ACCOUNT_STATUS PROFILE
------------------------------ --------- -------------------------------- ------------------------------
SYS 24 AUGUST 13 OPEN BY DEFAULT
24 AUGUST 13 OPEN BY DEFAULT
PROFILE RESOURCE_NAME RESOURCE LIMIT
------------------------------ -------------------------------- -------- ----------------------------------------
PASSWORD_LIFE_TIME 180 DEFAULT PASSWORD
1762432 wrote:
When was the last time that someone actually tried to connect as SYSTEM?
--> No not tried until now. This means if try to connect as a SYSTEM, then it gets only EXPIRED remains OPEN even if the PASSWORD_LIFE_TIME stretches limited 180.
Have you read the link I gave you? In particular, the discussion on the fig. 5 and fig. 6.
If you had, you would have the answer to this question.
I thought the account that EXPIRES based on PASSWORD_LIFE_TIME even gets does not attempt to connect DB via the account.
Then, you thought wrong. As I said earlier, the database does not spend time constantly trawling through accounts looking to see if something has passed its expiration date. If she did that, he would never time to do something else. He checks in the context of a connection request and responds
as a result.
-
Why is password for SYS and SYSTEM different
I use 10g Express
During the installation I created the password and I use it as a password with SYS, but it does not work with the SYSTEM
(I'm with Windows 7 on AMD x 64)
Thank you.Hello
The SYS and SYSTEM password are asked during the database creation process.
May be that a different password has been set.
Anyway, as you know the password for SYS, you can change the password for the SYSTEM with the following statement:
alter user system identified by
; Hope this helps.
Best regards
Jean Valentine -
Encrypt the sys and system tables
How encrypt/limit sys and system tables so that no users can view them.
On a user database few have access s/n.
Is it possible to restrict their access to the tables of the dictionary.RAC_DBA wrote:
How encrypt/limit sys and system tables so that no users can view them.On a user database few have access s/n.
Is it possible to restrict their access to the tables of the dictionary.
If you want to protect the data dictionary, then use 07_DICTIONARY_ACCESSIBILITY parameter to deny users that has 'SELECT ANY TABLE' privilege to select the data belonging to SYS
And don't forget, if you share the password for user SYS or SYSTEM, it means that you share all the information as data dictionary
-
sys and system of export and import
Hi all
is there a difference with exports or imports, usiing the sys user and user of the system.
a schema export and import has to do with the system user only.
What is the difference in fact.
Thank you!Hello
In general, never use sys - you can't export consistent reading on the one hand, that the sys user. As long as the user you run expdp/impdp a permission/imp_full_database, they should be able to unload/load anything.SYS the property in the goods may not be imported/exported in any case. tab$ is for example a table in sys but rows in it are added/removed by sql recursive create/delete table implementation.
Kind regards
Harry -
Question about user SYS and ROLES
Hello
When I create a role, such as:
I see that as soon as the role is created, it is automatically granted to the SYS.create role atestrole;
I thought that, given the fact that SYS has already all the privileges system and object in existence, that the automatic grant was superfluous and unnecessary. To test this, I have revoked the role of 'atestrole' of SYS and then tried to give "atestrole" as user SYS to SCOTT. As expected, SYS has been able to give "atestrole" SCOTT.
At this point, it seems that the automatic granting of new roles to SYS does not SYS, being able to do something that he would be able to do otherwise.
Question: SYS automatically grant all newly created roles, cause SYSTEM to have a few abilities that he would or not is superfluous (as seems to be)?
Thank you for your help,
John.
PS: the new roles are automatically awarded to SYS by Oracle itself, it is not something to be done "manually".
Published by: 440bx - 11 GR 2 on 20 Sep, 2010 08:23 - added PS.I don't know if it will clear the cloud or not! but the result is "a user who creates a role is granted also that default role.
So, if you created the ROLE with SYS is authorized for SYS otherwise DO NOT default. See the example below.SQL> conn sys@xe as sysdba Enter password: ****** Connected. SQL> CREATE ROLE TEST_ROLE_GRANT1; Role created. SQL> set line 1000 SQL> SELECT * FROM dba_role_privs 2 WHERE GRANTED_ROLE='TEST_ROLE_GRANT1'; GRANTEE GRANTED_ROLE ADM DEF ------------------------------ ------------------------------ --- --- SYS TEST_ROLE_GRANT1 YES YES SQL> conn system@xe Enter password: ****** Connected. SQL> CREATE ROLE TEST_ROLE_GRANT2; Role created. SQL> SELECT * FROM dba_role_privs 2 WHERE GRANTED_ROLE='TEST_ROLE_GRANT2'; GRANTEE GRANTED_ROLE ADM DEF ------------------------------ ------------------------------ --- --- SYSTEM TEST_ROLE_GRANT2 YES YES SQL> conn hr@xe Enter password: ** Connected. SQL> CREATE ROLE TEST_ROLE_GRANT3; Role created. SQL> SELECT * FROM dba_role_privs 2 WHERE GRANTED_ROLE='TEST_ROLE_GRANT3'; GRANTEE GRANTED_ROLE ADM DEF ------------------------------ ------------------------------ --- --- HR TEST_ROLE_GRANT3 YES YES SQL>
-
Change for SYS and SYSTEM profile
Is there an effect (or problem) by moving the SYS, SYSTEM RMAN & accounts SYSMAN DEFAULT profile to my user define the profile ($service_accounts). The main reason being I want to control password settings in the DEFAULT profile, which should not apply to service Oracle accounts.
Kind regards
KevinDear Kevin world countries,
When a user is created they are put in DEFAULT the default profile
You can create any user with the profile of your choice parameter. There is no limit to this topic. Here's the syntax;
SQL > create ogan user identified by the profile password OGAN_PROF;
If you want to use the default profile for newly created users, use it. Create another profile called for example SYSPROF and change the settings as you wish.
Keep in mind that using profiles and changins profile settings parameter to TRUE resource_limit need.
It will be useful,
Ogan
-
Locked user account and connect on demand
Hi, any omniscient! :) I'm sorry for my bad English, but I have a question.
Why is able to connect to an Application user using Builtin ApEx Authentication Scheme, when this user's account is locked? We see that in the ApEx 3.1, 3.2 (and I think, ApEx 3.2.1 has builtin regime too).As a workspace admin Home > Administration > manage Services > Set Workspace Preferences and ensure that the account Expiration and locking is set to enable.
Scott
-
What are these workspaces? They are created by default when you install APEX in a DB of Oracle XE. I understand what each is for the database, I was wondering why they work for APEX spaces.
I don't know why they exist, or when they are used.
Will need to look in, or comments from the Oracle gurus.For now, I would say keep them.
You can however do a test installation and remove these from the test facility just to see what happens! Of course, you must be prepared to reinstall if something horrible happens.
Kind regards
-
The user sys and system can be locked? If so, what is the effect on the database?
My user sys and system database showing has already expired and locke date is null.
Please suggest.
USERNAME LOCK_DATE EXPIRY_DA ------------------------------ --------- --------- ACCOUNT_STATUS -------------------------------- MGMT_VIEW 18-FEB-11 OPEN SYS 18-FEB-11 OPEN SYSTEM 01-MAR-11 OPEN
You need to use or create a profile for which PASSWORD_LIFE_TIME is set to UNLIMITED. It is normally the case for the DEFAULT profile.
Example to use the DEFAULT profile:
SQL> alter user sys profile default; User altered.
For example, to create a profile:
SQL> create profile sp limit password_life_time unlimited; Profile created. SQL> alter user sys profile sp; User altered.
But you must take into account all the resources limits related to the PASSWORD_LIFE_TIME not only profile.
-
Original title: IBM think centre @ start request.
IBM think centre @ request for initialization of the system user password and a genius set the bios to lock keyboard can it is bypassed and how?
Hi brandon1980,
I recommend you contact your computer manufacturer for assistance. The manufacturer would be able to give details about the BIOS (Basic Input Output System) and find out if this feature can be disabled.
Hope the helps of information.
Maybe you are looking for
-
Einstellungen-fenster nach update auf 35.0.1 leer
the window in the German version of firefox 35.0.1 einstellungen is completely emtpty to make it impossible to control or change what is happening in the browser
-
Customize the Dock with Script
I'm doing an AppleScript script that puts a .app in my dock users based on the org group that they are part of Active Directory. For example, a teacher will get a different app in the dock as a student, because they are part of another group in Acti
-
Resetting a load with Arduino cell
I use a curcuit to load with an Arduino Mega cell and ordering an operation with LabView. I would like to create a tear for the load cell button as a scale would have. To do this, I need to read the analogue value and then set this value to a variab
-
Install error code 646 for security update has failed. I run Windows Vista
I tried to install six important updates. One is an update of security for Microsoft Works 8.Then I updates security for Microsoft Office Outlook 2007, Microsoft Office Visio Viewer 2007. I have two updates of security for Microsoft Office System 200
-
DMVPN - PSK to Auth RSA - Sig move
Hi all I'm moving a laboratory DMVPN config PSK has the use of certificates. Installed root CA + certificates without problem. I imagined it would be just a case of creating a different strategy on the hubs ISAKMP and rays and gradually introduce spe