Sunday, June 12, 2011

How to Disable Operating System Authentication of sys user ( sysdba privileged ) ?

How to Disable Operating System Authentication of sys user ( sysdba privileged )
--------------------------------------------------------------------------------
The problem:

The SYS user can connect from the oracle software owner account without a password, with "conn / as sysdba" or "connect / as sysdba".

How can this be prevented? How do we make sure that SYS always has to supply a password, so that nobody can connect to the local server without one?


On Unix it is possible to disable OS authentication by putting non-existent OS group names in the config.c (or config.s) file, then removing config.o and relinking oracle, so that the executable no longer recognises any real group as OSDBA or OSOPER.

On Windows there is nothing to relink: simply remove the user from the ORA_DBA local group. Membership is checked when the connection is made, so that user can then no longer connect to the database AS SYSDBA without a password.

The 'OSDBA' and 'OSOPER' groups are chosen at installation time and usually both default to the group 'dba'. These groups are compiled into the 'oracle' executable and so are the same for all databases running from a given ORACLE_HOME directory.
The actual groups being used for OSDBA and OSOPER can be checked thus:

cd $ORACLE_HOME/rdbms/lib
cat config.[cs]

The line '#define SS_DBA_GRP "group"' should name the chosen OSDBA group.
The line '#define SS_OPER_GRP "group"' should name the chosen OSOPER group.

However, Oracle does not support this, for the following reasons:

1) Many tools, RMAN among them, rely on OS authentication; all the documentation and references assume that it works.

2) With OS authentication disabled this way, administrative connections AS SYSDBA/SYSOPER depend entirely on the password file. If anything goes wrong with it, nobody can log in. Since availability is part of security in the broader sense, this actually weakens the security of the system.

3) It also gives only a false sense of security: a DBA with access to the oracle software owner account can rebuild the password file with orapwd, or simply relink oracle to restore OS authentication.

NOTE:-

On Unix systems a user may be a member of more than one group.
To connect as an administrative user without supplying a password:

- One of the groups of which the user is a member must be either the OSDBA or
OSOPER group as defined in config.c (config.s on some platforms) and as
linked into the 'oracle' executable.
- That group must be a valid group as defined in /etc/group (or as defined in NIS,
as shown by 'ypcat group').
- The user's PRIMARY group (i.e. the one shown by the 'id' command) must not be the
special group 'daemon'.

It is quite common for the 'root' user to be required to have SYSDBA or SYSOPER
privilege. Unfortunately it is also common for the root user's primary group to be the
group 'daemon', which prevents it from connecting without a password.
There are two ways to tackle this problem:

a) Make the root user's PRIMARY group the OSDBA group
OR
b) Where available, use the 'newgrp' command to switch the user's primary group to
the DBA group for the current session.
Eg: $ newgrp dbagroup
$ sqlplus /nolog
SQL> connect / as sysdba

The same can be done in shell scripts. The first line below is the traditional Bourne shell no-op (':') that marks the file as a Bourne script:

:
newgrp dbagroup

Note that 'newgrp' starts a new shell, so commands that must run under the DBA group have to be handed to that shell (for example through a here-document) rather than written on the lines after it.
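The rules above (OSDBA/OSOPER group compiled into config.c, the group must exist, primary group must not be 'daemon') can be turned into a check that tells you in advance whether an account will get password-less SYSDBA. The script below is an added example, not code from the post; it parses the '#define SS_DBA_GRP' and '#define SS_OPER_GRP' lines the way the 'cat config.[cs]' check does, and the config.c and group files in the demo are constructed for illustration. Only the C-style config.c is parsed, not the assembler config.s used on some platforms.

```shell
#!/bin/sh
# Added example (not from the post): decide whether a Unix account can
# "connect / as sysdba" without a password, using the OSDBA and OSOPER
# group names compiled into $ORACLE_HOME/rdbms/lib/config.c.

# Print the group named in '#define SS_DBA_GRP "..."'.
osdba_group() {   # $1 = path to config.c
    sed -n 's/^#define[[:space:]]*SS_DBA_GRP[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# Print the group named in '#define SS_OPER_GRP "..."'.
osoper_group() {  # $1 = path to config.c
    sed -n 's/^#define[[:space:]]*SS_OPER_GRP[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# Is the group actually defined?  $1 = group name, $2 = file in /etc/group format.
group_defined() {
    grep -q "^$1:" "$2"
}

# Decide whether OS authentication would succeed.
#   $1 = config.c   $2 = group file   $3 = primary group (what 'id -gn' shows)
#   $4 = space-separated supplementary groups (what 'id -Gn' shows)
# Prints the reason; returns 0 (allowed) or 1 (denied).
can_os_auth() {
    cfg=$1; grpfile=$2; primary=$3; supp=$4
    dba=$(osdba_group "$cfg"); oper=$(osoper_group "$cfg")
    # Rule 3: a primary group of 'daemon' blocks the connection outright.
    if [ "$primary" = daemon ]; then
        echo "denied: primary group is daemon"; return 1
    fi
    # Rules 1 and 2: one of the user's groups must be OSDBA/OSOPER and must exist.
    for g in $primary $supp; do
        if [ "$g" = "$dba" ] || [ "$g" = "$oper" ]; then
            if group_defined "$g" "$grpfile"; then
                echo "allowed: member of $g"; return 0
            fi
        fi
    done
    echo "denied: not a member of a defined '$dba' or '$oper' group"; return 1
}

# Check the account running this script against the real files.
check_self() {   # $1 = config.c (defaults to $ORACLE_HOME/rdbms/lib/config.c)
    can_os_auth "${1:-$ORACLE_HOME/rdbms/lib/config.c}" /etc/group \
        "$(id -gn)" "$(id -Gn)"
}

# Demonstration on constructed files (not real system files).
demo() {
    d=$(mktemp -d)
    printf '#define SS_DBA_GRP "dba"\n#define SS_OPER_GRP "oper"\n' > "$d/config.c"
    printf 'dba:x:1001:oracle\noper:x:1002:oracle\nusers:x:100:\n' > "$d/group"
    can_os_auth "$d/config.c" "$d/group" oinstall "dba"   || :   # allowed
    can_os_auth "$d/config.c" "$d/group" daemon   "dba"   || :   # denied: root's usual problem
    can_os_auth "$d/config.c" "$d/group" users    "audio" || :   # denied: no dba/oper membership
    # The "disable" trick from the post: name a group nobody is a member of.
    printf '#define SS_DBA_GRP "nosuchgrp"\n#define SS_OPER_GRP "nosuchgrp"\n' > "$d/config.c"
    can_os_auth "$d/config.c" "$d/group" oinstall "dba"   || :   # denied
    rm -rf "$d"
}

demo
```

Run check_self on a real server to see what the oracle owner, root, or any other account would get. Remember that editing config.c alone changes nothing until oracle is relinked; the relink the post refers to is normally "make -f ins_rdbms.mk config.o ioracle" run from $ORACLE_HOME/rdbms/lib, so check the makefile shipped with your release before relying on that target name.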
