The SYS user of the Oracle database can be said to be omnipotent as a "God" level user. By default, the SYS user can only log in to the database with the "sysdba" privilege. This article gives the method for the SYS user to log in to the database as a common user.
1. By default, the SYS user cannot log in to the database as a normal user
1) Use the sqlplus command to try to log in to
ora10g@secdb /home/oracle$ sqlplus sys/oracle
SQL*Plus: Release 10.2.0.1.0 - Production on Fri May 27 21 :26:27 2011
Copyright (c) 1982, 2005, Oracle. All rights reserved.
ERROR:
ORA-28009: connection as SYS should be as SYSDBA or SYSOPER
Enter user-name: The message
cannot be connected.
2) Use the connect command to try to log in to
sys@ora10g> connect sys/oracle
ERROR:
ORA-28009: connection as SYS should be as SYSDBA or SYSOPER
Warning: You are no longer connected to ORACLE. The message
cannot be connected.
It can be seen that the SYS user cannot log in to the database as a normal user by default.
2. How to open this restriction: Modify the value of the O7_DICTIONARY_ACCESSIBILITY parameter from the original value "FALSE" to "TRUE"
1) View the default value of the O7_DICTIONARY_ACCESSIBILITY parameter
sys@ora10g> show parameter O7_DICTIONARY_ACCESSIBILITY
NAME TYPE VALUE
--------- ------------------------- -------------------- ----- --------
O7_DICTIONARY_ACCESSIBILITY boolean FALSE
2) Adjust the value of the O7_DICTIONARY_ACCESSIBILITY parameter to "TRUE"
sys@ora10g> alter system set O7_DICTIONARY_ACCESSIBILITY=true scope=spfile;
System altered.
3) Restart the database to make the parameter adjustment take effect
sys@ora10g> startup force;
ORACLE instance started.
Total System Global Area 419430400 bytes
Fixed Size 1219784 bytes
Variable Size 96469816 bytes
Database Buffers 314572800 bytes
Redo Buffers 7168000 bytes
Database mounted.
Database opened.
4) Confirm the parameter adjustment result
sys@ora10g> show parameter O7_DICTIONARY_ACCESSIBILITY
NAME TYPE VALUE
-------------------- -------------- -------------------- -------------
O7_DICTIONARY_ACCESSIBILITY boolean TRUE
3. Test whether the SYS user can log in to the database as a normal user
1) Use the sqlplus command to try to log in to
ora10g@secdb /home/oracle$ sqlplus sys/oracle
SQL*Plus: Release 10.2.0.1.0 - Production on Fri May 27 21: 44:59 2011
Copyright (c) 1982, 2005, Oracle. All rights reserved.
Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production
With the Partitioning, OLAP and Data Mining options
sys@ora10g>
2)使用connect命令尝试登录
sys@ora10g> connect sys/oracle
Connected.
sys@ora10g> show user;
USER is "SYS"
此时我们已经实现了SYS用户以普通用户方式登录到数据库。
4.SYS用户以普通用户身份登录数据库的权限限制
虽然我们实现了SYS用户以普通用户方式登录数据库这个功能,但是这种登录方式同时也失去了sysdba这种特权,这种登录方式不能完成数据库的关闭;在数据库关闭状态下这种方式也无法连接到数据库,从而不能启动数据库。因为启动和关闭必须使用特权身份登录
1)尝试关闭数据库
sys@ora10g> shutdown immediate;
ORA-01031: insufficient privileges
此时提示权限不足。
2)关闭数据库后尝试连接
sys@ora10g> conn / as sysdba
Connected.
sys@ora10g> shutdown immediate;
Database closed.
Database dismounted.
ORACLE instance shut down.
sys@ora10g> conn sys/oracle
ERROR:
ORA-01034: ORACLE not available
ORA-27101: shared memory realm does not exist
Linux Error: 2: No such file or directory
Warning: You are no longer connected to ORACLE.
sys@ora10g> exit
ora10g@secdb /home/oracle$ sqlplus sys/oracle
SQL*Plus: Release 10.2.0.1.0 - Production on Fri May 27 21:50:18 2011
Copyright (c) 1982, 2005, Oracle. All rights reserved.
ERROR:
ORA-01034: ORACLE not available
ORA-27101: shared memory realm does not exist
Linux Error: 2: No such file or directory
Enter user-name:
由于无法连接到数据库,因此便不可以启动数据库。因为此时是以普通用户身份登录。
5.小结
通过整个分析和探寻的过程可见,这种调整方法的必要性很小。仅作为一种功能上的实现。
Good luck.
secooler
11.06.04
-- The End --
1. By default, the SYS user cannot log in to the database as a normal user
1) Use the sqlplus command to try to log in to
ora10g@secdb /home/oracle$ sqlplus sys/oracle
SQL*Plus: Release 10.2.0.1.0 - Production on Fri May 27 21 :26:27 2011
Copyright (c) 1982, 2005, Oracle. All rights reserved.
ERROR:
ORA-28009: connection as SYS should be as SYSDBA or SYSOPER
Enter user-name: The message
cannot be connected.
2) Use the connect command to try to log in to
sys@ora10g> connect sys/oracle
ERROR:
ORA-28009: connection as SYS should be as SYSDBA or SYSOPER
Warning: You are no longer connected to ORACLE. The message
cannot be connected.
It can be seen that the SYS user cannot log in to the database as a normal user by default.
2. How to open this restriction: Modify the value of the O7_DICTIONARY_ACCESSIBILITY parameter from the original value "FALSE" to "TRUE"
1) View the default value of the O7_DICTIONARY_ACCESSIBILITY parameter
sys@ora10g> show parameter O7_DICTIONARY_ACCESSIBILITY
NAME TYPE VALUE
--------- ------------------------- -------------------- ----- --------
O7_DICTIONARY_ACCESSIBILITY boolean FALSE
2) Adjust the value of the O7_DICTIONARY_ACCESSIBILITY parameter to "TRUE"
sys@ora10g> alter system set O7_DICTIONARY_ACCESSIBILITY=true scope=spfile;
System altered.
3) Restart the database to make the parameter adjustment take effect
sys@ora10g> startup force;
ORACLE instance started.
Total System Global Area 419430400 bytes
Fixed Size 1219784 bytes
Variable Size 96469816 bytes
Database Buffers 314572800 bytes
Redo Buffers 7168000 bytes
Database mounted.
Database opened.
4) Confirm the parameter adjustment result
sys@ora10g> show parameter O7_DICTIONARY_ACCESSIBILITY
NAME TYPE VALUE
-------------------- -------------- -------------------- -------------
O7_DICTIONARY_ACCESSIBILITY boolean TRUE
3. Test whether the SYS user can log in to the database as a normal user
1) Use the sqlplus command to try to log in to
ora10g@secdb /home/oracle$ sqlplus sys/oracle
SQL*Plus: Release 10.2.0.1.0 - Production on Fri May 27 21: 44:59 2011
Copyright (c) 1982, 2005, Oracle. All rights reserved.
Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production
With the Partitioning, OLAP and Data Mining options
sys@ora10g>
2)使用connect命令尝试登录
sys@ora10g> connect sys/oracle
Connected.
sys@ora10g> show user;
USER is "SYS"
此时我们已经实现了SYS用户以普通用户方式登录到数据库。
4.SYS用户以普通用户身份登录数据库的权限限制
虽然我们实现了SYS用户以普通用户方式登录数据库这个功能,但是这种登录方式同时也失去了sysdba这种特权,这种登录方式不能完成数据库的关闭;在数据库关闭状态下这种方式也无法连接到数据库,从而不能启动数据库。因为启动和关闭必须使用特权身份登录
1)尝试关闭数据库
sys@ora10g> shutdown immediate;
ORA-01031: insufficient privileges
此时提示权限不足。
2)关闭数据库后尝试连接
sys@ora10g> conn / as sysdba
Connected.
sys@ora10g> shutdown immediate;
Database closed.
Database dismounted.
ORACLE instance shut down.
sys@ora10g> conn sys/oracle
ERROR:
ORA-01034: ORACLE not available
ORA-27101: shared memory realm does not exist
Linux Error: 2: No such file or directory
Warning: You are no longer connected to ORACLE.
sys@ora10g> exit
ora10g@secdb /home/oracle$ sqlplus sys/oracle
SQL*Plus: Release 10.2.0.1.0 - Production on Fri May 27 21:50:18 2011
Copyright (c) 1982, 2005, Oracle. All rights reserved.
ERROR:
ORA-01034: ORACLE not available
ORA-27101: shared memory realm does not exist
Linux Error: 2: No such file or directory
Enter user-name:
由于无法连接到数据库,因此便不可以启动数据库。因为此时是以普通用户身份登录。
5.小结
通过整个分析和探寻的过程可见,这种调整方法的必要性很小。仅作为一种功能上的实现。
Good luck.
secooler
11.06.04
-- The End --