Tags

, , ,

Many times this question comes up “Whether we could login as SYS but not as SYDBA”. Related questions are “Whether you could lock SYS account”. The answer to both the questions is YES. Let’s see how :

Before I proceed with the demonstration, let me tell about a very interesting parameter which controls restrictions on SYSTEM privileges, it is O7_DICTIONARY_ACCESSIBILITY.

If the parameter is set to true, access to objects in the SYS schema is allowed (Oracle7 behavior). The default setting of false ensures that system privileges that allow access to objects in “any schema” do not allow access to objects in the SYS schema.

For example, if O7_DICTIONARY_ACCESSIBILITY is set to false, then the SELECT ANY TABLE privilege allows access to views or tables in any schema except theSYS schema (data dictionary tables cannot be accessed). If O7_DICTIONARY_ACCESSIBILITY is set to false, then to access objects in the SYS schema, the user should have SELECT ANY DICTIONARY system privilege or the user should have been granted SELECT object privilege on the specific objects. The system privilege EXECUTE ANY PROCEDURE allows access on the procedures in any schema except the SYS schema.

If this parameter is set to false and you need to access objects in the SYS schema, then you must be granted explicit object privileges. The following roles, which can be granted to the database administrator, also allow access to dictionary objects:

  • SELECT_CATALOG_ROLE
  • EXECUTE_CATALOG_ROLE
  • DELETE_CATALOG_ROLE

The following are 2 ways to lock the SYS account and CONNECT to SYS without SYSDBA :

 

  1. With O7 parameter set to false(by default) :
SQL*Plus: Release 12.1.0.1.0 Production on Thu Aug 28 13:10:48 2014

Copyright (c) 1982, 2013, Oracle.  All rights reserved.

Enter password:

Connected to:
Oracle Database 12c Enterprise Edition Release 12.1.0.1.0 - 64bit Production
With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options

SQL> show parameter O7;

NAME                                 TYPE        VALUE
------------------------------------ ----------- --------------
O7_DICTIONARY_ACCESSIBILITY          boolean     FALSE
SQL> alter user sys account lock;

User altered.

SQL> conn sys@pdborcl
Enter password:
ERROR:
ORA-28000: the account is locked


Warning: You are no longer connected to ORACLE.
SQL> conn sys@pdborcl as sysdba
Enter password:
Connected.
SQL> select account_status from dba_users where username='SYS';

ACCOUNT_STATUS
--------------------------------
LOCKED

 

2. With O7 parameter set to true :

SQL> alter system set O7_DICTIONARY_ACCESSIBILITY=TRUE scope=spfile;

System altered.

SQL> shutdown immediate;
Pluggable Database closed.
SQL> startup;
Pluggable Database opened.
SQL> show user
USER is "SYS"
SQL> show parameter O7

NAME                                 TYPE        VALUE
------------------------------------ ----------- -------------------
O7_DICTIONARY_ACCESSIBILITY          boolean     TRUE
SQL> conn sys@pdborcl
Enter password:
ERROR:
ORA-28000: the account is locked


Warning: You are no longer connected to ORACLE.