Categories
12cR2 security

lock sys

In the old days, locking sys had not much effect.

SQL> alter user sys identified by *** account lock;
User altered.
SQL> select account_status
from dba_users
where username='SYS';
ACCOUNT_STATUS
--------------------------------
LOCKED
SQL> conn / as sysdba
Connected.
SQL> conn sys/** as sysdba
Connected.
SQL> conn sys/***@db01 as sysdba
Connected.

Well, in the very-old days, Oracle7, or with the in 12cR2-deprecated parameter O7_DICTIONARY_ACCESSIBILITY, SYS could be locked. But this is out of the scope of this post.

In 12cR2, it is now possible to lock SYS.

SQL> alter user sys
identified by ***
account lock;
User altered.
SQL> select account_status
from dba_users
where username='SYS';
ACCOUNT_STATUS
--------------------------------
LOCKED
SQL> conn / as sysdba
Connected.
SQL> conn sys/** as sysdba
Connected.
SQL> conn sys/***@db01 as sysdba
ERROR:
ORA-28000: the account is locked

I like it 🙂 Oracle recommends you create other users to perform DBA tasks.

SQL> grant dba, sysdba
to user0001
identified by ***;
Grant succeeded.

Still, probably intentionally left so or simply forgotten, Oracle recommends to lock all Oracle supplied accounts except for SYS and SYSTEM (ref: Changing Passwords for Oracle Supplied Accounts)

Also note, you’ll get an ORA-40365 if you use an old-style password file


SQL> alter user sys identified by *** account lock;
alter user sys identified by *** account lock
*
ERROR at line 1:
ORA-40365: The SYS user cannot be locked
while the password file is in its current format.

By Laurent Schneider

Oracle Certified Master

4 replies on “lock sys”

So if you lock all accounts in the database (incl. SYS) and then log out, can you still get in then?…

Using the role ‘sysdba’ is not really the same like ‘sys’.
One thing it’s not possible to grant rights to the dictionary:

newsysadm@db01> grant select on sys.dba_users to new_user;
ORA-1031 insufficient privileges

That’s to keep in mind! 🙂

Nevertheless a good article!!! :):):)

SYSDBA is connecting as SYS

SQL> grant sysdba to newsysadm;
Grant succeeded.
SQL> conn newsysadm/***@DB01 as sysdba
Connected.
SQL> sho user
USER is "SYS"
SQL> grant select on sys.dba_users to new_user;
Grant succeeded.
SQL>

Don’t confuse role DBA and administrative privilege SYSDBA.
Maybe of interest : sysdba

Leave a Reply

Your email address will not be published.