密码文件

最新推荐文章于 2024-03-29 14:34:44 发布

Linucle

最新推荐文章于 2024-03-29 14:34:44 发布

阅读量1.7k

点赞数

分类专栏： oracle安全管理

本文链接：https://blog.csdn.net/linucle/article/details/9464551

版权

oracle安全管理专栏收录该内容

6 篇文章 0 订阅

订阅专栏

(一)共享和专有密码文件

与密码文件有关的参数REMOTE_LOGIN_PASSWORDFILE
- NONE: Setting this parameter to NONE causes Oracle Database to behave as if the password file does not exist. That is, no privileged connections are allowed over nonsecure connections.
- EXCLUSIVE: (The default) An EXCLUSIVE password file can be used with only one instance of one database. Only an EXCLUSIVE file can be modified. Using an EXCLUSIVE password file enables you to add, modify, and delete users. It also enables you to change the SYS password with the ALTER USER command.
例：

SQL> alter system set remote_login_passwordfile=none scope=spfile;

System altered.

SQL> shutdonw immediate

SP2-0734: unknown command beginning "shutdonw i..." - rest of line ignored.

SQL> shutdown immediate

Database closed.

Database dismounted.

ORACLE instance shut down.

SQL> startup

ORACLE instance started.

Total System Global Area 217157632 bytes

Fixed Size                  2211928 bytes

Variable Size             159387560 bytes

Database Buffers           50331648 bytes

Redo Buffers                5226496 bytes

Database mounted.

Database opened.

SQL> show parameter remote_login_passwordfile

NAME                                 TYPE        VALUE

------------------------------------ ----------- ------------------------------

remote_login_passwordfile            string      NONE
- SHARED: A SHARED password file can be used by multiple databases running on the same server, or multiple instances of an Oracle Real Application Clusters (Oracle RAC) database. A SHARED password file cannot be modified. Therefore, you cannot add users to a SHARED password file. Any attempt to do so or to change the password of SYS or other users with the SYSDBA or SYSOPER privileges generates an error. All users needing SYSDBA or SYSOPER system privileges must be added to the password file when REMOTE_LOGIN_PASSWORDFILE is set to EXCLUSIVE. After all users are added, you can change REMOTE_LOGIN_PASSWORDFILE to SHARED, and then share the file.
修改：

SQL> alter system set remote_login_passwordfile=shared scope=spfile;

System altered.

SQL> alter user sys identified by oracle;

alter user sys identified by oracle

*

ERROR at line 1:

ORA-28046: Password change for SYS disallowed -----在此模式下是不允许修改密码的

在管理多个数据库或者RAC环境时，使用shared模式

当remote_login_passwordfile为shared或者exclusive并且密码文件丢失，与remote_login_passwordfile设置成none是等效的

（二）保持管理员的密码和数据字典同步

如果修改了sys用户的密码，使用alter user语句保持密码文件和数据字典密码的一致性

如果同步具有sysdba或者sysoper权限的非sys用户的密码，必须先revoke然后再重新grant权限
- 例：
  2. Find all users who have been granted the SYSDBA privilege.
SELECT USERNAME FROM V$PWFILE_USERS WHERE USERNAME != 'SYS' AND SYSDBA='TRUE';
2. Revoke and then re-grant the SYSDBA privilege to these users.
REVOKE SYSDBA FROM non-SYS-user;
GRANT SYSDBA TO non-SYS-user;
2. Find all users who have been granted the SYSOPER privilege.
SELECT USERNAME FROM V$PWFILE_USERS WHERE USERNAME != 'SYS' AND SYSOPER='TRUE';
2. Revoke and regrant the SYSOPER privilege to these users.
REVOKE SYSOPER FROM non-SYS-user;
GRANT SYSOPER TO non-SYS-user;
- (三)在密码文件中增加用户
当给用户授予sysdba或者sysoper权限时，其用户的名字和权限信息将记录到密码文件中。

并且当remote_login_passwordfile的值为none或者shared，也或者密码文件丢失，在这3种情况下是不能授予用户sysdba和sysoper权限，会报错。

shared模式下：

SQL> grant sysdba to dsg;

grant sysdba to dsg

*

ERROR at line 1:

ORA-01999: password file cannot be updated in SHARED mode

密码文件丢失：

SQL> show parameter remote_lo

NAME TYPE VALUE

------------------------------------ ----------- ------------------------------

remote_login_passwordfile string EXCLUSIVE

SQL> grant sysdba to dsg;

grant sysdba to dsg

*

ERROR at line 1:

ORA-01994: GRANT failed: password file missing or disabled

取回密码文件

[oracle@dsg2 dbs]$ mv orapwdsg02.bak orapwdsg02

SQL> grant sysdba to dsg;

Grant succeeded.

用户的sysdba或者sysoper权限被回收后用户的信息就从密码文件中删除

不要在授权的时候加with admin option！！！

（四）与密码文件相关的视图

Use the V$PWFILE_USERS view to see the users who have been granted the SYSDBA, SYSOPER, or SYSASM system privileges. The columns displayed by this view are as follows:



Column



Description




USERNAME



This column contains the name of the user that is   recognized by the password file.




SYSDBA



If the value of this column is TRUE, then the user   can log on with the SYSDBA system privileges.




SYSOPER



If the value of this column is TRUE, then the user   can log on with the SYSOPER system privileges.




SYSASM



If the value of this column is TRUE, then the user   can log on with the SYSASM system privileges.


SQL> desc v$pwfile_users

Name                                      Null?    Type

----------------------------------------- -------- ----------------------------

USERNAME                                           VARCHAR2(30)

SYSDBA                                             VARCHAR2(5)

SYSOPER                                            VARCHAR2(5)

SYSASM                                             VARCHAR2(5)

SQL> select * from v$pwfile_users;

USERNAME                       SYSDB SYSOP SYSAS

------------------------------ ----- ----- -----

SYS                            TRUE TRUE FALSE

SQL> grant sysdba to dsg;

Grant succeeded.

SQL> select * from v$pwfile_users;

USERNAME                       SYSDB SYSOP SYSAS

------------------------------ ----- ----- -----

SYS                            TRUE TRUE FALSE

DSG                            TRUE FALSE FALSE

（五）维护一个密码文件

1.扩展密码文件

Ora-1996

官方：If you receive the file full error (ORA-1996) when you try to grant SYSDBA or SYSOPER system privileges to a user, you must create a larger password file and regrant the privileges to the users.

通过V$pwfile_uses视图验证，确定后删除原来的密码文件，然后使用orapwd重建密码文件，保证entries足够，最后重新把用户加入。

2.删除密码文件

直接删除密码文件或者修改remote_login_passwordfile值为none