首页 > 数据库 > Oracle > 正文

ORACLE 参数 O7_DICTIONARY_ACCESSIBILITY

2024-08-29 13:54:45
字体:
来源:转载
供稿:网友

该参数是Oracle的一个安全机制, 目的就是为了防止非sysdba访问系统关键数据字典,让sys用户成为sysdba, 不能以普通用户登陆

MOS文档: What is O7_DICTIONARY_accessIBILITY and how should it be set ? (文档 ID 206795.1)

中提到:

Versions PRIOR to Oracle 9i:~~~~~~~~~~~~~~~~~~~~~~~~~~~~The default of this parameter is TRUE.

Oracle 9i:~~~~~~~~~~The default of this parameter in 9i is FALSE.The FALSE setting requires login with AS SYSDBA to read the data dictionary, orto be given explicit object grants.

从9i开始, Oracle明确限定该参数的值为FALSE, 强烈不推荐用户更改该参数

该参数限定了sys用户必须以sysdba 的身份进行登陆

或许有些很奇葩的需求,例如某位领导说: 我任性,我必须要用sys用户以普通身份就能登陆,

那么更改该参数,满足领导吧...

附录:

该MOS的全文:

QUESTIONS:What does the init.ora parameter named O7_Dictionary_Accessibility do?How does it affect my database, and how should it be set? ANSWERS:The parameter O7_Dictionary_Accessibility can be set to TRUE or FALSE.The affect on your database is different depending on whether you areusing Oracle 9i or a version previous to Oracle 9i.Versions PRIOR to Oracle 9i:~~~~~~~~~~~~~~~~~~~~~~~~~~~~The default of this parameter is TRUE.The dictionary protection mechanism in Oracle 8 prevents unauthorized users from accessing dictionary objects.Access to dictionary objects is restricted to the users with the system privileges SYSDBA and SYSOPER.System privileges providing access to objects in other schemas do not give access to dictionary objects.For example, the SELECT ANY TABLE privilege enables access to views and tablesin other schemas, but it does not enable you to select dictionary objects.If the parameter is set to TRUE, which is the default, access to objects in SYS schema is enabled (Oracle 7 behavior).If this parameter is set to FALSE, system privileges that allow access to objects in other schemas do not allow access to objects in the dictionary schema.For example, if O7_DICTIONARY_ACCESSIBILITY=FALSE, then the SELECT ANY TABLE statement enables access to views or tables in any schema except SYS schema. The system privilege, EXECUTE ANY PROCEDURE enables access on the procedures in any other schema except in SYS schema.Oracle 9i:~~~~~~~~~~The default of this parameter in 9i is FALSE.The FALSE setting requires login with AS SYSDBA to read the data dictionary, orto be given explicit object grants.Warning:~~~~~~~~Oracle has changed from versions 9.0.1 and beyond the default of this parameterto FALSE, and strongly recommends that you do not change back the parameter.In the process of turning Oracle Server secure out of the box, this was one ofthe reasons we decide to change the parameter.This way, you can't login with a "regular" SYS connection anymore to look updata dictionary.Instead, you should set your own dba accounts with appropriate privileges andpassWords.References:~~~~~~~~~~~Oracle University, Oracle 9i New Features For Adminstrators, Chapter 1, OracleServer Security, Page 1-5Oracle University, Oracle 8: Database Administration, Chapter 19, Managing Privileges, Page 19-15


发表评论 共有条评论
用户名: 密码:
验证码: 匿名发表