12.2 - Users Being granted The ALTER USER System Privilege Cannot Change SYS Password
In Oracle 12.2.0.1 and later, the user who is granted the ALTER USER system privilege is not able to change the SYS password as of Oracle RDBMS 12.2.0.1.
[oracle@akb ~]$ sqlplus system/Orapass_777
SQL*Plus: Release 12.2.0.1.0 Production on Tue May 9 09:11:38 2017
Copyright (c) 1982, 2016, Oracle. All rights reserved.
Last Successful login time: Tue May 09 2017 08:53:44 +03:00
Connected to:
Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production
SQL> select privilege from session_privs where privilege like 'ALTER USER%';
PRIVILEGE
----------------------------------------
ALTER USER
SQL> alter user sys identified by NewPassword_123;
alter user sys identified by NewPassword_123
*
ERROR at line 1:
ORA-01031: insufficient privileges
This was possible in the earlier versions :
[oracle@akb11 ~]$ sqlplus system/Orapass_999
SQL*Plus: Release 12.1.0.2.0 Production on Tue May 9 09:13:50 2017
Copyright (c) 1982, 2014, Oracle. All rights reserved.
Last Successful login time: Tue Apr 18 2017 17:13:10 +03:00
Connected to:
Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
With the Partitioning, Oracle Label Security, OLAP, Advanced Analytics
and Real Application Testing options
SQL> select privilege from session_privs where privilege like 'ALTER USER%';
PRIVILEGE
----------------------------------------
ALTER USER
SQL> alter user sys identified by Oracle_555;
User altered.
Cause : This is the expected behaviour.
SOLUTION :
As of Oracle RDBMS 12.2 a user with ALTER USER privilege will no longer be able to alter any of the attributes(password, profile, quota, etc.) of the SYS user.
There is also, a workaround to address this issue. We can create a procedure under sys schema that include alter user command to change sys password and grant execute on this procedure to system user. Then run the procedure as system user and change the sys password as explained below.
## Test ##
show user;
sys
create procedure sys.changepwd(passwd in varchar2)
as
begin
execute immediate 'alter user sys identified by '||passwd;
end;
/
grant execute on sys.changepwd to system;
SQL> conn system/XXXX
Connected.
SQL>
SQL>
SQL>
SQL> exec sys.changepwd('NewPWD');
PL/SQL procedure successfully completed.
SQL>
SQL>
SQL>
SQL> conn sys/Newpwd@db12201nc as sysdba
Connected.
After going through your contents I realize that this is the best of my knowledge as it provides the best information and suggestions. This is very helpful and share worthy. If you are looking for the best Oracle 12c Goldengate Course then visit Akswave. Keep sharing more.
ReplyDelete