Oracle Authentication and Authorization

Oracle supports two kinds of accounts: database accounts and operating system accounts. Operating system accounts are authenticated externally by the operating system and are generally prefixed with OP$, whereas database accounts are authenticated against the database server. A number of users are created by default when the database is installed; some of these are integral to the correct operation of the database, whereas others are created simply because a package has been installed. The most important database login on an Oracle server is the SYS login. SYS is god as far as the database is concerned and can be likened to the root account on UNIX systems or Administrator on Windows. SYS is installed with a default password of CHANGE_ON_INSTALL, although, as of 10g, the user is prompted for a password to assign, which is good (various components that you install can define default usernames and passwords; Appendix C includes a list of more than 600 default account names and passwords). Another key account is SYSTEM. This is just as powerful as SYS and has a default password of MANAGER. Incidentally, passwords in Oracle are converted to uppercase, making them easier to brute force if one can get hold of the password hashes. Details such as usernames and passwords are stored in the SYS.USER$ table.

 SQL> select name,password from sys.user$ where type#=1;

 NAME                           PASSWORD
 ------------------------------ ------------------------------
 SYS                            2696A092833AFD9F
 SYSTEM                         ED58B07310B19002
 OUTLN                          4A3BA55E08595C81
 DIP                            CE4A36B8E06CA59C
 DMSYS                          BFBA5A553FD9E28A
 DBSNMP                         E066D214D5421CCC
 WMSYS                          7C9BA362F8314299
 EXFSYS                         66F4EF5650C20355
 ORDSYS                         7EFA02EC7EA6B86F
 ORDPLUGINS                     88A2B2C183431F00
 SI_INFORMTN_SCHEMA             84B8CBCA4D477FA3
 MDSYS                          72979A94BAD2AF80
 CTXSYS                         71E687F036AD56E5
 OLAPSYS                        3FB8EF9DB538647C
 WK_TEST                        29802572EB547DBF
 XDB                            88D8364765FCE6AF
 ANONYMOUS                      anonymous
 SYSMAN                         447B729161192C24
 MDDATA                         DF02A496267DEE66
 WKSYS                          69ED49EE1851900D
 WKPROXY                        B97545C4DD2ABE54
 MGMT_VIEW                      B7A76767C5DB2BFD
 SCOTT                          F894844C34402B67

 23 rows selected.

Both SYS and SYSTEM are DBA-privileged accounts, but on a typical system you'll also find at least a few more DBAs, namely MDSYS, CTXSYS, WKSYS, and SYSMAN. You can list all DBAs with the following query:

 SQL> select distinct a.name from sys.user$ a, sys.sysauth$ b
   2  where a.user#=b.grantee# and b.privilege#=4;

 NAME
 ------------------------------
 CTXSYS
 SYS
 SYSMAN
 SYSTEM
 WKSYS

(If you know a bit about Oracle and are wondering why I'm not using the DBA_USERS and DBA_ROLE_PRIVS views, see the last chapter in the Oracle section: you can't trust views.)
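As a defender's follow-up to the two queries above, here is an added Python example (not from the book) that parses SQL*Plus output of that shape and flags DBA-privileged accounts outside an expected list, plus rows whose PASSWORD column is not a 16-hex-digit hash (as with ANONYMOUS above). The listing text, its hash values and the expected-DBA list are constructed assumptions.

```python
"""Audit helpers for the SYS.USER$ and SYS.SYSAUTH$ listings shown above.
The sample SQL*Plus output below is constructed; its hashes are not real."""
import re

HEX16 = re.compile(r"^[0-9A-F]{16}$")   # shape of a stored Oracle password hash

# Constructed output of: select name,password from sys.user$ where type#=1;
USER_LISTING = """\
NAME                           PASSWORD
------------------------------ ------------------------------
SYS                            0123456789ABCDEF
SYSTEM                         FEDCBA9876543210
ANONYMOUS                      anonymous
SCOTT                          F894844C34402B67

4 rows selected."""

# Constructed output of the DBA query (privilege#=4 in sys.sysauth$).
DBA_LISTING = """\
NAME
------------------------------
CTXSYS
SYS
SYSMAN
SYSTEM
WKSYS"""


def parse_sqlplus(text):
    """Return the data rows of a SQL*Plus listing as lists of column values.
    Skips the dashed separator, blank lines, the 'N rows selected.' trailer
    and the column-header row."""
    rows = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("-") or line.endswith("rows selected."):
            continue
        rows.append(line.split())
    return rows[1:]  # first remaining row is the column header


def audit_dbas(dba_text, expected=("SYS", "SYSTEM")):
    """DBA-privileged accounts not on the expected list (assumed allowlist);
    each should be justified or have the DBA role revoked."""
    return sorted(r[0] for r in parse_sqlplus(dba_text) if r[0] not in expected)


def audit_password_column(user_text):
    """Accounts whose PASSWORD column is not a 16-hex-digit hash. A value no
    password can hash to (e.g. ANONYMOUS above) blocks password logins."""
    return [name for name, pw in parse_sqlplus(user_text) if not HEX16.match(pw)]
```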

This is enough on users and roles at the moment. Let's look at how database users are authenticated.

The Database Hackers Handbook: Defending Database Servers
ISBN: 0764578014
Year: 2003
Pages: 156