Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

as sysdba #115

Closed
walter-weinmann opened this Issue Nov 19, 2018 · 10 comments

Comments

Projects
None yet
3 participants
@walter-weinmann
Copy link

commented Nov 19, 2018

How can I connect to SYS ?

@pesse

This comment has been minimized.

Copy link
Member

commented Nov 19, 2018

You cannot at the moment. We'll need a new parameter for this.
Though I wouldn't recommend it, it might be a valuable feature.

@jgebal

This comment has been minimized.

Copy link
Member

commented Nov 19, 2018

I think it is acutally a really bad idea to run tests from a SYSDBA account.
I would not add this functionality to cli.
If you need access to execute and procedure just use a user accout with proper role/privilege.

@walter-weinmann

This comment has been minimized.

Copy link
Author

commented Nov 20, 2018

"Unfortunately, I'm working on software used by DBAs. For some code, access is restricted to the session user SYS. It is not my responsibility to handle this in any other way, but I don't want to exclude it from regression testing.

@pesse

This comment has been minimized.

Copy link
Member

commented Nov 20, 2018

What about adding a parameter but outputting a warning that it's not recommended to run tests as sysdba, @jgebal?
I agree with you but I can also see some edge cases in which it is hard to go a different route and I don't want to exclude these people (who might suffer already anyway :) )

@jgebal

This comment has been minimized.

Copy link
Member

commented Nov 20, 2018

I stand corrected @pesse
I've just realized that I gave exactly the same style of answer as Jeff Smith gave me, when I was asking for ability to drop multiple objects in SQLDeveloper navigator using Delete key. "We will not support that, as it's a bad idea (aka can be dangerous).

I do remember how disappointed I was though I find SQLDeveloper a great tool and Jeff is a great, very approachable guy. Always there to help.

So yes, I agree, utPLSQL-cli could have ability to run utPLSQL as sysdba.

It will require special permissions (unlocking) for SYS account, as by default it's blocked from executing code that runs with authid current_user.

This, and an additional warning on cli, should be more than enough to say - we do not encourage you to do this.

Do you think it should be cli or core responsibility to perform a check for SYS connection and raise a warning?

@pesse

This comment has been minimized.

Copy link
Member

commented Nov 20, 2018

So you're human after all ;)
Responsibility should be cli because I have to setup the connection in a special way already.

@pesse pesse added the enhancement label Nov 26, 2018

@pesse pesse added this to the 3.1.3 milestone Nov 26, 2018

@pesse pesse self-assigned this Nov 26, 2018

@pesse

This comment has been minimized.

Copy link
Member

commented Mar 15, 2019

I included the possibility to connect as SYSDBA, however every time I try to test it I get the following:

select ut.version() from dual;
ORA-06598: Nicht ausreichende INHERIT PRIVILEGES-Berechtigung
ORA-06512: in "UT3.UT", Zeile 1

@jgebal can you give me a hint what's causing this and can we circumvent it?

@pesse

This comment has been minimized.

Copy link
Member

commented Mar 15, 2019

Played around a bit with grant inherit privileges on user sys to public, but didn't change anything.
I guess I'm doing it wrong 😁
@walter-weinmann on which Oracle version are you? Can you run select ut.version() from dual from your sysdba role?

@jgebal

This comment has been minimized.

Copy link
Member

commented Mar 15, 2019

This is related to potential security risk when runnign packages that have AUTHID CURRENT_USER from SYS account.
Your code suddenly has DBA privs and can do whatever you want.

In general, you should never be using/running code that has AUTHID CURRENT_USER as SYS/SYSDBA unless you're 100% sure noone was messing with that code.

So you need to execute:
GRANT INHERIT PRIVILEGES ON USER SYS TO UT3;
ut again - probably bad idea and probably most DBAs would kill you for this :)

@jgebal

This comment has been minimized.

@pesse pesse closed this in #133 Mar 19, 2019

pesse added a commit that referenced this issue Mar 19, 2019

Merge pull request #133 from utPLSQL/feature/connect_as_sysdba
- Adds some Unit-Tests around parsing connectString
- Allows user-part of the connectstring to contain "/" if enclosed in double quotes (e.g. "my/user"/pass@connectstring)
- Allows password-part of the connectstring to contain "@" if enclosed in double quotes (e.g. app/"myP@ssw/rd="@connecstring)
- Allows to connect as sysdba via adding the "as" part to the username (e.g. "sys as sysdba"/pass@connectstring) (Fixes #115)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.