as sysdba #115

Closed
walter-weinmann opened this issue Nov 19, 2018 · 10 comments · Fixed by #133
@walter-weinmann

How can I connect to SYS ?

@pesse
Member

pesse commented Nov 19, 2018

You cannot at the moment. We'll need a new parameter for this.
Though I wouldn't recommend it, it might be a valuable feature.

@jgebal
Member

jgebal commented Nov 19, 2018

I think it is actually a really bad idea to run tests from a SYSDBA account.
I would not add this functionality to cli.
If you need access to execute and procedure just use a user account with proper role/privilege.

@walter-weinmann
Author

Unfortunately, I'm working on software used by DBAs. For some code, access is restricted to the session user SYS. It is not my responsibility to handle this in any other way, but I don't want to exclude it from regression testing.

@pesse
Member

pesse commented Nov 20, 2018

What about adding a parameter but outputting a warning that it's not recommended to run tests as sysdba, @jgebal?
I agree with you but I can also see some edge cases in which it is hard to go a different route and I don't want to exclude these people (who might suffer already anyway :) )

@jgebal
Member

jgebal commented Nov 20, 2018

I stand corrected @pesse
I've just realized that I gave exactly the same style of answer as Jeff Smith gave me, when I was asking for ability to drop multiple objects in SQLDeveloper navigator using Delete key. "We will not support that, as it's a bad idea (aka can be dangerous)."

I do remember how disappointed I was though I find SQLDeveloper a great tool and Jeff is a great, very approachable guy. Always there to help.

So yes, I agree, utPLSQL-cli could have ability to run utPLSQL as sysdba.

It will require special permissions (unlocking) for SYS account, as by default it's blocked from executing code that runs with authid current_user.

This, and an additional warning on cli, should be more than enough to say - we do not encourage you to do this.

Do you think it should be cli or core responsibility to perform a check for SYS connection and raise a warning?

@pesse
Member

pesse commented Nov 20, 2018

So you're human after all ;)
Responsibility should be cli because I have to set up the connection in a special way already.

@pesse pesse added this to the 3.1.3 milestone Nov 26, 2018
@pesse pesse self-assigned this Nov 26, 2018
@pesse
Member

pesse commented Mar 15, 2019

I included the possibility to connect as SYSDBA, however every time I try to test it I get the following:

select ut.version() from dual;
ORA-06598: Nicht ausreichende INHERIT PRIVILEGES-Berechtigung
ORA-06512: in "UT3.UT", Zeile 1

@jgebal can you give me a hint what's causing this and can we circumvent it?

@pesse
Member

pesse commented Mar 15, 2019

Played around a bit with grant inherit privileges on user sys to public, but didn't change anything.
I guess I'm doing it wrong 😁
@walter-weinmann on which Oracle version are you? Can you run select ut.version() from dual from your sysdba role?

@jgebal
Member

jgebal commented Mar 15, 2019

This is related to potential security risk when running packages that have AUTHID CURRENT_USER from SYS account.
Your code suddenly has DBA privs and can do whatever you want.

In general, you should never be using/running code that has AUTHID CURRENT_USER as SYS/SYSDBA unless you're 100% sure no one was messing with that code.

So you need to execute:
GRANT INHERIT PRIVILEGES ON USER SYS TO UT3;
But again - probably bad idea and probably most DBAs would kill you for this :)

@jgebal
Member

jgebal commented Mar 15, 2019

pesse added a commit that referenced this issue Mar 19, 2019
- Adds some Unit-Tests around parsing connectString
- Allows user-part of the connectstring to contain "/" if enclosed in double quotes (e.g. "my/user"/pass@connectstring)
- Allows password-part of the connectstring to contain "@" if enclosed in double quotes (e.g. app/"myP@ssw/rd="@connecstring)
- Allows to connect as sysdba via adding the "as" part to the username (e.g. "sys as sysdba"/pass@connectstring) (Fixes #115)
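
The connect-string rules listed in the commit message above, sketched as a small parser that also raises the SYSDBA warning discussed in the thread. This is an added example, not utPLSQL-cli's own code; `parse_connect_string`, `ConnectInfo` and the warning wording are hypothetical names and text chosen for illustration.

```python
import re
from typing import NamedTuple, Optional

# One part is either "double quoted" (may hold / and @) or a bare run without them.
_PART = r'"[^"]*"|[^/@"]+'
_CONNECT = re.compile(rf'^(?P<user>{_PART})/(?P<pw>{_PART})@(?P<db>.+)$')
_AS_ROLE = re.compile(r'^(?P<name>.+?)\s+as\s+(?P<role>sysdba)$', re.IGNORECASE)

# Constructed wording; the thread only agrees that a warning should be shown.
SYSDBA_WARNING = "connecting AS SYSDBA: running tests with SYS privileges is not recommended"


class ConnectInfo(NamedTuple):
    user: str
    password: str
    connect: str
    role: Optional[str]     # "SYSDBA" when the user part carries "as sysdba"
    warning: Optional[str]  # set whenever the privileged role is requested


def _unquote(part: str) -> str:
    # The regex guarantees a part that opens with a quote also closes with one.
    return part[1:-1] if part.startswith('"') else part


def parse_connect_string(raw: str) -> ConnectInfo:
    """Split user/password@connect, honouring double-quoted user and password."""
    m = _CONNECT.match(raw.strip())
    if m is None:
        raise ValueError("expected user/password@connect (quote parts containing / or @)")
    user, role = _unquote(m["user"]).strip(), None
    as_role = _AS_ROLE.match(user)
    if as_role:
        user, role = as_role["name"].strip(), as_role["role"].upper()
    if not user:
        raise ValueError("empty user name")
    return ConnectInfo(user, _unquote(m["pw"]), m["db"], role,
                       SYSDBA_WARNING if role else None)


if __name__ == "__main__":
    # Inputs are the three examples from the commit message above.
    for s in ('"my/user"/pass@connectstring',
              'app/"myP@ssw/rd="@connecstring',
              '"sys as sysdba"/pass@connectstring'):
        info = parse_connect_string(s)
        # Never echo the password; report only what an operator needs to see.
        print(info.user, info.role, info.connect, info.warning or "")
```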