Yes, I misunderstood. Once I change the password, I can no longer connect to the account.
My hasty little test was missing an important condition: I should have
pretended I didn't know the password to the other database, which would
prevent me from logging back on exploiting the db link.

Wonder if there's a way around it though?

I spent a few minutes looking for a way around that problem, and
couldn't find one. Oracle may have covered the bases on this; they've
had a few years to perfect it.

Jared

On Mon, 2003-12-22 at 21:19, Yong Huang wrote:
> Hey, you're working late!
>
> OK. I think you misunderstood. I know you take SYSTEM as an example user.
> Let's say it's SCOTT who has select_catalog_role. If you login to your own
> database as SCOTT and change his password hash value, you don't know the
> clear text password any more. How can you log out and log back in as SCOTT?
> That's why I ask if you can use the link without logging out after changing
> the password?
>
> Yong
>
> --- Jared Still <[EMAIL PROTECTED]> wrote:
> > It doesn't matter which account I logged into DB2 with, as
> > long as that account has privileges to read DBA_USERS.
> >
> > SYSTEM was used simply because it was the only account
> > on the database that could be logged into remotely, so
> > my test could be run without switching between machines.
> >
> > If I had granted SELECT_CATALOG_ROLE to scott, I could
> > have logged in as SCOTT and done the same.
> >
> > Jared
> >
> > On Mon, 2003-12-22 at 20:19, Yong Huang wrote:
> > > Jared,
> > >
> > > I see you log out and log back in as SYSTEM to DB2. But how do you
> > > know the password for SYSTEM to log back in with after you change it?
> > >
> > > What if you don't log out? When I tried that (i.e. not logging out),
> > > I got ORA-1017.
> > >
> > > Yong Huang
> > >
> > > --- Jared Still <[EMAIL PROTECTED]> wrote:
> > > > Environment:
> > > >
> > > > DB1: RH 8.0 with Oracle EE 9.2.0.4
> > > >
> > > > DB2: Win2k SP3 with Oracle EE 9.2.0.1
> > > >
> > > > SYSTEM user on each database initially have different passwords.
> > > >
> > > > It goes something like this:
> > > >
> > > > DB1:
> > > >
> > > >   select password from dba_users where username = 'SYSTEM';
> > > >
> > > > Let's say the result is 'AC424SDK4398'
> > > >
> > > > DB2:
> > > >
> > > > Logon to DB2 as SYSTEM.
> > > >
> > > >   alter user SYSTEM identified by values 'AC424SDK4398';
> > > >   create database link systemlink using 'DB1';
> > > >
> > > > Logout, and log back on to DB2 as SYSTEM.
> > > >
> > > >   select count(*) from [EMAIL PROTECTED];
> > > >
> > > > Works for me in this environment. DB2 is compromised.
> > > >
> > > > HTH
> > > >
> > > > Jared
> > > >
> > > > On Mon, 2003-12-22 at 08:29, Yong Huang wrote:
> > > > > Hi, Gregory,
> > > > >
> > > > > I only have access to Oracle 9.2 on my laptop. Here's my test. I
> > > > > have ORCL and AUX1 databases, the latter created by RMAN DUPLICATE
> > > > > some time ago. I logon AUX1 as SYSTEM. Set SYSTEM password hash
> > > > > value to the same as in ORCL. Create link L to ORCL without
> > > > > password. Selecting from a table in ORCL @L (i.e. select * from
> > > > > [EMAIL PROTECTED]) throws ORA-1017 invalid username/password.
> > > > >
> > > > > Alternatively, I logon as SYS and create a procedure owned by
> > > > > SYSTEM, with one line execute immediate('select count(*) from
> > > > > [EMAIL PROTECTED]'). When I execute system.<this procedure> as SYS,
> > > > > I get ORA-1005 null password given. (I could use DBMS_SYS_SQL but
> > > > > using the execute immediate trick obviates the need to remember
> > > > > the syntax in that undocumented package).
> > > > >
> > > > > If I use connect to current_user to create the link, I always get
> > > > > ORA-28030 Server encountered problems accessing LDAP directory
> > > > > service.
> > > > >
> > > > > Could you try on your databases and show how you do it? As I said,
> > > > > this may be a security problem. I'm just too ignorant of it and
> > > > > can't reproduce it for now.
> > > > >
> > > > > Yong Huang
> > > > >
> > > > > Norris, Gregory T [ITS] wrote:
> > > > >
> > > > > There's no reason I can see that he couldn't create the dblink
> > > > > first, and then reset the password using the encrypted value.
> > > > > Alternately, the dblink could be created using the DBMS_SYS_SQL
> > > > > package... no knowledge of the current password required.
> > > > >
> > > > >   create database link foo
> > > > >   connect to current_user
> > > > >   using 'bar';

--
Author: Jared Still
  INET: [EMAIL PROTECTED]
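
Added example, not part of the original thread: an audit a DBA could run on each database to see which accounts hold the capabilities the test above depends on (reading DBA_USERS, ALTER USER, creating database links) and which existing links carry no stored credentials. It assumes the standard data dictionary views DBA_ROLE_PRIVS, DBA_SYS_PRIVS, DBA_TAB_PRIVS and DBA_DB_LINKS and a session allowed to query them.

```sql
-- 1. Direct grants of the capabilities named in the thread.
--    Roles granted through other roles are not expanded here.
SELECT grantee,
       'ROLE' AS granted_via,
       granted_role AS capability
  FROM dba_role_privs
 WHERE granted_role IN ('SELECT_CATALOG_ROLE', 'DBA')
UNION ALL
SELECT grantee,
       'SYSTEM PRIVILEGE',
       privilege
  FROM dba_sys_privs
 WHERE privilege IN ('SELECT ANY DICTIONARY',
                     'ALTER USER',
                     'CREATE DATABASE LINK',
                     'CREATE PUBLIC DATABASE LINK')
UNION ALL
SELECT grantee,
       'OBJECT PRIVILEGE',
       privilege || ' ON ' || owner || '.' || table_name
  FROM dba_tab_privs
 WHERE table_name = 'DBA_USERS'
   AND privilege = 'SELECT'
 ORDER BY 1, 2, 3;

-- 2. Database links that store no fixed credentials.
--    A NULL username is a connected-user link (the kind created by
--    "create database link systemlink using 'DB1'"); CURRENT_USER marks
--    a "connect to current_user" link.
SELECT owner,
       db_link,
       NVL(username, '(connected user)') AS connects_as,
       host,
       created
  FROM dba_db_links
 WHERE username IS NULL
    OR username = 'CURRENT_USER'
 ORDER BY owner, db_link;
```

Any grantee in the first result that is not an administrator, and any link in the second that nobody can account for, is worth reviewing on both the local and the remote database.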