ORA-01994: GRANT failed: password file missing or disabled

刘泽宇

现象：
Trying to grant SYSDBA to SYSTEM or any other user fails with :

ORA-01994: GRANT failed: password file missing or disabled

However, when using truss or tusc or any other tool to trace OS system calls, you can verify the passwordfile exists :

stat("/oracle/home/10202/dbs/orapwmysid", 0x800003ffbfffb2d0) = 0

stat("/oracle/home/10202/dbs/orapwmysid", 0x800003ffbfffb2d0) = 0



原因：
The passwordfile is not owned by the oracle code owner (by default this is 'oracle').

This error happens when you use 10.2 for the following reasons:

1. If there is no valid passwordfile even with parameter remote_login_passwordfile = exclusive and you login and startup the instance using OS authentication.

No more check is done on the existence and validity of the passwordfile where in previous versions an ORA-1990 would have occurred. This however appears to be a 'feature' as this behaviour is regarded as 'not a bug' in bug 5352417 such that on 10.2, this behaviour has been modified so that password file checking does not take place during DB mount nor DB creation. That's why you do not get the ORA-1990 anymore.

This is no security violation, since the user that starts the database does not require the passwordfile to login AS SYSDBA.

2. Now the second reason is : even if there is a passwordfile $ORACLE_HOME/dbs/orpw$ORACLE_SID , it is mandatory that it is owned by the same Unix user that owns the instance, typically 'oracle'. This extra check was added for security reason.


处理方法：
1. Login as the same unix user that owns the file $ORACLE_HOME/bin/oracle and (re)create the passwordfile as follows:


$ orapwd file=$ORACLE_HOME/dbs/orapw$ORACLE_SID password=newsyspassword entries=16 force=y
2. Then grant SYSDBA to all db users that should have this privilege, verify checking dynamic view V$PWFILE_USERS.

3. To check the correct ownership issue the following command:

$ ls -l $ORACLE_HOME/dbs/orapw$ORACLE_SID
The output would typically be:

-rwSr----- 1 oracle dba 4096 Sep 15 /home/10202/dbs/orapwmysid
The commands to get to this are:  


$ chown oracle:dba $ORACLE_HOME/dbs/orapw$ORACLE_SID

$ chmod 4640 $ORACLE_HOME/dbs/orapw$ORACLE_SID