I can't get this page to come up but I suspect it is an old piece of code
that pads a bunch of spaces so that the password is hidden when a user does
a "ps -ef" command.  Beware, this is not foolproof.  There are X-Windows
utilities in almost all incarnations of UNIX that show the complete line, no
matter how long it is.  Also, I think in Solaris that you could probably
find it in /proc which is readable by the world.

There are a lot of arguments against this, but I have always found
externally identified accounts the easiest and least difficult to manage
solution to this problem.  The main caveat is maintaining two separate
schemas when performing grants.  If you do it from the start then it is
quite easy.

So, make yourself an "ops$oracle" account and grant it DBA.  Then run the
jobs from the oracle crontab and start sqlplus like this:  sqlplus /

Easy enough!  I'm sure there will be security comments against this.  If
someone has compromised your oracle UNIX account, then logging into the
database without a password as a dba is probably the least of your worries.

Hope this helps.

--Michael

-----Original Message-----
Sent: Tuesday, June 19, 2001 3:04 PM
To: Multiple recipients of list ORACLE-L


We recognized the same problem and found this program as an answer:

http://www.orafaq.org/scripts/c_src/hide.txt

Michael Armstead        
Application Database Administrator, OCP-Certified
US Pharmaceuticals IT
Glaxo SmithKline

> -----Original Message-----
> From: Kris Austin [SMTP:[EMAIL PROTECTED]]
> Sent: Tuesday, June 19, 2001 2:38 PM
> To:   Multiple recipients of list ORACLE-L
> Subject:      ps -ef | grep sqlplus
> 
> hi,
> 
> do you know how to hide oracle passwords from ps -ef? we pass in our pw in
> cron, and it shows up when you run ps -ef (to check unix processes). i
> recognize that this is NOT a smart thing to do...
> 
> can anyone recommend a better way of supplying oracle passwords when
> scripts are connecting to oracle? do you use config files that store
> pws? just curious what everyone else is doing to plug this security hole.
> 
> thanks,
> kris
> 
> -- 
> Please see the official ORACLE-L FAQ: http://www.orafaq.com
> -- 
> Author: Kris Austin
>   INET: [EMAIL PROTECTED]
> 
> Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
> San Diego, California        -- Public Internet access / Mailing Lists
> --------------------------------------------------------------------
> To REMOVE yourself from this mailing list, send an E-Mail message
> to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
> the message BODY, include a line containing: UNSUB ORACLE-L
> (or the name of mailing list you want to be removed from).  You may
> also send the HELP command for other information (like subscribing).

Author: Armstead, Michael A
  INET: [EMAIL PROTECTED]

Author: Jenkins, Michael
  INET: [EMAIL PROTECTED]
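
Added example, not part of the original thread or any poster's code: a small shell audit for the problem discussed above. It flags crontab or "ps -ef" lines where sqlplus is given user/password on the command line and accepts the "sqlplus /" form. The function name, sample lines, paths and account names are constructed for illustration.

```shell
#!/bin/sh
# Reads crontab or "ps -ef" lines on stdin, prints each line that passes a
# user/password logon string to sqlplus (password redacted), and returns
# status 1 if any such line was seen, 0 otherwise.
audit_sqlplus_argv() {
    awk '
    {
        hit = 0
        for (i = 1; i <= NF; i++) {
            # locate the sqlplus token, bare or with a leading path
            if ($i !~ "(^|/)sqlplus$") continue
            for (j = i + 1; j <= NF; j++) {
                if ($j ~ "^-") continue   # value-less options such as -s, -L
                # The first non-option argument is the logon string.
                # "/" and "/nolog" hold no secret; user/password[@db] does.
                if ($j ~ "^[^/@]+/[^@]+(@.*)?$") {
                    sub("/[^@]+", "/********", $j)
                    hit = 1
                }
                break
            }
        }
        if (hit) { print; found = 1 }
    }
    END { exit (found ? 1 : 0) }
    '
}

# Constructed sample input: two password-bearing lines, two safe ones.
sample_lines() {
cat <<'EOF'
0 2 * * * /u01/app/oracle/bin/sqlplus -s scott/tiger@PROD @/home/oracle/nightly.sql
oracle 4242 1 0 14:38 ? 00:00:00 sqlplus -s app_owner/s3cret @load.sql
15 3 * * * sqlplus -s / @/home/oracle/stats.sql >/tmp/logs/stats.log
30 3 * * * sqlplus -s /nolog @/home/oracle/report.sql
EOF
}

sample_lines | audit_sqlplus_argv ||
    echo "sqlplus command lines carrying a password were found" >&2
```

Feeding it "crontab -l" output checks the scheduled jobs; feeding it "ps -ef" output checks what is exposed at that moment.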
