John,

Search on Metalink for 'hide'. It's a simple C routine that buffers out ps output such that you can't see username/passwords when scraping the process list. Method of install is to take any password-oriented binary (exp, sqlldr, tkprof, sqlplus, imp ...) and rename it exp.hide, tkprof.hide ... You then create a soft link between hide and the now nonexistent binary. When you execute tkprof, hide kicks in and masks any parameters such that ps output shows only tkprof (and not tkprof system/manager ...). The Metalink document describes this in detail (so I remember).

I use it as a standard part of all Oracle version installs. It's not the be-all and end-all, however. I've heard (but not seen) that some BSD ps versions (which I do not know) have parameters to circumvent such buffering. That said, having hide in place is a good step in the right direction. You might be careful, but someone else might get lazy and throw passwords at sqlplus ready for compromise. Hide will give you protection in this case.

I believe some previous recommendations involved storing passwords in scripts. Although functional, this method simply presents another security risk. Unless you have strict directory or file perms on such scripts, they too could be compromised. :-(

HTH,
Casey

--
Author: Casey Dyke
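An added example, not part of the original message and not Oracle's hide code: a small audit that scans process-list output for the exposure described above, so you can confirm that the tools named in the message show no credentials once hide is in place. The `ps -eo pid,user,args` column layout, the matching heuristic and the sample lines are assumptions constructed for illustration.

```python
import re

# Oracle client tools named in the message that take credentials as arguments.
TOOLS = {"exp", "imp", "sqlldr", "sqlplus", "tkprof"}

# user/password[@alias], optionally behind userid= or explain= (heuristic, an assumption).
CRED = re.compile(r"^(?:(userid|explain)=)?([A-Za-z][\w$#]*)/[^\s@/]+(?:@\S+)?$", re.I)

# Constructed sample of `ps -eo pid,user,args` output; not taken from a real host.
SAMPLE_PS = [
    "  PID USER     COMMAND",
    " 4121 oracle   sqlplus scott/tiger@orcl @report.sql",
    " 4188 oracle   /u01/app/oracle/bin/tkprof ora_991.trc out.prf explain=system/manager",
    " 4250 batch    exp userid=hr/hrpw file=/backup/hr.dmp",
    " 4302 oracle   sqlplus /nolog",
    " 4377 oracle   tkprof",  # what ps shows when the arguments are masked
    " 4401 oracle   vi notes/todo.txt",
]

def find_exposed(ps_lines):
    """Return (pid, owner, tool, db_user) per exposed credential; never the password."""
    findings = []
    for line in ps_lines:
        parts = line.split()
        if len(parts) < 3 or not parts[0].isdigit():
            continue  # header or malformed line
        pid, owner, argv = int(parts[0]), parts[1], parts[2:]
        tool = argv[0].rsplit("/", 1)[-1]  # strip any directory prefix
        if tool not in TOOLS:
            continue
        for pos, arg in enumerate(argv[1:], start=1):
            m = CRED.match(arg)
            # Bare user/password counts only as the first argument, and not for
            # tkprof, whose first argument is a trace file path.
            if m and (m.group(1) or (pos == 1 and tool != "tkprof")):
                findings.append((pid, owner, tool, m.group(2)))
                break
    return findings

if __name__ == "__main__":
    for pid, owner, tool, db_user in find_exposed(SAMPLE_PS):
        print(f"pid {pid} ({owner}): {tool} exposes the password for {db_user}")
```

The findings carry the database user name but deliberately omit the password, so the audit output can be logged without repeating the leak.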
