Hi Peter, thanks for your advice. I'll change it ASAP. Sorry, I haven't seen your previous message.
Regards,
Daniel

> -----Original Message-----
> From: Peter Conrad [mailto:[EMAIL PROTECTED]
> Sent: Montag, 17. März 2003 16:10
> To: [EMAIL PROTECTED]
> Subject: Re: Insecure example in /etc/init.d/sapdb74
>
>
> Hi,
>
> about 3 months ago I sent this email to the list. Since then, nobody
> has replied to it (at least I haven't seen any replies), and the
> issue is still present in sapdb-srv74-7.4.3.10-1.
>
> Could someone from SAP please comment?
>
> Bye,
> Peter
>
> On Fri, Dec 06, 2002 at 11:29:00AM +0100, Peter Conrad wrote:
> > Hi,
> >
> > (I'm talking about the version in sapdb-srv74-7.4.3.7beta-1.i386.rpm here.)
> >
> > The script /etc/init.d/sapdb74 contains a section for starting / stopping
> > the example database after / before the XSERVER has been started / is
> > stopped. It is commented out per default and looks like this:
> >
> >     # to enable auto start/stop testdb remove following comments
> >     #echo -n "Starting TEST db: "
> >     #DBMCLI=$X_PATH/dbmcli
> >     #if [ ! -x $DBMCLI ]; then
> >     #    echo "dbmcli not found" >&2
> >     #    exit 5
> >     #fi
> >     #$DBMCLI -d TST -u dbm,dbm db_warm> /dev/null &
> >
> > The problem is that the DB operator username and password are specified
> > on the commandline and are therefore visible to any local user who happens
> > to run "ps -ax" at that time. Example:
> >
> > [EMAIL PROTECTED]:~ > ps -axwwwww|grep dbmcli
> >  2325 pts/10   S      0:00 /opt/sapdb/indep_prog/bin/dbmcli -d TST -u DBM,DBM db_warm
> >  2333 pts/7    S      0:00 grep dbmcli
> > [EMAIL PROTECTED]:~ >
> >
> > While this is probably not a serious issue for the example database it
> > could become serious if the example code is modified for a production
> > database.
> >
> > I'd recommend changing the DBMCLI command to
> >
> >     $DBMCLI -s -d TST <<__EOI__
> >     user_logon dbm,dbm
> >     db_warm
> >     __EOI__
> >
> > Bye,
> > Peter
>
> --
> Peter Conrad                        Tel: +49 6102 / 80 99 072
> [ t]ivano Software GmbH             Fax: +49 6102 / 80 99 071
> Bahnhofstr. 18
> 63263 Neu-Isenburg
>
> Germany
> _______________________________________________
> sapdb.general mailing list
> [EMAIL PROTECTED]
> http://listserv.sap.com/mailman/listinfo/sapdb.general
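
The check below is an added example, not part of the original thread or of the SAP DB package: a shell function that scans an init script for dbmcli calls that pass "-u user,password" as arguments, the pattern the thread reports as visible through ps. The function names and the sample file are constructed here; the sample reuses the script lines quoted in the thread.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not SAP DB code).

# Print "LINENO:STATE:LINE" for each dbmcli call that carries -u name,password
# on its command line. STATE is "active" or "commented"; a commented line goes
# live as soon as someone follows the "remove following comments" hint.
scan_dbmcli_argv_creds() {
    awk '
        # dbmcli by name or through the DBMCLI variable, then -u <user>,<pw>
        /(dbmcli|DBMCLI)[ \t].*-u[ \t]+[^ \t,]+,[^ \t]+/ {
            state = ($0 ~ /^[ \t]*#/) ? "commented" : "active"
            printf "%d:%s:%s\n", NR, state, $0
        }
    ' "$1"
}

# Constructed sample: the thread's snippet with its comments removed, one call
# left commented out, followed by the stdin form recommended in the thread.
write_sample() {
    cat > "$1" <<'EOF'
DBMCLI=$X_PATH/dbmcli
if [ ! -x $DBMCLI ]; then
    echo "dbmcli not found" >&2
    exit 5
fi
#$DBMCLI -d TST -u dbm,dbm db_warm> /dev/null &
$DBMCLI -d TST -u dbm,dbm db_warm> /dev/null &
$DBMCLI -s -d TST <<__EOI__
user_logon dbm,dbm
db_warm
__EOI__
EOF
}

# Stand-alone run: lines 6 and 7 are reported, the here-document form is not.
sample=$(mktemp)
write_sample "$sample"
scan_dbmcli_argv_creds "$sample"
rm -f "$sample"
```

The here-document form keeps the password out of the process list, but it is still stored in the script, so the script's file permissions decide who can read it.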
