RE: ps -ef | grep sqlplus

I can't get this page to come up but I suspect it is an old piece of code that pads a bunch of spaces so that the password is hidden when a user does a "ps -ef" command. Beware, this is not foolproof. There are X-Windows utilities in almost all incarnations of UNIX that show the complete line, no matter how long it is. Also, I think in Solaris that you could probably find it in /proc which is readable by the world.

There are a lot of arguments against this, but I have always found externally identified accounts the easiest and least difficult to manage solution to this problem. The main caveat is maintaining two separate schemas when performing grants. If you do it from the start then it is quite easy.

So, make yourself an "ops$oracle" account and grant it DBA. Then run the jobs from the oracle crontab and start sqlplus like this: sqlplus /

Easy enough! I'm sure there will be security comments against this. If someone has compromised your oracle UNIX account, then logging into the database without a password as a dba is probably the least of your worries.

Hope this helps.

--Michael

-----Original Message-----
Sent: Tuesday, June 19, 2001 3:04 PM
To: Multiple recipients of list ORACLE-L

We recognized the same problem and found this program as an answer:

http://www.orafaq.org/scripts/c_src/hide.txt

Michael Armstead
Application Database Administrator, OCP-Certified US Pharmaceuticals IT
Glaxo SmithKline

> -----Original Message-----
> From: Kris Austin [SMTP:kaustin_at_advance.net]
> Sent: Tuesday, June 19, 2001 2:38 PM
> To: Multiple recipients of list ORACLE-L
> Subject: ps -ef | grep sqlplus
>
>
>
>
>
> hi,
>
> do you know how to hide oracle passwords from ps -ef? we pass in our pw in
> cron, and it shows up when you run ps -ef (to check unix processes). i
> recognize that is this NOT a smart thing to do...
>
> can anyone recommend a better way of supplying oracle passwords when
> scripts are connecting to oracle? do you use config files that store
> pws? just curious what everyone else is doing to plug this security hole.
>
> thanks,
> kris
>
> --
> Please see the official ORACLE-L FAQ: http://www.orafaq.com
> --
> Author: Kris Austin
> INET: kaustin_at_advance.net
>
> Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
> San Diego, California -- Public Internet access / Mailing Lists
> --------------------------------------------------------------------
> To REMOVE yourself from this mailing list, send an E-Mail message
> to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
> the message BODY, include a line containing: UNSUB ORACLE-L
> (or the name of mailing list you want to be removed from). You may
> also send the HELP command for other information (like subscribing).

-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.com
-- 
Author: Armstead, Michael A
  INET: maa25681_at_GlaxoWellcome.com

Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
San Diego, California        -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).
-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.com
-- 
Author: Jenkins, Michael
  INET: Michael.Jenkins_at_Nextel.com

Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
San Diego, California        -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).