Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: Allowing users to execute shell scripts without seeing password

From: Jared Still <jkstill_at_gmail.com>
Date: Sun, 19 Feb 2006 09:47:23 -0800
Message-ID: <bf46380602190947v1148001aub1531b0a5a7a7dd3@mail.gmail.com>


On 2/19/06, Michael Haddon <m.haddon_at_comcast.net> wrote:
>
> One solution you might consider is to store the password in another file
> that is read in by the setuid script. As the user executes the script, which
> he/she has read permissions on, the script can read an encrypted/plain text
> file that is only readable by the owner.
>

If the user has read permissions on the password file, as would be required by this scenario, then nothing is solved.

It does make it much easier for the user to access the passwords directly, as they are now stored in one place.

A better solution is a password server that stores the passwords in an encrypted file, authenticates users and allows them to retrieve only the passwords they are authorized to see.

We are implementing Enterprise Password Server from Argosy Telecrest to do that for the SAs for server passwords.

I use a password server written in Perl that allows retrieving passwords from the command line (or in scripts) and has an API for Perl.

Well of course it is written in Perl.

See http://jaredstill.com/books.html

If you get the password server running, ask me and I will supply the one that works with an encrypted password file.

It has its shortcomings. It should work with certificates rather than a passphrase stored in a user's file. Lack of time and insufficient motivation have prevented that particular problem from being resolved.

It is however much better than a user-readable password file.

Jared Still
Certifiable Oracle DBA and Part Time Perl Evangelist

--
http://www.freelists.org/webpage/oracle-l
Received on Sun Feb 19 2006 - 11:47:23 CST
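The password-server design described in the message above (encrypted store, caller authentication, retrieval limited to authorized entries) as an added, self-contained example. This is illustration code written for this page, not Jared Still's Perl server nor the Argosy product; it uses only the Python standard library, so the "encryption" is a PBKDF2-derived key driving an HMAC-SHA256 keystream with an encrypt-then-MAC tag (a stand-in for a real AEAD cipher), and the users, entry names, passwords and ACL are constructed sample data. The server is unlocked with a passphrase supplied at start-up, which is exactly the weakness the message notes (it should be a certificate instead).

```python
import hashlib
import hmac
import json
import os

PBKDF2_ITERATIONS = 100_000


def _derive_key(passphrase: bytes, salt: bytes) -> bytes:
    """Stretch a passphrase or user password into a 32-byte key/verifier."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, PBKDF2_ITERATIONS, dklen=32)


def _subkeys(key: bytes):
    """Separate encryption and MAC keys derived from one master key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib-only stand-in for a stream cipher."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(passphrase: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Layout: salt(16) | nonce(16) | ciphertext | tag(32)."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _subkeys(_derive_key(passphrase, salt))
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + body, hashlib.sha256).digest()
    return salt + nonce + body + tag


def open_sealed(passphrase: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong passphrase or tampering raises."""
    if len(blob) < 64:
        raise ValueError("blob too short")
    salt, nonce, body, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _subkeys(_derive_key(passphrase, salt))
    expected = hmac.new(mac_key, salt + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("store tampered or wrong passphrase")
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))


def make_user(password: str):
    """Salted PBKDF2 verifier for a user; the plaintext password is never stored."""
    salt = os.urandom(16)
    return salt, _derive_key(password.encode(), salt)


class PasswordServer:
    """Authenticate the caller, then hand out only the entries the ACL grants."""

    def __init__(self, server_passphrase: bytes, store_blob: bytes, users: dict, acl: dict):
        self._passphrase = server_passphrase  # assumption: supplied by the operator at start-up
        self.store = store_blob               # encrypted at rest, decrypted per request
        self._users = users                   # user -> (salt, verifier)
        self._acl = acl                       # user -> set of entry names

    def _authenticate(self, user: str, password: str) -> None:
        rec = self._users.get(user)
        # Run the KDF for unknown users too, so timing does not reveal valid names.
        salt, verifier = rec if rec else (b"\0" * 16, b"\0" * 32)
        candidate = _derive_key(password.encode(), salt)
        if rec is None or not hmac.compare_digest(candidate, verifier):
            raise PermissionError("authentication failed")

    def retrieve(self, user: str, password: str, entry: str) -> str:
        self._authenticate(user, password)
        if entry not in self._acl.get(user, set()):
            raise PermissionError(f"{user} is not authorized for {entry}")
        secrets = json.loads(open_sealed(self._passphrase, self.store).decode())
        return secrets[entry]


def build_demo_server() -> PasswordServer:
    """Constructed sample data (not from the post): two users, three secrets, an ACL."""
    server_passphrase = b"operator-supplied-passphrase"
    secrets = {"oracle:PROD/sys": "s3cr3t-sys", "oracle:PROD/app": "app-pw-2006",
               "unix:db01/root": "r00t-pw"}
    store = seal(server_passphrase, json.dumps(secrets).encode())
    users = {"dba": make_user("dba-password"), "sa": make_user("sa-password")}
    acl = {"dba": {"oracle:PROD/sys", "oracle:PROD/app"}, "sa": {"unix:db01/root"}}
    return PasswordServer(server_passphrase, store, users, acl)


def run_checks() -> dict:
    """Authorized retrieval, unauthorized entry, bad credentials, opaque store."""
    srv = build_demo_server()
    results = {"dba_sys": srv.retrieve("dba", "dba-password", "oracle:PROD/sys"),
               "sa_root": srv.retrieve("sa", "sa-password", "unix:db01/root"),
               "plaintext_in_store": b"s3cr3t-sys" in srv.store}
    for name, args in {"sa_sys": ("sa", "sa-password", "oracle:PROD/sys"),
                       "dba_badpw": ("dba", "wrong", "oracle:PROD/sys"),
                       "unknown": ("eve", "x", "oracle:PROD/sys")}.items():
        try:
            srv.retrieve(*args)
            results[name] = "allowed"
        except PermissionError:
            results[name] = "denied"
    try:
        open_sealed(b"wrong-passphrase", srv.store)
        results["wrong_passphrase"] = "opened"
    except ValueError:
        results["wrong_passphrase"] = "rejected"
    return results


if __name__ == "__main__":
    for name, outcome in run_checks().items():
        print(f"{name}: {outcome}")
```

The ACL check in `retrieve` is the piece the setuid-script scenario lacks: the script gives anyone who can run it the whole file, whereas here the store is never readable by callers and each caller sees only the entries granted to them. In a real deployment the server process would hold the unlocked key and callers would talk to it over an authenticated channel rather than importing the class; that transport layer is left out here.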
