Mailing list: Oracle-L

Re: Allowing users to execute shell scripts without seeing password

From: Joseph Amalraj
Date: Mon, 20 Feb 2006 07:39:06 -0800 (PST)

Basically, the /etc/password file is also a password server. If the desired script is put in place of the shell, the 7th item of the line, this userid can become an application id.

Users who have to use this script will have to su to it and enter the application password. It is also possible to limit the number of users who can su to the application id (this depends on the unix platform).

Joseph Amalraj

Jared Still wrote:

If the user has read permissions on the password file, as would be required by this scenario, then nothing is solved.

It does make it much easier for the user to access the passwords directly, as they are now stored in one place.

A better solution is a password server that stores the passwords in an encrypted file, authenticates users and allows them to retrieve only the passwords they are authorized to see.

We are implementing Enterprise Password Server from Argosy Telecrest to do that for the SAs for server passwords.

I use a password server written in Perl that allows retrieving passwords from the command line (or in scripts) and has an API for Perl.

Well of course it is written in Perl.


If you get the password server running, ask me and I will supply the one that works with an encrypted password file.

It has its shortcomings. It should work with certificates rather than a passphrase stored in a users file. Lack of time and insufficient motivation have prevented that particular problem from being resolved.

It is however much better than a user-readable password file.

Jared Still
Certifiable Oracle DBA and Part Time Perl Evangelist   

Received on Mon Feb 20 2006 - 09:39:06 CST
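
An audit for the arrangement Joseph Amalraj describes, added here as an example and not taken from the thread: it lists accounts whose 7th passwd field is not a listed login shell and checks whether the script in that field is writable by group or others. The sample accounts, paths and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find accounts whose 7th passwd field
# is a program other than a listed login shell, i.e. "application ids".

# Constructed sample data; the account names and paths are hypothetical.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
oracle:x:501:501:Oracle owner:/home/oracle:/bin/ksh
appload:x:610:600:Load job id:/home/appload:/opt/app/bin/run_load.sh
nobody:x:99:99:Nobody:/:/sbin/nologin
noshell:x:620:600:Empty 7th field:/home/noshell:
broken:x:700:700:short line:/home/broken'

SAMPLE_SHELLS='/bin/sh
/bin/bash
/bin/ksh
/sbin/nologin'

# audit_app_ids PASSWD_TEXT SHELLS_TEXT
# Prints "<user> <finding> <7th field>" for every entry worth a look.
audit_app_ids() {
    printf '%s\n' "$1" | ALLOWED="$2" awk -F: '
        BEGIN { n = split(ENVIRON["ALLOWED"], s, "\n")
                for (i = 1; i <= n; i++) ok[s[i]] = 1 }
        /^#/ || /^$/ { next }
        NF != 7      { print $1, "MALFORMED", "-"; next }
        $7 == ""     { print $1, "DEFAULT_SHELL", "-"; next }
        !($7 in ok)  { print $1, "SCRIPT_AS_SHELL", $7 }'
}

# script_is_tamperable PATH
# Succeeds when PATH exists and is writable by group or others: anyone with
# that write access controls what runs under the application id.
script_is_tamperable() {
    [ -e "$1" ] || return 1
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# Report over the sample; on a real host pass "$(cat /etc/passwd)" and
# "$(cat /etc/shells)" instead.
audit_app_ids "$SAMPLE_PASSWD" "$SAMPLE_SHELLS" | while read -r user finding path; do
    note=""
    [ "$finding" = SCRIPT_AS_SHELL ] && script_is_tamperable "$path" && note=" WRITABLE"
    printf '%s\t%s\t%s%s\n' "$user" "$finding" "$path" "$note"
done
```

An empty 7th field is reported separately because the system then falls back to its default shell, which gives the account an interactive login rather than the intended script.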