Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Usenet -> c.d.o.server -> Re: sqlplus security

Re: sqlplus security

From: <mujeeb_ur_rehman_at_hotmail.com>
Date: Sun, 21 Jun 1998 15:06:32 GMT
Message-ID: <6mj7hn$81f$1@nnrp1.dejanews.com> 





Well to make people enter username and password u can do one thing that
rename the sqlplus program to some other name and then make shell script that
call sqlplus this way even if users supply parameter to it their will be no
effect of it.



Second simply restrict access to ps command. Why other people need that in the
first place.



Or u as administrator use ps and if found anyone using sqlplus
username/password, go and change the password of the user this will teach them
the lesson not to use in this way.



Now it is up to u what ever way u want to control this :)






In article <uvhpxsgqz.fsf_at_us.oracle.com>,
  rwessman_at_us.oracle.com wrote:


>


> This will work, but it is very dangerous. Using this method, a user on a PC


> can impersonate any database user. Use it with care.


>


> Another, more secure, method would be to use one of the mechanisms supported


> by the Advanced Networking Option.


>


>                                         Rick


>                                         Rick Wessman


>                                         Distributed Data Security


>                                         Oracle Corporation


>                                         rwessman_at_us.oracle.com


>


> "Bao Phan" <baophan_at_nmmcc.com> writes:


>


> >


> > You can consider using OS authentication method, OS user/password will be


> > used when login in to oracle database. You can then run sqlplus by typing


> > sqlplus /


> >


> > Bao Phan - DBA.


> >


> > Bobby Mander wrote in message <6m5tip$rgp_at_anchor.cis.att.com>...


> > >Hi.  Is there any way to prevent users from logging in


> > >to the database using:


> > >


> > >$ sqlplus <user>/<password>


> > >


> > >This presents a security problem since anyone doing a ps


> > >can pick these up.


> > >


> > >We would like people to login using:


> > >$ sqlplus


> > >Enter user-name: <user>


> > >Enter password:  <password>


> > >


> > >Alternatively can sqlplus disguise it's command line arguments so no one


> > >can pick them up?


> > >


> > >--


> > >---------------------------------------------------


> > >Bobby Mander          bum_at_hyperplane.com


> > >Hyperplane, Inc.      bmander_at_att.net


> > >                      http://home.att.net/~bmander/


> >


> >


>






-----== Posted via Deja News, The Leader in Internet Discussion ==-----
http://www.dejanews.com/   Now offering spam-free web-based newsreading
Received on Sun Jun 21 1998 - 10:06:32 CDT












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US