Re: Hide SqlPlus username/password in UNIX Script
From: Tim X <timx_at_spamto.devnul.com>
Date: 24 Apr 2003 15:22:38 +1000
Message-ID: <87he8osc4h.fsf_at_tiger.rapttech.com.au>
>>>>> "Gil" == gilgantic <gilgantic_at_yahoo.com> writes:
Gil> I want to hide the username and password when I run SqlPlus on
Gil> in a UNIX script. How do I do this?
Gil> My original solution was to I execute the script under a super
Gil> user (root user), which has no password, but the
Gil> Example of what I have so far ...
Gil> echo "execute sample;" | $ORACLE_HOME/bin/sqlplus scott/tiger
Gil> Step 1: I login to UNIX using scott/tiger for username/password
Gil> Step 2: I change to the Super User (ie. su superuser), which has
Gil> no password
Gil> Step 3: Run the script with following line ...
Gil> echo "execute sample;" | $ORACLE_HOME/bin/sqlplus superuser/
Gil> I tried changing the username/password to the superuser.
Gil> Of course, this failed. My reason for Step 3, was since
Gil> superuser had no password associated with it, it would
Gil> automatically login.
Gil> Thanks! Gil
Just a couple of comments
- I hope I misunderstand your statement that the superuser has no password! If this is the case, the problem of your username/password being seen is irrelevant compared to the HUGE security hole of having a superuser without a password.
- If what you are really worried about is using the password on the command line, which means it is visible to anyone on the server who can run the ps command, then you might be interested in using a HERE document. This is a shell scripting technique where you use redirection so that a command takes its input from lines within the script itself. Using this technique means the password is not passed as a command line argument and therefore is not visible to the ps command. You can then use file permission settings (read permission) to restrict who can read the file and see the password in the script. Any decent book on unix scripting will cover here documents. Essentially you have the following structure
command <<EOF
line
line
line
EOF
Where everything from the first EOF is sent to the command, a line at a
time, and executed as if it had been entered via standard input.
Tim
--
Tim Cross
The e-mail address on this message is FALSE (obviously!). My real e-mail is to a company in Australia called rapttech and my login is tcross - if you really need to send mail, you should be able to work it out!

Received on Thu Apr 24 2003 - 07:22:38 CEST
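
The here-document approach described in the reply above, written out as an added example (it is not part of the original message). The names run_sql, cred_file_is_private, SQLPLUS and the one-line user/password credential file are assumptions made for this example; it starts SQL*Plus with /nolog so that no credentials appear in the argument list, and refuses to run if the credential file is readable by group or other.

```shell
#!/bin/sh
# Added example: keep the SQL*Plus password out of the process argument list
# (what ps shows) by sending CONNECT on standard input from a here document.
# SQLPLUS, run_sql and cred_file_is_private are names chosen for this example.

SQLPLUS="${SQLPLUS:-${ORACLE_HOME:-}/bin/sqlplus}"

# Succeed only if $1 is a regular file with no group/other permission bits
# (for example mode 600 or 400). Characters 5-10 of "ls -l" output are the
# group and other permission bits.
cred_file_is_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# run_sql CRED_FILE SQL
# CRED_FILE holds a single line of the form user/password.
run_sql() {
    cred_file=$1
    sql=$2
    if ! cred_file_is_private "$cred_file"; then
        echo "refusing: $cred_file is missing or readable by group/other" >&2
        return 2
    fi
    # read is a shell builtin, so the password never becomes an argument
    # of any process; the second test accepts a file without a final newline.
    IFS= read -r creds < "$cred_file" || [ -n "$creds" ] || return 2
    # -s (silent) and /nolog start SQL*Plus without logging in; the
    # credentials arrive only on its standard input.
    rc=0
    "$SQLPLUS" -s /nolog <<EOF || rc=$?
whenever sqlerror exit failure
connect $creds
$sql
exit
EOF
    unset creds
    return "$rc"
}
```

Called as run_sql /path/to/credfile "execute sample;" after a chmod 600 on the credential file, the ps listing shows only "sqlplus -s /nolog".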