Re: Security Problems of using Pro-C

From: Brian Sachar <sachar_at_iserv.melpar.esys.com>
Date: Wed, 12 Jan 1994 20:58:48 GMT
Message-ID: <sachar.758408328_at_melpar>


alacy_at_hayes.com writes:

>We are in the process of writing some Pro-C programs which will be called via
>SQL*Menu. The question is how the Pro-C program should pick up the Oracle
>Name and Password? We are running Oracle ver 6, with Unix on a Solbourne
>Computer running Sun OS. We have come up with the following options:
>
>1. Hard code the name and password. This is not considered as valid
> solution.
>2. Pass the name and password as parameters to the Pro-C program. The
> problem with this option is that anyone with access to the Unix
> command "ps" can easily see the parameters.
>3. Store the name and password as environment variables and have the
> Pro-C program look there for them. The problem with this is there is
> an option to "ps" to which will show the environment.
>
>It appears that any of these options will allow people to see the passwords.
>But when I use an Oracle tool option 2 seems to work. I.e. if I use
>
> sqlplus name/password @program
>
>The name and password do not show when I do a "ps". This appears to work for
>all the tools provided by Oracle. Does anyone know how to code a Pro-C program
>so that it does the same thing? I think this would cover my security problem
>of using Pro-C.

When a name/password combination is entered as a parameter, it should show up with the "ps" command, assuming the "-f" option is used.

Method 3 is probably a safer bet than Method 2 because some versions of "ps" do not have the environment option.

Another possibility is to use the "<<" operator to pass the password through standard input. For example,

    sqlplus @program <<eoi
    name/password
    eoi

The above assumes you don't need to use standard input for any other input.

Safer yet:

    sqlplus @program <<eoi
    $SQL_ID/$SQL_PW
    eoi

where SQL_ID & SQL_PW are not part of the environment (i.e. they are local to the script executing the sqlplus command).

I'm not sure of any security problems with using standard input, but I'm sure there are some...

Received on Wed Jan 12 1994 - 21:58:48 CET
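The three hand-over methods discussed above, as an added example that is not part of the original thread: a real child process is started with the credential in argv, in an exported variable, and on a here-document from unexported script variables, and reports where it can see the credential in its own /proc entries (assumes Linux; the child script is a constructed stand-in for the Pro*C program, and "scott/tiger" is a constructed sample credential).

```shell
#!/bin/sh
# Added example, not from the original post. The child reads /proc/<pid>/cmdline
# and /proc/<pid>/environ, which is the same data "ps -f" and "ps e" print.

# Child script: looks for the constructed sample password "tiger" in its own
# argv, its environment and the first line of stdin, then prints one report line.
CHILD='
pw=tiger
a=no; e=no; s=no
tr "\000" "\n" < /proc/$$/cmdline | grep -qx -e "scott/$pw" && a=yes
tr "\000" "\n" < /proc/$$/environ | grep -q -e "=$pw\$" && e=yes
IFS= read -r line && [ "$line" = "scott/$pw" ] && s=yes
printf "argv=%s env=%s stdin=%s\n" "$a" "$e" "$s"
'

# Option 2 from the question: credential as a command-line argument.
leak_via_argv() {
    sh -c "$CHILD" probe scott/tiger </dev/null
}

# Option 3 from the question: credential exported into the child's environment.
leak_via_env() {
    SQL_ID=scott SQL_PW=tiger sh -c "$CHILD" probe </dev/null
}

# The reply's suggestion: plain (unexported) script variables fed through a
# here-document, so neither argv nor the environment carries the credential.
leak_via_stdin() {
    SQL_ID=scott; SQL_PW=tiger
    sh -c "$CHILD" probe <<eoi
$SQL_ID/$SQL_PW
eoi
}

for f in leak_via_argv leak_via_env leak_via_stdin; do
    printf '%-16s %s\n' "$f:" "$($f)"
done
```

Only the here-document run reports the credential on stdin alone; the other two show it in exactly the place "ps" reads.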
