Re: ps shows user/password under Unix - SUMMARY

From: Lee Parsons <lparsons_at_exlog.com>
Date: Tue, 8 Feb 94 19:25:34 GMT
Message-ID: <1994Feb8.192534.20451_at_exlog.com>


Rich.Cannon_at_ColumbiaSC.NCR.COM writes:
>>Lee Parsons writes:
>>A number of people contacted me regarding their experiences with
>>the ps command revealing username password combinations. With only
>>one exception all systems that did reveal the password are ATT
>>based systems and those that did not are BSD.
>
> On our NCR box (with AT&T unix) we have two versions of ps one with
> restricted access (/usr/sbin) and one with root access (/usr/bin).
> By using the restricted ps we have eliminated this security hole.

Not to nitpick, but I would argue that you have eliminated the current way to exploit the hole, not the hole itself.

If you have oracle userid/passwords normally sitting unencrypted someplace then you have a problem designed into your system. By taking out ps you're not removing the problem, only covering it up. The only way to fix the problem is to change the design of the system/application.

I could ramble on for a while about security control, but the bottom line is that your solution requires that all future administrators/dbas/utilities disallow a feature that is generally considered to be acceptable, i.e. viewing all slots of the process table.

All it would take is for the new Jr. Unix Geek to load up that nifty new copy of gnups without thinking and suddenly your payroll password is visible to the guys on the shop floor. (ok, I'm making this up as I go. But you get the point :-)

To be fair, this is often not just the only way of handling the problem but also very reasonable given the environment. However, I don't think we can call this problem eliminated until Oracle changes the existing tools to allow a better way of passing in userid/passwd.

-- 
Regards, 

Lee E. Parsons                  Baker Hughes Inteq, Inc
Oracle Database Administrator   lparsons_at_exlog.com
Received on Tue Feb 08 1994 - 20:25:34 CET
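As an added illustration, not part of Lee's message or the thread: a small POSIX shell check that scans `ps` argument lists for Oracle-style `user/password` and `userid=user/password@tns` connect strings, so an administrator can find credentials exposed in the process table the way the thread describes. The `ps` output embedded below is constructed for the example, and `find_exposed_credentials` and `scan_live_processes` are hypothetical helpers, not Oracle or NCR tools.

```shell
#!/bin/sh
# Find processes whose command line carries an Oracle-style connect string
# (user/password or userid=user/password@tns). Added example, not from the
# original thread; the sample ps output below is constructed.

# Constructed sample of 'ps -eo pid,user,args' output.
SAMPLE_PS='  PID USER     COMMAND
  101 oracle   sqlplus scott/tiger@prod
  102 oracle   sqlplus /nolog
  103 payroll  exp payroll/s3cret file=/tmp/payroll.dmp
  104 root     /usr/sbin/cron
  105 www      httpd -f /etc/httpd/conf/httpd.conf
  106 oracle   exp userid=hr/hrpass@prod file=hr.dmp'

# find_exposed_credentials: reads ps output (pid, user, args) on stdin and
# prints "PID USER USERNAME" for each process whose argv contains a token
# shaped like user/secret[@tns]. The secret itself is never printed.
# A leading key= prefix (userid=, as used by exp/imp/sqlldr) is stripped
# before matching; paths such as /usr/sbin/cron do not match because the
# user part must be non-empty and must not contain '='.
find_exposed_credentials() {
    awk 'NR > 1 {
        for (i = 3; i <= NF; i++) {
            tok = $i
            sub("^[A-Za-z_]+=", "", tok)
            if (tok ~ "^[A-Za-z_][A-Za-z0-9_]*/[^/@ ]+(@[A-Za-z0-9_.]+)?$") {
                split(tok, parts, "/")
                print $1, $2, parts[1]
                break
            }
        }
    }'
}

# scan_live_processes: run the same check against the real process table.
# Must be run as a user that can see every slot (root on systems where
# ps is restricted), otherwise other users' processes are simply absent.
scan_live_processes() {
    ps -eo pid,user,args | find_exposed_credentials
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_PS" | find_exposed_credentials
```

Run against the sample this reports PIDs 101, 103 and 106 with the owning user and the Oracle account name, while `sqlplus /nolog` (PID 102) is correctly ignored: starting the tool without credentials and issuing `CONNECT` on stdin is exactly the kind of invocation that keeps the password out of argv, which is the design change the message argues for rather than restricting `ps`.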