Re: Keeping Passwords Secure

From: Ian Dixon <Ian_at_syntaxis.demon.co.uk>
Date: Sat, 17 Sep 1994 19:27:48 +0000
Message-ID: <779830068snz_at_syntaxis.demon.co.uk>


In article <1994Sep16.135357.26557_at_emba.uvm.edu> wvan_at_moose.uvm.edu "Warren Van-Wyck" writes:

[stuff deleted]

> I asked a similar question a few months ago but never got an answer.
> It appears that the program that is running can alter what appears in
> the 'ps -f' display for commands. In fact for 'runform' (aka 'iad')
> if a UserId/Password is entered on the command line, it does NOT show
> in a 'ps' display (at least for AIX 3.2.5 and SQL*Forms 3.0).

As far as I recall (this is from home), entering a user/password on the command line for any Oracle program on the Sequent at work means that they can be seen using ps -ef. On an Ultrix box however, there are spaces where you would expect the un/pwd to be.

> So Oracle has demonstrated that they can do something.
> The outstanding question is why they don't do the same sort of
> modification for SQL*Plus and save the Oracle users (us) another
> round of these discussions and also provide some elementary
> security for UserId/Passwords? ? ?

I believe that Oracle do what they can but that the problem is caused by Unix. I'm no Unix expert but, as I recall, you can see the password on System V (e.g. Sequent) but not on BSD (e.g. Ultrix). It has something to do with the permissions on the file which holds the process details. For BSD, Oracle can (and does) write to this file but, for System V, it's not allowed to. Any Unix experts out there like to expand on this or tell me that I'm completely wrong?

>
>
> : You have only 2 good options as I see them. 1) change the behavior
> : of ps or 2) change the behavior of sqlplus.
>
> Oracle should change the behavior of sqlplus.
>

How about a third - change the behaviour of Unix.

Regards

Ian

-- 
---------------------------------------------------------------------
Ian Dixon                          email: ian_at_syntaxis.demon.co.uk
Freelance Oracle Developer
Reading, England
Received on Sat Sep 17 1994 - 21:27:48 CEST
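
The behaviour discussed in this message, a program blanking a user/password argument so that spaces appear in its place in the process listing, can be sketched as follows. This is an added example, not part of the original message and not Oracle's code; the function names and the rule for recognising a credential argument (contains a '/', does not start with '-' or '/') are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy one argv slot to private heap memory, then overwrite the original
 * bytes with spaces so the argument keeps its length in the listing.
 * Returns the private copy (caller frees), or NULL if malloc fails. */
char *take_and_blank(char *arg)
{
    size_t n = strlen(arg);
    char *copy = malloc(n + 1);
    if (copy == NULL)
        return NULL;
    memcpy(copy, arg, n + 1);
    memset(arg, ' ', n);              /* terminating NUL stays in place */
    return copy;
}

/* Find the first argument that looks like user/password (assumed form),
 * blank it in place and return the private copy; NULL if none found. */
char *scrub_credentials(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        char *a = argv[i];
        if (a[0] != '-' && a[0] != '/' && strchr(a, '/') != NULL)
            return take_and_blank(a);
    }
    return NULL;
}

int main(int argc, char **argv)
{
    /* Scrub before doing anything else: the argument is readable by
     * other users from exec until this call returns. */
    char *cred = scrub_credentials(argc, argv);
    if (cred == NULL) {
        fprintf(stderr, "usage: %s user/password\n", argv[0]);
        return 1;
    }
    printf("kept a private copy of %zu bytes; argv slot is now blank\n",
           strlen(cred));
    free(cred);
    return 0;
}
```

Whether ps reflects the overwrite depends on where the operating system keeps the argument list, and the credential is exposed between process start and the scrub in any case, so prompting for the password or reading it from standard input avoids the exposure altogether.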
