Re: Keeping Passwords Secure

From: Jgreene <jgreene_at_aol.com>
Date: 26 Sep 1994 19:21:02 -0400
Message-ID: <367l0u$aq8_at_newsbf01.news.aol.com>


Regarding the general thought of this thread as to how to provide a means of keeping Oracle passwords from being available to anyone who knows how to issue a ps command:

In my experimentation at work with this problem, I found that our best alternative was to create a file called password for the user that runs our jobs (our operator account). This file is owned by that user and protected 400 (only owner can read, nothing else) in a directory in which only that user can write. The password file contains the user's Oracle password.

Now, to run a script for that user, we have them execute a script that contains a line similar to:

     $ sqlplus user-name @script-name < password-file

This executes the script specified by script-name under the Oracle account user-name. When SQL*Plus starts, its first prompt is for a password. This request is handled by the redirection of standard input from the password file (which contains the user's Oracle password). When you run a ps -ef on the query, you receive a line that contains:

     [...standard process ID, date, etc info...] sqlplus user-name @script-name

The password was never executed as a command (as it was in several earlier suggestions) and therefore it should never appear in ps -ef. Only the user can read the data file that contains the password. Anyway, it seems to have worked for us. Hope this helps.

Received on Tue Sep 27 1994 - 00:21:02 CET
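
An added example, not part of the original post: a pre-flight check that enforces the conditions the message describes (password file mode 400, owned by the job user, in a directory only that user can write) before feeding it to a command on standard input. The function names and the demo file are hypothetical, and `cat` stands in for sqlplus so the script runs without Oracle.

```shell
#!/bin/sh
# Added example: guard rails for the password-file-on-stdin approach.
# Function names are hypothetical; nothing here is Oracle-specific.

# Succeeds only if the file is a regular file (not a symlink), mode 400,
# owned by the current user, and its directory is owned by the current
# user and not writable by group or others.
pwfile_is_safe() {
    f=$1
    dir=$(dirname -- "$f")
    uid=$(id -u)
    [ -f "$f" ] && [ ! -L "$f" ] ||
        { echo "not a regular file: $f" >&2; return 1; }
    [ -n "$(find "$f" -prune -perm 400 -user "$uid")" ] ||
        { echo "$f must be mode 400 and owned by you" >&2; return 1; }
    [ -n "$(find "$dir" -prune ! -perm -020 ! -perm -002 -user "$uid")" ] ||
        { echo "$dir must be yours and not group/world writable" >&2; return 1; }
}

# Run a command with the password file on stdin, so the secret never
# appears in the argument list that ps displays.
# Real use would look like:
#   run_with_pwfile /path/to/password sqlplus user-name @script-name
run_with_pwfile() {
    f=$1
    shift
    pwfile_is_safe "$f" || return 1
    "$@" < "$f"
}

# Constructed demo: a throwaway directory and a made-up secret.
demo_dir=$(mktemp -d) && chmod 700 "$demo_dir"
( umask 377; printf '%s\n' 'constructed-secret' > "$demo_dir/password" )
run_with_pwfile "$demo_dir/password" cat >/dev/null &&
    echo "ok: secret was delivered on stdin only"
rm -rf "$demo_dir"
```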
