Re: Keeping Passwords Secure

From: Lee E Parsons <lparsons_at_world.std.com>
Date: Tue, 27 Sep 1994 15:36:47 GMT
Message-ID: <CwsopC.9GA_at_world.std.com>


Ian Dixon <Ian_at_syntaxis.demon.co.uk> wrote:
> wvan_at_moose.uvm.edu "Warren Van-Wyck" writes:
>
>> So Oracle has demonstrated that they can do something.
>> The outstanding question is why they don't do the same sort of
>> modification for SQL*Plus and save the Oracle users (us) another
>> round of these discussions and also provide some elementary
>> security for UserId/Passwords? ? ?
>
>I believe that Oracle do what they can but that the problem is
>caused by Unix. I'm no Unix expert but, as I recall, you can see
>the password on System V (eg Sequent) but not on BSD (eg Ultrix). It
>has something to do with the permissions on the file which holds
>the process details. For BSD Oracle can (and does) write to this
>file but, for System V, it's not allowed to.
>Any Unix experts out there like to expand on this or tell me that
>I'm completely wrong?

This is pretty close. As I understand it, your command line is stored in two places: one owned by the user and one owned by the system. The BSD ps reads this data from the user area (which can be altered by sqlplus) and the SV version reads it from the system area (which can't).

I don't think this is a fundamental problem with UNIX, but more a problem with ps being different between systems and vendors not being able to provide a solution that solves all cases.

Oracle hasn't done all they can because they don't always take advantage of being able to clear out the user/pwd on the systems where it is possible. You can change the command line as ps displays it under AIX 3.2.5, but Oracle has decided not to make the change to sqlplus to take advantage of that fact.

This is despite the fact that they do take advantage of changing ps' output in other tools on the same platform. They did this even after Warren and I complained to them about the inconsistency. And they did this after I spent a month trying to convince them that they could fix the problem if they wanted to. I spent a month listening to the AIX port manager tell me I was an idiot and didn't really understand the problem and that if I would listen to them I wouldn't be asking such a stupid question. I got this response even after providing a test case that proves that under AIX you can change what ps displays. In the end I gave up in frustration and the TAR was closed with "Lee agreed that this is not really an Oracle issue".

Not my most pleasant experience with Oracle Support in case you can't tell. :-}

It is entirely possible that there is a valid reason why sqlplus can't make the change and forms (and my program) can. But support didn't make much of an effort to explain it. Should they for what we pay in support costs every year? I don't know. That is a debate for another day.

-- 
Regards, 

Lee E. Parsons
Systems Oracle DBA                      lparsons_at_world.std.com
Received on Tue Sep 27 1994 - 16:36:47 CET
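The technique the thread is arguing about, a process overwriting its own argv so that ps no longer shows the password, as an added example; this is not code from the original post, from Lee's test case, or from Oracle. It assumes a Linux-like system where ps reads /proc/<pid>/cmdline out of the process's own memory (the "user area" above); on a kernel that keeps a separate system-owned copy of the command line the scrub has no effect on ps, which is exactly the platform difference Lee describes. The "user/password[@db]" connect-string format is the SQL*Plus one; the function and buffer names are mine.

```c
/* Added example: scrub a "user/password[@db]" connect string out of argv
 * so that ps (reading /proc/<pid>/cmdline on Linux) shows "scott/xxxxx".
 * Not from the original post; assumes Linux /proc semantics. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define PW_MAX 64

/* Zero a buffer through a volatile pointer so the compiler cannot drop it. */
static void wipe(char *p, size_t n)
{
    volatile char *v = p;
    while (n--)
        *v++ = 0;
}

/* Copy the password part of "user/password[@db]" into pw (NUL-terminated),
 * then overwrite those bytes of the argument in place with 'x'.
 * Returns the password length, or -1 if there is no '/' or pw is too small. */
int scrub_connect_string(char *arg, char *pw, size_t pwsz)
{
    char *slash = strchr(arg, '/');
    if (slash == NULL)
        return -1;
    char *start = slash + 1;
    char *end = strchr(start, '@');              /* optional @db suffix */
    size_t len = end ? (size_t)(end - start) : strlen(start);
    if (len + 1 > pwsz)
        return -1;                                /* refuse rather than truncate */
    memcpy(pw, start, len);
    pw[len] = '\0';
    memset(start, 'x', len);                      /* this is what ps will show now */
    return (int)len;
}

int main(int argc, char **argv)
{
    char pw[PW_MAX];
    if (argc < 2) {
        fprintf(stderr, "usage: %s user/password[@db]\n", argv[0]);
        return 2;
    }
    /* Scrub before doing anything else: between exec() and this call the
     * password is still visible, so the window should be as short as possible. */
    int n = scrub_connect_string(argv[1], pw, sizeof pw);
    if (n < 0) {
        fprintf(stderr, "bad connect string\n");
        return 2;
    }
    printf("argv[1] now reads: %s (password length %d)\n", argv[1], n);
    printf("check with: ps -o args= -p %d\n", (int)getpid());
    sleep(20);                                     /* time to run ps in another shell */
    wipe(pw, sizeof pw);                           /* done with the secret */
    return 0;
}
```

Two caveats a practitioner should keep in mind. First, the scrub closes the window only after exec(); anything that samples the process table in the few milliseconds before the first line of main() (or the shell history, or an audit log of exec arguments) still sees the password, so reading the password from a prompt, a file with 0600 permissions, or the environment of a parent that the caller controls is strictly better than scrubbing. Second, this only changes memory the process owns; whether ps reads that memory or a kernel-held copy is the per-platform question the thread is about, and the honest test is the ps command printed above, not the program's own printf.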
