Re: Keeping Passwords Secure

From: John A. Karnes <karnesj_at_source.asset.com>
Date: 30 Sep 1994 09:23:39 -0400
Message-ID: <36h3gr$qi8_at_source.asset.com>


In article <779830068snz_at_syntaxis.demon.co.uk>, Ian Dixon <Ian_at_syntaxis.demon.co.uk> wrote:
>In article <1994Sep16.135357.26557_at_emba.uvm.edu>
> wvan_at_moose.uvm.edu "Warren Van-Wyck" writes:
>
>[stuff deleted]
>
>> I asked a similar question a few months ago but never got an answer.
>> It appears that the program that is running can alter what appears in
>> the 'ps -f' display for commands. In fact for 'runform' (aka 'iad')
>> if a UserId/Password is entered on the command line, it does NOT show
>> in a 'ps' display (at least for AIX 3.2.5 and SQL*Forms 3.0).
>> So Oracle has demonstrated that they can do something.
>> The outstanding question is why they don't do the same sort of
>> modification for SQL*Plus and save the Oracle users (us) another
>> round of these discussions and also provide some elementary
>> security for UserId/Passwords? ? ?
>
>I believe that Oracle do what they can but that the problem is
>caused by Unix. I'm no Unix expert but, as I recall, you can see
>the password on System V (eg Sequent) but not on BSD (eg Ultrix). It
>has something to do with the permissions on the file which holds
>the process details. For BSD Oracle can (and does) write to this
>file but, for System V, it's not allowed to.
>Any Unix experts out there like to expand on this or tell me that
>I'm completely wrong?
>

I make no claims to being a Unix expert, but in my experience, at least with AIX and C, when I don't want the command line parameters to a program to show up with "ps", I just do the following after I get the values I need:

strcpy(argv[1], "");   /* empty string, not the character '\0': the character form passes a null pointer to strcpy */

That way nothing but the command name shows up with "ps". Surely Oracle is capable of doing the same thing with its products. Unfortunately, they don't seem to be, because sure enough, username/passwd show up just fine on our system if you give them on the command line and then do a "ps". So what gives Oracle? Is the above statement some never before discovered method for blanking out command line parameters for executables?

John Karnes
  ASSET

Received on Fri Sep 30 1994 - 14:23:39 CET
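The approach John describes, carried through as an added example (not code from the post, nor Oracle's): copy the secret out of argv, then overwrite the original bytes with memset so that "ps" shows nothing but the command name. The argument position, the helper names and the sample user/password are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy the secret out of argv[idx] into caller-owned storage, then overwrite
 * the original bytes in the argument area so a later "ps" shows blanks.
 * Returns a malloc'd copy (caller frees) or NULL on a bad index. */
char *take_secret_arg(int argc, char **argv, int idx) {
    if (idx < 1 || idx >= argc || argv[idx] == NULL)
        return NULL;
    size_t len = strlen(argv[idx]);
    char *copy = malloc(len + 1);
    if (copy == NULL)
        return NULL;
    memcpy(copy, argv[idx], len + 1);
    /* Overwrite the whole argument, not just its first byte: ps reads the
     * argument area, and a single '\0' leaves the rest of the value there. */
    memset(argv[idx], 0, len);
    return copy;
}

/* Scrub every argument after argv[0], leaving only the command name. */
void scrub_all_args(int argc, char **argv) {
    for (int i = 1; i < argc; i++)
        if (argv[i] != NULL)
            memset(argv[i], 0, strlen(argv[i]));
}

/* Hypothetical front end: runs as "prog USER PASSWORD" (constructed usage). */
int main(int argc, char **argv) {
    if (argc < 3) {
        fprintf(stderr, "usage: %s USER PASSWORD\n", argv[0]);
        return 1;
    }
    char *password = take_secret_arg(argc, argv, 2);  /* password is argv[2] */
    if (password == NULL)
        return 1;
    scrub_all_args(argc, argv);   /* blank the user name too */
    printf("password copied (%zu bytes); argv scrubbed\n", strlen(password));
    memset(password, 0, strlen(password));   /* wipe the copy when done */
    free(password);
    return 0;
}
```

The value is still visible to "ps" between exec and the overwrite, and what ps shows after the scrub varies by Unix flavour, so this narrows the exposure rather than removing it; reading the password from a prompt or a protected file avoids the window entirely.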
