Re: Oracle Security

From: Karel Sprenger <ks_at_ic.uva.nl>
Date: Fri, 20 Jan 1995 10:06:37 MET
Message-ID: <ks.147.09D89569_at_ic.uva.nl>

In article <dscott-1901952321340001_at_dscott.is.net> dscott_at_is.net (David Scott) writes:

>In article <ks.146.04F279C4_at_ic.uva.nl>, ks_at_ic.uva.nl (Karel Sprenger) wrote:

>> In article <3fk3ti$7m4_at_redstone.interpath.net>
hcurtis_at_hcurtis.pdial.interpath.net writes:
>>
>> >Is anyone aware of a mechanism to disable "fastpathing" when entering
>> >an Oracle product (e.g. SQLPLUS). I'd like to force use of the
>> >prompting mechanism within Oracle. For example:
>> > Typing : SQLPLUS userid/password
>> > to enter the product works fine. The problem is, anyone executing
>> > a ps -ef now has the userid and password of a valid oracle account.
>> >Needless to say, this causing some excitment among our security folks.
>>
>> Except for switching to OPS$ usernames, the only mechanism would be to
>> "program" the users to stop entering their oracle username/password on the
>> command line. To help them, you might consider writing stubs for the oracle
>> tools that warn against this unsafe practice when used and otherwise start up
>> the actual tool.
>> Of course, the best solution would be if Oracle Corp changed the tools
>> themselves...
>>
>> Just my $0.02 worth,
>> Karel Sprenger <ks_at_ic.uva.nl>

>Excuse the simplicity, but aren't you missing the obvious? Just move the
>executable, and put a script file in its place that takes no arguments and
>calls the desired excutable. This simple "bait and switch" could be used
>with any version of Unix or Netware, and probably other OSes as well.

A script file doesn't help! I just wrote a script file sqlplus and called it as "sqlplus bla/bla". Here's what ps -e gives in another telnet session on the same machine:

PID TT STAT TIME COMMAND

 1323 p0 IW    0:02 -tcsh TERM=vt220 HOME=/u/ks SHELL=/usr/local/bin/tcsh
 1331 p0 IW    0:00 /bin/sh /u/ks/sqlplus bla/bla TERM=vt220 HOME=/u/ks
 1332 p0 IW    0:00 /usr/local/oracle/bin/sqlplus DOTDIR=/u/ks EDITMODE=vi
 1338 p1 S     0:01 -tcsh TERM=vt220 HOME=/u/ks SHELL=/usr/local/bin/tcsh
 1351 p1 R     0:00 ps -e TERM=vt220 HOME=/u/ks SHELL=/usr/local/bin/tcsh

Note the line for PID 1331? It's all there! So, until Oracle sees fit to "fix" their code, users have to learn NOT to enter their username/passwords in clear text anywhere.

Cheers,
Karel Sprenger <ks_at_ic.uva.nl>

Informatiseringscentrum                     | phone: +31-20-525 2302
Universiteit van Amsterdam                  |        +31-20-525 2741

Turfdraagsterpad 9, NL-1012 XT AMSTERDAM | fax : +31-20-525 2084 *** PGP Public Key available on servers *** | home : +31-20-675 0989 Received on Fri Jan 20 1995 - 10:06:37 CET

This message: [ Message body ]
Next message: Parris Geiser: "Re: Oracle Security"
Previous message: Bob King: "Re: Hmmm.... Oracle from vax to alpha"
Maybe in reply to: hcurtis_at_hcurtis.pdial.interpath.net: "Oracle Security"
In reply to hcurtis_at_hcurtis.pdial.interpath.net: "Oracle Security"
Next in thread: Parris Geiser: "Re: Oracle Security"
Reply: Frank Roscher: "Re: Oracle Security"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]

Original text of this message