Re: Oracle Security
Date: 20 Jan 1995 23:31:37 GMT
Message-ID: <3fph4p$gfg_at_athos.cc.bellcore.com>
Karel Sprenger (ks_at_ic.uva.nl) wrote:
> In article <3fk3ti$7m4_at_redstone.interpath.net> hcurtis_at_hcurtis.pdial.interpath.net writes:
> >Is anyone aware of a mechanism to disable "fastpathing" when entering
> >an Oracle product (e.g. SQLPLUS). I'd like to force use of the
> >prompting mechanism within Oracle. For example:
> > Typing : SQLPLUS userid/password
> > to enter the product works fine. The problem is, anyone executing
> > a ps -ef now has the userid and password of a valid oracle account.
> >Needless to say, this is causing some excitement among our security folks.
> Except for switching to OPS$ usernames, the only mechanism would be to
> "program" the users to stop entering their oracle username/password on the
> command line. To help them, you might consider writing stubs for the oracle
> tools that warn against this unsafe practice when used and otherwise start up
> the actual tool.
> Of course, the best solution would be if Oracle Corp changed the tools
> themselves...
> Just my $0.02 worth,
> Karel Sprenger <ks_at_ic.uva.nl>
+++ Or you can solve the problem within UNIX by defining your own
+++ sqlplus command in the directory of PATH that comes before ORACLE, e.g.,
+++ in /usr/bin. This command could check for a usr/pwd type
+++ parameter and if it exists, display an error message and exit.
+++ Using this type of idea you can get more and more tricky.

Just my $0.01 worth,
parris

Received on Sat Jan 21 1995 - 00:31:37 CET
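
A sketch of the wrapper suggested in the replies above, added here as an example and not code from either poster or from Oracle. It assumes the real binary lives at `$ORACLE_HOME/bin/sqlplus`; the function names and the `REAL_SQLPLUS` variable are hypothetical.

```shell
#!/bin/sh
# Added example: install as "sqlplus" in a PATH directory that comes before
# $ORACLE_HOME/bin. REAL_SQLPLUS and both function names are assumptions.

REAL_SQLPLUS="${REAL_SQLPLUS:-$ORACLE_HOME/bin/sqlplus}"

# Return 0 if a logon argument carries a password (user/password[@connect]).
# Not flagged: options (-s), "/" and "/nolog", a bare userid, and anything
# after the first @script argument (those are script parameters).
has_inline_password() {
    for arg in "$@"; do
        case "$arg" in
            @*)    return 1 ;;   # start script reached, stop looking
            -*|/*) continue ;;   # option, OS authentication, or /nolog
            */?*)  return 0 ;;   # userid/password form
        esac
    done
    return 1
}

# Refuse the unsafe form, otherwise hand over to the real tool unchanged.
sqlplus_guard() {
    if has_inline_password "$@"; then
        echo "sqlplus: password on the command line is visible in ps -ef." >&2
        echo "sqlplus: run 'sqlplus' or 'sqlplus userid' and answer the prompt." >&2
        return 2
    fi
    exec "$REAL_SQLPLUS" "$@"
}

# Act as the wrapper only when this file is invoked under the name "sqlplus".
if [ "${0##*/}" = "sqlplus" ]; then
    sqlplus_guard "$@"
    exit $?
fi
```

The wrapper's own argument list still shows the password for the moment it runs, and calling the real binary by full path skips it, so it trains users rather than enforcing anything.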