Re: Oracle Security

From: Frank Roscher <frank_at_yoda.greenie.muc.de>
Date: Sun, 22 Jan 1995 21:55:17 GMT
Message-ID: <D2tu86.KrD_at_yoda.greenie.muc.de>


Karel Sprenger (ks_at_ic.uva.nl) wrote:
: In article <dscott-1901952321340001_at_dscott.is.net> dscott_at_is.net (David Scott) writes:
 

: >Excuse the simplicity, but aren't you missing the obvious? Just move the
: >executable, and put a script file in its place that takes no arguments and
: >calls the desired excutable. This simple "bait and switch" could be used
: >with any version of Unix or Netware, and probably other OSes as well.
 

: A script file doesn't help! I just wrote a script file sqlplus and called it
: as "sqlplus bla/bla". Here's what ps -e gives in another telnet session on the
: same machine:
 

: PID TT STAT TIME COMMAND
: 1323 p0 IW 0:02 -tcsh TERM=vt220 HOME=/u/ks SHELL=/usr/local/bin/tcsh
: 1331 p0 IW 0:00 /bin/sh /u/ks/sqlplus bla/bla TERM=vt220 HOME=/u/ks
: 1332 p0 IW 0:00 /usr/local/oracle/bin/sqlplus DOTDIR=/u/ks EDITMODE=vi
: 1338 p1 S 0:01 -tcsh TERM=vt220 HOME=/u/ks SHELL=/usr/local/bin/tcsh
: 1351 p1 R 0:00 ps -e TERM=vt220 HOME=/u/ks SHELL=/usr/local/bin/tcsh
 

: Note the line for PID 1331? It's all there! So, until Oracle sees fit to "fix"
: their code, users have to learn NOT to enter their username/passwords in clear
: text anywhere.

Call sqlplus from the shell script via exec:

exec ${ORACLE_HOME}/bin/sqlplus

After this, ORACLE sqlplus uses the same Unix process-table entry, and your script and the arguments no longer exist.

Ciao,
frank

--
Frank Roscher        frank.roscher_at_guug.de
Received on Sun Jan 22 1995 - 22:55:17 CET
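
The effect described in the reply above, as an added example that is not part of the original message: a wrapper that runs its target as a child keeps `bla/bla` in its own process-table entry, while a wrapper that uses `exec` does not. Assumptions: `sleep` stands in for sqlplus, the wrapper is a constructed temporary file, and process arguments are read from `/proc` (falling back to `ps`).

```shell
#!/bin/sh
# Added demo. Constructed stand-ins: 'sleep 5' plays sqlplus, "bla/bla" plays
# the user/password argument, and the wrapper is a temporary file.

# Print the argument vector of PID $1 on one line.
proc_args() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\000' ' ' < "/proc/$1/cmdline"
    else
        ps -o args= -p "$1"
    fi
}

# $1 = "call" (target runs as a child) or "exec" (target replaces the shell).
# Prints "yes" if the wrapper's PID still shows bla/bla, otherwise "no".
wrapper_leaks() {
    dir=$(mktemp -d) || return 2
    if [ "$1" = exec ]; then
        printf '#!/bin/sh\nexec sleep 5\n' > "$dir/sqlplus"
    else
        # The trailing ':' keeps the shell alive as the parent of sleep.
        printf '#!/bin/sh\nsleep 5\n:\n' > "$dir/sqlplus"
    fi
    sh "$dir/sqlplus" bla/bla > /dev/null 2>&1 &
    pid=$!
    sleep 1                      # give the wrapper time to reach its command
    args=$(proc_args "$pid")
    kill "$pid" 2> /dev/null || :
    wait "$pid" 2> /dev/null || :
    rm -rf "$dir"
    case $args in
        *bla/bla*) echo yes ;;
        *)         echo no ;;
    esac
}

echo "wrapper calls target: argument visible = $(wrapper_leaks call)"
echo "wrapper execs target: argument visible = $(wrapper_leaks exec)"
```

The wrapper's arguments are still visible in the short interval before the shell reaches `exec`, and anything passed on to the exec'd program shows up in its own entry.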
