spawning sqlplus from a pro*c app; security

From: Jeffrey Mark Hamby <hamby_at_cs.utk.edu>
Date: 23 Jan 1995 13:45:49 -0500
Message-ID: <3g0tgtINN723_at_duncan.cs.utk.edu>


Hi,

I'm developing a client/server app using Oracle (7.0.16) on an IBM RS/6000 running AIX. A desired feature of this app is to allow the user to create a report, and the simplest way I've found to do this is to use a system call to sqlplus, something like:

    system("sqlplus uid/password command-file");

The unfortunate part of this method is that someone logged onto the system while the above system call is running can use the "ps -ef" command, and he/she will get the entire string, notably the uid/password.

Is there some way to pass the password to sqlplus from inside an app and not have this vulnerability? Thanks for any advice, pointers to a FAQ, etc., that you'd care to share.

mark
hamby_at_cs.utk.edu

Received on Mon Jan 23 1995 - 19:45:49 CET
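Added example (not code from the poster): one way to keep the credentials out of what `ps -ef` can see is to start sqlplus with no login on its command line and hand it the CONNECT command over a pipe to its stdin, so argv never carries the password. It assumes sqlplus accepts `/nolog` and `-S` and reads commands from stdin, and that `scott`/`tiger`/`report.sql` are placeholder values.

```c
/* Instead of  system("sqlplus uid/password command-file");  spawn sqlplus
 * with a constant command line and deliver "CONNECT uid/password" on stdin.
 * Assumption: this sqlplus understands "/nolog" and "-S" (silent). */
#include <stdio.h>
#include <string.h>

/* The only string that shows up in the process list. It carries no
 * credential fields at all, so there is nothing for "ps -ef" to reveal. */
#define SQLPLUS_CMD "sqlplus -S /nolog"

/* Build the text fed to sqlplus on stdin: connect, run the report, exit.
 * Returns the number of bytes written, or -1 if the buffer is too small. */
int build_sqlplus_stdin(char *buf, size_t size, const char *user,
                        const char *pass, const char *script)
{
    int n = snprintf(buf, size, "CONNECT %s/%s\n@%s\nEXIT\n",
                     user, pass, script);
    if (n < 0 || (size_t)n >= size)
        return -1;
    return n;
}

/* Check a command line before spawning it: 1 if the secret would be
 * visible in argv (and thus in ps output), 0 otherwise. */
int cmdline_leaks_secret(const char *cmdline, const char *secret)
{
    return strstr(cmdline, secret) != NULL;
}

/* Spawn sqlplus and send the credentials through the pipe, never argv.
 * Returns the status from pclose(), or -1 on failure. */
int run_report(const char *user, const char *pass, const char *script)
{
    char input[512];
    if (build_sqlplus_stdin(input, sizeof input, user, pass, script) < 0)
        return -1;
    FILE *child = popen(SQLPLUS_CMD, "w");
    if (child == NULL)
        return -1;
    if (fputs(input, child) == EOF) {
        pclose(child);
        return -1;
    }
    /* Best-effort scrub of the in-memory copy once it has been sent. */
    memset(input, 0, sizeof input);
    return pclose(child);
}
```

This only removes the password from the process list; it still lives in the Pro*C program's memory and any command file, so if the site has OS-authenticated (OPS$) accounts, connecting with no password at all is the smaller exposure.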
