Re: spawning sqlplus from a pro*c app; security

From: Jason Lisenchuk <jason.lisenchuk_at_nt.com>
Date: 25 Jan 1995 16:35:55 GMT
Message-ID: <jason.lisenchuk-2501951137290001_at_47.169.3.254>


In article <3g0tgtINN723_at_duncan.cs.utk.edu>, hamby_at_cs.utk.edu (Jeffrey Mark Hamby) wrote:

> Hi,
>
> I'm developing a client/server app using Oracle (7.0.16) on
> an IBM RS/6000 running AIX. A desired feature of this app
> is to allow the user to create a report, and the simplest
> way I've found to do this is to use a system call to sqlplus,
> something like:
>
> system("sqlplus uid/password command-file");
>
> The unfortunate part of this method is that someone logged
> onto the system while the above system call is running can
> use the "ps -ef" command, and he/she will get the entire
> string, notably the uid/password.
>
> Is there some way to pass the password to sqlplus from inside
> an app and not have this vulnerability? Thanks for any advice,
> pointers to a FAQ, etc., that you'd care to share.
>
> mark
> hamby_at_cs.utk.edu

Please consider the following alternatives:

1. Use private environment variable(s)

echo $RPT_PW | sqlplus REPORT_ID

2. Pipe info from plaintext file

cat $RPT_LOGIN_PARMS | sqlplus

3. Pipe info from encrypted file

$DECRYPT $ENCR_RPT_LOGIN_PARMS | sqlplus

Received on Wed Jan 25 1995 - 17:35:55 CET
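The stdin-fed login that the reply recommends, written out as a runnable shell example. This is added here and is not code from the thread; it assumes that sqlplus, started as "sqlplus -S /nolog", accepts a "connect user/password" line on standard input, and that the credential file holds a single "user/password" line with mode 0600. The SQLPLUS variable, the cred_is_private check and the fake_sqlplus stand-in are this example's own inventions, the last one so the flow can be exercised without an Oracle install.

```shell
#!/bin/sh
# Added example: run a SQL*Plus report so the login never appears in argv.
# Assumption: sqlplus -S /nolog reads "connect user/password" from stdin.
# SQLPLUS names the binary to run; override it (e.g. SQLPLUS=fake_sqlplus)
# to exercise the flow offline.

# Refuse credential files with any group/other permission bits set:
# the whole point is lost if the file is world-readable.
cred_is_private() {
    [ -f "$1" ] || return 1
    case "$(ls -ld "$1")" in
        ?rw-------*|?r--------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Text that sqlplus will read on stdin: the connect line first (it answers
# the login instead of sitting on the command line), then the report
# commands, then exit so the process terminates.
login_script() {
    cred=$1; cmdfile=$2
    printf 'connect %s\n' "$(cat "$cred")"
    cat "$cmdfile"
    printf 'exit\n'
}

# Run the report. Only "-S /nolog" reaches argv, so "ps -ef" shows no
# password; the secret travels over the pipe, which ps cannot read.
run_report() {
    cred_is_private "$1" || { echo "refusing: $1 is not mode 0600" >&2; return 2; }
    login_script "$1" "$2" | "${SQLPLUS:-sqlplus}" -S /nolog
}

# Stand-in for sqlplus (hypothetical, for this example only): prints its own
# argv, i.e. what a concurrent "ps -ef" would display, and how many lines it
# was fed on stdin.
fake_sqlplus() {
    printf 'argv: %s\n' "$*"
    printf 'stdin lines: %s\n' "$(wc -l | tr -d ' ')"
}

# Demo with constructed inputs: a 0600 credential file and a one-line
# report script, run through the stand-in instead of the real sqlplus.
demo() (
    dir=$(mktemp -d)
    umask 077                                   # -> credential file is 0600
    printf 'report/s3cret\n' > "$dir/cred"      # constructed login, not real
    printf 'select count(*) from emp;\n' > "$dir/report.sql"
    SQLPLUS=fake_sqlplus run_report "$dir/cred" "$dir/report.sql"
    rm -rf "$dir"
)
```

Running demo prints "argv: -S /nolog" and "stdin lines: 3": the connect line, the report command and exit went down the pipe, and nothing on the command line identifies the account. Two caveats a practitioner would add to the reply's alternatives: the environment-variable variant (alternative 1) keeps the secret readable by the process owner and by root (for example via /proc/PID/environ on Linux), and the encrypted-file variant (alternative 3) only moves the problem to wherever $DECRYPT gets its key.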
