Re: Security question: sqlplus and the ps cmd on Unix

From: Lee Parsons <lparsons_at_eskimo.com>
Date: 1995/03/30
Message-ID: <D69wsM.6LE_at_eskimo.com>#1/1


> Eli Haber (haber_at_panix.com) wrote:
> The problem is this: If you use the Unix ps command to
> see what processes are running and you use the -f option,
> you can see the entire command line entered by another
> user, thus enabling you to see their password.
>
> Is there any way around this?

The short answer is change the way ps works or change the way sqlplus works.

You can disable or front end ps so that regular users can't see command line information.

or

You can front end sqlplus with a version that exec's the real sqlplus. Your exec could pass on NO arguments (forcing the user to key in the user/pwd) or you could put a bunch of spaces between sqlplus and the username/password combination. ps normally doesn't display the 500th character on the command line.

Oracle Support will fax you a copy to do the latter if you ask. (And pay your support bills)

-- 
Regards, 

Lee E. Parsons                  		
Systems Oracle DBA	 			lparsons_at_world.std.com
Received on Thu Mar 30 1995 - 00:00:00 CEST
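
An audit check for the exposure discussed in this thread, as an added example that is not part of the original post or of any Oracle-supplied wrapper: it reads `ps -ef`-style lines and reports which sqlplus processes carry a user/password on the command line, printing only the Unix user, PID and database username. The function name and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Reads "ps -ef"-style lines on stdin and prints "unix_user pid db_user"
# for each sqlplus process whose first non-option argument has the form
# user/password or user/password@db. The password is never printed.
find_exposed_logins() {
  awk '
    {
      # Locate the sqlplus executable by basename instead of a fixed
      # column: the STIME column can be one field (09:14) or two (Mar 29).
      for (i = 3; i <= NF; i++) {
        n = split($i, parts, "/")
        if (parts[n] != "sqlplus") continue
        for (j = i + 1; j <= NF; j++) {
          if ($j ~ "^-") continue          # skip options such as -s
          # "/nolog", "/" and "@script.sql" do not match this pattern
          if ($j ~ "^[^/@]+/[^/@]+(@.*)?$") {
            split($j, cred, "/")
            print $1, $2, cred[1]
          }
          break                            # only the logon argument matters
        }
        break
      }
    }'
}

# Constructed sample input (not captured from a real system).
SAMPLE_PS='oracle    812     1  0 09:01 ?      00:00:03 ora_pmon_PROD
alice    2201  2190  0 09:14 pts/1  00:00:00 sqlplus scott/tiger@PROD
bob      2307  2299  0 09:20 pts/2  00:00:00 /u01/app/oracle/bin/sqlplus -s /nolog
carol    2412  2400  0   Mar 29 pts/3  00:00:00 sqlplus carol
dave     2555  2501  0 09:31 pts/4  00:00:00 sqlplus -s hr/secret @/home/dave/report.sql'

# On a live host: ps -ef | find_exposed_logins
printf '%s\n' "$SAMPLE_PS" | find_exposed_logins
```

Only alice and dave are reported; bob (`/nolog`) and carol (username only, password prompted) keep the password off the command line, which is the behaviour the no-argument wrapper described above enforces.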
