Re: Security question: sqlplus and the ps cmd on Unix

From: Mike Rife <rife_at_aarlo.moffitt.usf.edu>
Date: 1995/03/31
Message-ID: <3lhqma$l9i_at_mother.usf.edu>#1/1


In article <3lc7cg$m8a_at_athos.cc.bellcore.com>, parris_at_walleye.esp.bellcore.com (Parris Geiser) says:
>
>Eli Haber (haber_at_panix.com) wrote:
>> I am having a security problem with Oracle and Unix.
>>
>> We have Oracle 7.1 installed on a SCO Unix server. Often,
>> people log in to the Server and run SQLPlus from there
>> using the command line:
>>
>> sqlplus scott/tiger
>>
>> (Of course, they use their own Oracle ID and password.)
>>
>> The problem is this: If you use the Unix ps command to
>> see what processes are running and you use the -f option,
>> you can see the entire command line entered by another
>> user, thus enabling you to see their password.
>>
>> Is there any way around this?
>
>I'll tell you what I did ...
>Use sqlplus -S -S -S .......... scott/tiger
>I.e., put in enough -S's so that the ps doesn't show the passwd.
>A kludge but it works.
> parris

What we did on SCO Unix was to remove the 'mem' Unix privilege for the users' Unix accounts. So now when they do the 'ps' command they only get information about their own account's processes. We made this the default for the creation of Unix accounts on our system. We enable it for developers.

Received on Fri Mar 31 1995 - 00:00:00 CEST
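A defensive audit of the exposure discussed in this thread, as an added example that is not part of any poster's message: it scans `ps -ef`-style output for `sqlplus` processes whose arguments carry a user/password logon and reports them with the password masked. The sample listing, Unix user names and paths are constructed, and the eight-column layout is an assumption.

```python
import os
import re
from typing import List, NamedTuple

# Constructed sample of `ps -ef` output; users, PIDs and paths are invented.
SAMPLE_PS = """\
UID        PID  PPID  C    STIME TTY      TIME CMD
user1     2101  2050  0 09:14:02 ttyp3    0:01 sqlplus scott/tiger
user2     2188  2120  0 09:20:45 ttyp5    0:00 sqlplus -S -S -S scott/tiger@prod
user3     2230  2200  0 09:31:10 ttyp7    0:00 sqlplus scott
oracle    2301     1  0 08:00:00 ?        0:12 ora_pmon_PROD
user4     2410  2400  0 09:40:00 ttyp9    0:00 /u01/app/oracle/bin/sqlplus /nolog
user5     2455  2440  0 09:41:00 ttyp2    0:00 vi notes/tiger.txt
"""

# One argv word of the form user/password, optionally followed by @database.
LOGON = re.compile(r"^(?P<user>[^/@\s]+)/(?P<pw>[^@\s]+)(?P<db>@\S+)?$")


class Finding(NamedTuple):
    uid: str        # Unix account that owns the process
    pid: int
    user: str       # Oracle account named on the command line
    redacted: str   # command line with the password masked


def find_exposed_logons(ps_output: str) -> List[Finding]:
    """Flag sqlplus processes whose argument list carries user/password."""
    findings = []
    for line in ps_output.splitlines():
        # Assumes STIME is a single token, as in the sample above.
        fields = line.split(None, 7)
        if len(fields) < 8 or fields[0] == "UID":
            continue
        argv = fields[7].split()
        if os.path.basename(argv[0]) != "sqlplus":
            continue
        for i, arg in enumerate(argv[1:], start=1):
            m = LOGON.match(arg)
            if m:
                argv[i] = f"{m['user']}/********{m['db'] or ''}"
                findings.append(
                    Finding(fields[0], int(fields[1]), m["user"], " ".join(argv)))
                break
    return findings


if __name__ == "__main__":
    for f in find_exposed_logons(SAMPLE_PS):
        print(f"{f.uid} pid={f.pid} oracle_user={f.user}: {f.redacted}")
```

Invocations that name only the user, or no logon at all, are not flagged, because the password never reaches the argument list in those cases.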
