Re: Security question: sqlplus and the ps cmd on Unix

From: Gary Broxterman <Gbroxterman_at_hertz.com>
Date: 1995/04/03
Message-ID: <3lpgm9$og4_at_romulus.ucs.uoknor.edu>


What we did was write a C program that will pipe the output into sqlplus.

We have a master script called SQLplus that actually executes the C program. All production sql jobs then call this SQLplus script with the actual sql code fed in with 'here documents'.

#!/bin/ksh
# Script name: SQLplus
# Function   : Driver script to send userid/passwd to sqlplus
# Calls      : pwdpgm (password program).
# Returns    : nothing

pwdpgm | sqlplus -s

# end

The password program accepts a userid. The password for that user is then returned in the format of userid/passwd.

The only problem with this is when the applications programmers need to get a "FIRECALL" id to fix a production problem: they are able to run the pwdpgm directly and return the password. We then must change it each time.

In article <3legd1$d9t_at_nic.ott.hookup.net>, GrahamB_at_psac.com (Brian Graham) says:
>
>In article <3ld2nr$iok_at_clarknet.clark.net>, nardone_at_clark.net (Joe Nardone) says:
>>
>>Eli Haber (haber_at_panix.com) wrote:
>>: I am having a security problem with Oracle and Unix.
>>:
>>: The problem is this: If you use the Unix ps command to
>>: see what processes are running and you use the -f option,
>>: you can see the entire command line entered by another
>>: user, thus enabling you to see their password.
>>:
>>: Is there any way around this?
>>
>>Yes- don't type your password on the command line.
>>
>>This is not a security problem, this is carelessness on the
>>part of your users.
>>
>>Some other possibilities on getting around this (with varying levels of
>>security)-
>>1. use OPS$ accounts. Then they can log in to Oracle using
>> sqlplus /
>>
>>2. tell them to create a shell script with the right permissions
>> (700) that contains
>> sqlplus user/password
>>
>>Joe
>
> These are good suggestions. We use OPS$ here. Another way would be to
>throw a ps script earlier in the user's path, limiting access to the
>real one. Of course, that is assuming users need access to the OS. On our
>UNIX box, users are thrown immediately into the application and escorted
>out as well.
> Brian
>--
>Brian Graham .
>Programmer / DBA ._______|_______. Tel: 613-560-5470
>Public Service Alliance \(*)/ Fax: 613-563-3492
>of Canada o/ \o Email: grahamb_at_psac.com
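The thread's point, illustrated with added example code that is not from any of the posters: a credential placed on the command line is visible to every user through ps (on Linux, ps -ef reads the same data as /proc/<pid>/cmdline), whereas a credential piped into the client's standard input, as the SQLplus driver script above does, never appears there. It assumes a Linux-style /proc or a ps that supports -o args, and uses sleep as a stand-in for the client.

```sh
#!/bin/sh
# Added example, not from the original thread: a credential on the command
# line is visible to every user through ps, a credential fed on stdin
# (the pwdpgm | sqlplus -s pattern) is not. 'sleep' stands in for the client.

# What other users see for process $1. ps -ef shows the same data that
# /proc/<pid>/cmdline holds on Linux; fall back to ps where /proc is absent.
cmdline_of() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\000' ' ' < "/proc/$1/cmdline"
    else
        ps -o args= -p "$1"
    fi
}

# Client started with the credential in argv; returns 0 if the credential
# appears in the command line visible to others. The trailing 'exit 0' keeps
# sh from exec'ing straight into sleep, so sh's own argv stays inspectable.
leaks_via_argv() {
    cred="$1"
    sh -c 'sleep 2; exit 0' stand_in_client "$cred" &
    pid=$!
    sleep 1                                   # let the child finish exec
    seen=$(cmdline_of "$pid" || true)
    wait "$pid" 2>/dev/null || true
    case "$seen" in *"$cred"*) return 0 ;; *) return 1 ;; esac
}

# Same check with the credential piped into the client's stdin, as the
# SQLplus driver script does; argv never contains it.
leaks_via_stdin() {
    cred="$1"
    printf '%s\n' "$cred" | sh -c 'read -r line; sleep 2; exit 0' &
    pid=$!                                    # last element of the pipeline
    sleep 1
    seen=$(cmdline_of "$pid" || true)
    wait "$pid" 2>/dev/null || true
    case "$seen" in *"$cred"*) return 0 ;; *) return 1 ;; esac
}

# Constructed credential, not a real one.
demo() {
    cred='demo_user/not_a_real_password'
    if leaks_via_argv "$cred"; then echo "argv: credential visible in ps"; fi
    if leaks_via_stdin "$cred"; then echo "stdin: visible"; else echo "stdin: hidden from ps"; fi
}

demo
```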
Received on Mon Apr 03 1995 - 00:00:00 CEST
