Re: concealing system password from AIX ps

From: Mark Fox <Mark.Fox_at_ColumbiaSC.ATTGIS.COM>
Date: 1995/05/03
Message-ID: <D80L3n.L6B_at_ncrcae.ColumbiaSC.ATTGIS.COM>


I don't know if this will work in AIX, but works in other systems.

Try the following:
The first question that must be asked is why do you have users with shell access on your production systems. Remove all shell access capability and you've solved the problem. If you have to give the users shell access, put them into a restricted shell. Create a new /usr/bin directory and call it /usr/rbin. Copy everything from /usr/bin into /usr/rbin. Remove any program that you don't want them accessing. Remove the Sticky bit from the PS command so it won't display all processes. Create a /home/rhome directory to be used as their home directory when in the restricted shell. Then just prior to placing them into the restricted shell, set HOME=/home/rhome and PATH=/usr/rbin. This will keep them from having free roam in your system and also restrict the capabilities of the PS command.

I don't think this is your solution if you are having true development on the same system that you are protecting. The restricted shell will hamper your development. You could still do something about the sticky bit of the PS command and make sure that it is in the start of the PATH. Unfortunately, once your developers realize what is going on, they'll change their PATH or fully qualify the PS command to pick up the original copy with the Sticky bit set on.

Mark Fox

>In article <3o46n3$143_at_camelot.qdot.qld.gov.au> John Blackburn writes:
>tritt_g_at_gw2.admin.ch wrote:
>> We have a problem protecting the information of
>> system or sys passwords when we use scripts
>> with SQL*Plus.

>> With exp and imp we can at least use a parameter file.

>> On our AIX machines the UNIX command ps ef
>> returns the parameters to every command, so
>> anyone can see sqlplus system/manager
>> (that's not really our password)
>> Other ps on other machines don't have this "feature",
>> according to Oracle support.

>> Has anyone a solution? It should be easy ...
>
>This needs to be in the Oracle FAQ as this question seems to be asked
>once or twice a week.
>
>(BTW, where is the Oracle FAQ stored and/or Maintained?)
>
>--
>
>John Blackburn Phone: +61 7 2534634
>jb2_at_qdot.qld.gov.au Fax: +61 7 8541194

AT&T Global Information Solutions
Mark Fox (Advanced Manufacturing Systems) Mark.Fox_at_ColumbiaSC.ATTGIS.COM
(803) 939-6363

Received on Wed May 03 1995 - 00:00:00 CEST
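As an added example (not code from the thread, and not the restricted-shell setup Mark describes), here is a check for the exposure the original question describes, scanning ps-style output for a credential on the sqlplus command line, next to the usual way of keeping it off argv: start sqlplus with /nolog and send CONNECT over stdin. The SQLPLUS_CMD hook, the fake_sqlplus stand-in, the sample ps lines and the user/password pairs are assumptions and placeholders made so it runs without Oracle installed.

```shell
#!/bin/sh
# Added example, not code from the thread. All sample data is constructed and
# every user/password pair is a placeholder.

# What "ps -ef" might show while a script passes the credential on the
# command line (the problem quoted above). Constructed sample, not real output.
SAMPLE_PS='  oracle  1234     1  0 09:12:00  -  0:00 sqlplus system/manager @nightly.sql
  oracle  1235     1  0 09:12:01  -  0:00 sqlplus -s /nolog
    root    42     1  0 08:00:00  -  0:00 /usr/sbin/cron'

# Check: count lines where sqlplus is given a user/password[@db] argument.
# On a live system: find_exposed_credentials "$(ps -ef)"
find_exposed_credentials() {
    printf '%s\n' "$1" | grep -cE 'sqlplus( -[A-Za-z]+)* [A-Za-z0-9_$#]+/[^ @]+' || :
}

# Mitigation: start SQL*Plus with /nolog and send CONNECT over stdin, so ps
# only ever shows "sqlplus -s /nolog". $1 is a file holding "user/password"
# (keep it mode 0600), $2 the SQL script. SQLPLUS_CMD is an assumed hook so
# the demonstration can run where Oracle is not installed.
run_sqlplus_hidden() {
    cred=$(cat "$1") || return 1
    "${SQLPLUS_CMD:-sqlplus}" -s /nolog <<EOF
CONNECT $cred
@$2
EXIT
EOF
}

# Stand-in for sqlplus: reports its argv (what ps would see) and the first
# stdin line (what ps never sees), then discards the rest of the script.
fake_sqlplus() {
    printf 'argv as ps shows it: sqlplus %s\n' "$*"
    read -r first_line
    printf 'stdin, invisible to ps: %s\n' "$first_line"
    cat >/dev/null
}

demo() {
    printf 'exposed in sample ps output: %s\n' "$(find_exposed_credentials "$SAMPLE_PS")"
    credfile=$(mktemp) || return 1
    printf 'system/manager\n' >"$credfile" && chmod 600 "$credfile"   # placeholder
    SQLPLUS_CMD=fake_sqlplus
    run_sqlplus_hidden "$credfile" nightly.sql
    rm -f "$credfile"
}
demo
```

The credential file replaces the parameter file the question mentions for exp and imp; the same stdin approach works for any script that currently passes user/password as an argument.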
