Re: Hiding username/password from ps
Date: 1995/12/26
Message-ID: <30E08B4D.332F7A72_at_fsl.noaa.gov>#1/1
I just did a ps on my system while connected to sqlplus with uname/passwd supplied, and it reveals the supposedly hidden passwd too. I'm glad you brought this up, else I may not have noticed it for a while. BTW, I'm using sqlplus ver. 3.2.2 supplied with O7 ver. 7.2.2.3 (now patched to 7.2.2.4) which is the latest and greatest that I'm aware of.
I guess the only "secure" method of starting sqlplus (or perhaps any Oracle utility) is to not supply the passwd on the command line. It makes sense that any command you run with arguments will normally have those arguments listed via ps, unless the called command does something to suppress them. Hopefully, Oracle will provide a patch to make their code behave as in your first example.
Scott Buennemeyer
NOAA/FSL/FRD & IP Unix System Administrator
Boulder, CO
Don Brown wrote:
My version V6.0.36.0.1 of sqlplus doesn't display the uid/passwd on the
command line:
sqlplus scott/tiger
from another shell:
My version 7.0.16.6.0 sqlplus, however, does:
ps -ef | grep sql
I don't know why I get this behavior, but I do. Perhaps the version 6
sqlplus has been patched so it doesn't show the arguments.
Don
ps -aux | grep sql
don 3182 0.0 0.2 32 208 p0 S 15:34 0:00 grep sql
don 3179 0.0 0.5 184 488 p1 S 15:34 0:00 sqlplus
don 4416 4401 3 15:37:13 pts/1 0:00 grep sql
don 4412 4383 24 15:36:56 pts/0 0:00 sqlplus scott/tiger
Boeing Computer Services, Richland
(509) 376-6990
don_brown_at_rl.gov
Received on Tue Dec 26 1995 - 00:00:00 CET