Re: Q: embedding userid/password in scripts?

From: Allen Kirby <akirby_at_attmail.com>
Date: 1996/11/15
Message-ID: <328C8677.706_at_attmail.com>#1/1


John P DeVoy wrote:
>
> I'm new to UNIX, and I want to develop some cron scripts that I
> can have log into the database and do some chores for me. I can
> do that trick just fine, but I'm not certain I'm handling the
> account name and password in the most secure manner possible.
>
> If you've done similar stuff in your shop, can you share with us
> how you handle the account name and password, together with any
> security issues. Thanks!!
> --
> ----------------------------------------------------------------
> John P De Voy "When amateurs dabble in databases ()
> DBA, NeXT Software Inc. people get hurt!" /\

You could use a flat file and read it in in a shell script, but there is also another option. I'm not sure what the name is in Oracle7 but in V6 it was called an OPS$ account. Basically you set up the user account in Oracle to be the same as the Unix login id and mark that account as a 'trusted' user. When that particular user runs sqlplus all you have to do is supply a / for the id/password. The db looks for a trusted account with the name of the Unix login and if it finds it, completes the login without requiring any password.

The problem with either of these solutions is that if a user can log in as the user who runs the script, then they can either type 'sqlplus /' and get in or simply read the file with the password in it. The best way to prevent that is to lock the Unix password so that login can't be used except from cron or by setuid programs. That should be very secure.

-- 
---
Allen Kirby			AT&T ITS Production Services
akirby_at_attmail.com		Alpharetta, GA.
Received on Fri Nov 15 1996 - 00:00:00 CET
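
For the flat-file option in the reply above, a cron script can refuse to use a credentials file that any other account could read. This is an added example, not part of the original post; the `user=`/`password=` file format and the names `load_db_credentials`, `DB_USER` and `DB_PASS` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed file format, one per line:
#   user=<database account>
#   password=<database password>

# load_db_credentials FILE: set DB_USER and DB_PASS, or return non-zero.
load_db_credentials() {
    cred_file=$1
    DB_USER= DB_PASS=

    # ls -ldn does not follow symlinks and prints: mode, links, numeric uid, ...
    info=$(ls -ldn -- "$cred_file" 2>/dev/null) || return 1
    read -r mode _links owner _rest <<EOF
$info
EOF
    case $mode in
        -???------*) ;;   # regular file with no group or other permission bits
        *) echo "refusing $cred_file: mode is $mode" >&2; return 1 ;;
    esac
    # The file must belong to the account the cron job runs as.
    [ "$owner" = "$(id -u)" ] || {
        echo "refusing $cred_file: owned by uid $owner" >&2
        return 1
    }

    # Cut at the first '=' only, so passwords may themselves contain '='.
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            user=*)     DB_USER=${line#user=} ;;
            password=*) DB_PASS=${line#password=} ;;
        esac
    done < "$cred_file"
    [ -n "$DB_USER" ] && [ -n "$DB_PASS" ]
}

# Constructed demo: the same file with tight, then loose, permissions.
demo=$(mktemp) && printf 'user=cronjob\npassword=example-only\n' > "$demo"
load_db_credentials "$demo" && echo "0600: loaded account $DB_USER"
chmod 644 "$demo"
load_db_credentials "$demo" || echo "0644: rejected"
rm -f "$demo"
```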