Re: how to hide oracle password from a unix ps -ef | grep?
On 01/16/2004 01:34:45 PM, Tanel Poder wrote:
> Few ideas:
>
> 1) sqlplus /nolog
>    connect user/pwd@host
This requires putting an ASCII (non-encrypted) password in the SQL script. Not very safe.
>
> 2) . $HOME/.orapwd
> sqlplus user/$ORAPWD@host
This will actually show the password because the shell will interpret the ORAPWD variable before passing the arguments to the fork/exec combination. The password will be clearly visible by "ps -ef".
>
> (.orapwd script has to set environment variable ORAPWD to the password)
>
> 3) sqlplus system@host < $HOME/.orapwd
>
> (.orapwd must contain one line, the password)
This is semi-decent because the password is still in an ASCII file, but hidden. Root (SA) can still read it. If that's acceptable, it's OK, provided that the protection mask is set properly.
I would add

4) CREATE USER OPS$MLADEN identified externally - that uses OS authorization and can be easily cracked by root (su -)

5) Oracle advanced security. That is the best answer, supporting Radius, Kerberos and biometrics, but costs $$$$$$.

I would use 4, despite Oracle's claims that this type of authorization is "discouraged" or "deprecated". So is RBO and yet it lives on. That is only a marketing pitch.
--
Mladen Gogala
Oracle DBA

Received on Fri Jan 16 2004 - 13:44:27 CST
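
Added example, not part of the original message: a shell sketch contrasting options 2 and 3 from the thread, showing what lands in the process's argument list in each case and checking the password file's mode. `fake_sqlplus`, the file names and the password are constructed stand-ins; it assumes Linux `/proc` or a `ps` that supports `-o args=`.

```shell
# Added illustration, not code from the thread. fake_sqlplus is a constructed
# stand-in for sqlplus; the password is a constructed sample value.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
standin=$demo_dir/fake_sqlplus
SAMPLE_PW='S3cret-sample'

# Stand-in client: prints the argv other users would see in "ps -ef",
# then notes whether a password line arrived on stdin.
cat > "$standin" <<'EOF'
seen=$(tr '\000' ' ' 2>/dev/null < /proc/$$/cmdline || ps -o args= -p $$)
IFS= read -r pw || pw=
printf 'argv: %s\n' "$seen"
if [ -n "$pw" ]; then printf 'stdin: password line received\n'; fi
EOF

umask 077   # files created below get mode 600 (the "protection mask")
printf 'ORAPWD=%s\n' "$SAMPLE_PW" > "$demo_dir/orapwd.env"   # option 2 file
printf '%s\n' "$SAMPLE_PW" > "$demo_dir/orapwd.txt"          # option 3 file

# Option 2: the shell expands $ORAPWD before fork/exec, so it lands in argv.
option2() {
    ( . "$demo_dir/orapwd.env"
      sh "$standin" "user/$ORAPWD@host" < /dev/null )
}

# Option 3: only user@host is in argv; the password travels over stdin.
option3() {
    sh "$standin" system@host < "$demo_dir/orapwd.txt"
}

# Succeeds when the argv line of the given output contains the password.
argv_leaks() {
    printf '%s\n' "$1" | grep '^argv: ' | grep -qF -- "$SAMPLE_PW"
}

# Succeeds when the file is readable and writable by its owner only.
owner_only() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

out2=$(option2); out3=$(option3)
printf 'option 2 -> %s\n' "$out2"
printf 'option 3 -> %s\n' "$out3"
argv_leaks "$out2" && echo "option 2: password visible in the process list"
argv_leaks "$out3" || echo "option 3: password not in the process list"
owner_only "$demo_dir/orapwd.txt" || echo "warning: tighten password file mode"
```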