Discussion on Login/Passwords with Unix Shell Scripts
This message is intended to discuss what methods Unix Admins/Oracle DBAs are using to protect their Oracle Logins/Passwords within the Unix system.
An example of the problem might be, someone who writes a shell script that
calls sqlplus. Within this shell script they hard code in the Login and
Password.
If the shell script is 'readable' by others, then that login/password is
jeopardized.
(and of course if it changes later, some poor sap must go back and change them
all :-(
As I see it there are several methods one could take for this issue.
1) Use 'Operating System Authorization' which removes the need for storing
passwords, but is more difficult to set up and maintain for new DBAs
2) Use 'password' files that are protected by the operating system permissions
The script would read the login/password combo from the file and use them in
the sqlplus command. Not difficult, but sometimes people change permissions
without thinking (i.e. chmod 666 *)
3) Hard code the login/password in the script (I hate this one for all the
right reasons, end of discussion.)
4) Combo of 2 or 3 (and maybe 1). Set up specific users with specific roles and
privileges to restrict what the user ID can do. Better than 2 or 3 by itself,
but again more admin work and the possibility someone comes in later, can't get
something to work and does a grant dba privilege to the user id.
So what are your ideas, or how have you used these in the past? It would be nice to include some 'simple' examples for those who read these.
Thanks
Rick
Example of number 2, might be:
Create a file with the passwords,
read that file or 'execute' setting the env. variables
. /dir1/dir2/set_env_vars.sh
sqlplus -s <<+
$dbuser/$dbpassword
exec pl_sql_pgm($l_var)
exit
+
Received on Fri May 05 2000 - 00:00:00 CDT
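An added example, not part of the original post: one way to do method 2 so that a later `chmod 666 *` is caught before the credentials are used. The function names, the `key=value` file layout and the demo values are assumptions made for illustration; `dbuser`, `dbpassword` and `pl_sql_pgm` are the names from the post.

```shell
#!/bin/sh
# cred_file_ok FILE -> 0 only if FILE is a regular file (not a symlink),
# owned by the current user, with no group/other permission bits set.
cred_file_ok() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] || { echo "refusing $f: not a regular file" >&2; return 1; }
    [ -O "$f" ] || { echo "refusing $f: not owned by current user" >&2; return 1; }
    # ls -ld mode string looks like -rw-------; columns 5-10 are group+other.
    mode=$(ls -ld "$f" | cut -c5-10)
    [ "$mode" = "------" ] || { echo "refusing $f: group/other access ($mode)" >&2; return 1; }
}

# load_creds FILE -> sets dbuser and dbpassword from key=value lines.
# Lines are parsed, not sourced, so the file cannot run commands.
load_creds() {
    cred_file_ok "$1" || return 1
    dbuser= dbpassword=
    while IFS='=' read -r key value; do
        case $key in
            dbuser)     dbuser=$value ;;
            dbpassword) dbpassword=$value ;;
        esac
    done < "$1"
    [ -n "$dbuser" ] && [ -n "$dbpassword" ]
}

# run_sql FILE PROC_ARG -> credentials go to sqlplus on stdin (as in the post),
# so they never appear in the process list.
run_sql() {
    load_creds "$1" || return 1
    sqlplus -s <<EOF
$dbuser/$dbpassword
exec pl_sql_pgm($2)
exit
EOF
}

# Demo on a constructed credentials file (values are made up).
demo=$(mktemp) && printf 'dbuser=scott\ndbpassword=constructed-pw\n' > "$demo"
chmod 600 "$demo"; load_creds "$demo" && echo "600: loaded user $dbuser"
chmod 666 "$demo"; load_creds "$demo" || echo "666: rejected"
rm -f "$demo"
```

A script would call `run_sql /path/to/credfile "$l_var"`; it stops with a message on stderr if the file's mode or ownership has changed since it was set up.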