Re: Security Problems of using Pro-C

From: Alex Lind <alex_at_radiomail.net>
Date: 13 Jan 1994 22:05:54 GMT
Message-ID: <2h4gk2INN71m_at_nntp1.radiomail.net>


>>We are in the process of writing some Pro-C programs which will be called via
>>SQL*Menu. The question is how the Pro-C program should pick up the Oracle
>>Name and Password? We are running Oracle ver 6, with Unix on a Solbourne
>>Computer running Sun OS. We have come up with the following options:
>>
>>1. Hard code the name and password. This is not considered a valid
>> solution.
>>2. Pass the name and password as parameters to the Pro-C program. The
>> problem with this option is that anyone with access to the Unix
>> command "ps" can easily see the parameters.
>>3. Store the name and password as environment variables and have the
>> Pro-C program look there for them. The problem with this is there is
>> an option to "ps" which will show the environment.
>>
>>It appears that any of these options will allow people to see the passwords.
>>But when I use an Oracle tool, option 2 seems to work. I.e., if I use
>>
>> sqlplus name/password @program
>>
>>the name and password do not show when I do a "ps". This appears to work for
>>all the tools provided by Oracle. Does anyone know how to code a Pro-C program
>>so that it does the same thing? I think this would cover my security problem
>>of using Pro-C.
>
>When a name/password combination is entered as a parameter, it
>should show up with the "ps" command, assuming the "-f" option is
>used.
>
>Method 3 is probably a safer bet than Method 2 because some versions
>of "ps" do not have the environment option.
>
>Another possibility is to use the "<<" operator to pass the password
>through standard input. For example,
>
> sqlplus @program <<eoi
> name/password
> eoi
>
>The above assumes you don't need to use standard input for any other
>input.
>
>Safer yet:
>
> sqlplus @program <<eoi
> $SQL_ID/$SQL_PW
> eoi
>
>where SQL_ID & SQL_PW are not part of the environment (i.e. they
>are local to the script executing the sqlplus command).
>
>I'm not sure of any security problems with using standard input,
>but I'm sure there are some...
>

How safe is this: have the Pro*C application simply send "/" and use OS authentication on the person running the program. That way, at least the passwords aren't around for all to see. I'm sure there's some other problem, but at least then it's as secure as the OS under it (hehehehe...). Any experienced Oracle-dudes out there know the relative merits of this idea?

Later,
  Alex

Received on Thu Jan 13 1994 - 23:05:54 CET

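As an added example (not from the thread, and not Oracle's own code), here is how the Pro*C side of the heredoc approach above could look: a C program that takes the "name/password" line from standard input rather than argv or the environment, so nothing appears in "ps", and also accepts the bare "/" proposed above so the connect can fall back to OS authentication. The CONNECT statement itself is assumed and only sketched in a comment; the buffer sizes are arbitrary.

```c
/* Added example, not from the original thread: read "name/password" (or a
 * bare "/" for OS authentication) from stdin instead of argv/environment,
 * so it never shows in "ps", then wipe it once it has been used. */
#include <stdio.h>
#include <string.h>
enum cred_kind { CRED_ERROR = -1, CRED_USERPASS = 0, CRED_OS_AUTH = 1 };

/* Zero a buffer; volatile keeps the compiler from dropping the "dead" stores. */
static void scrub(char *buf, size_t len)
{
    volatile char *p = (volatile char *)buf;
    while (len--)
        *p++ = 0;
}

/* Split one input line into user and password. Returns a cred_kind; on
 * CRED_ERROR (no '/', empty name or password, overflow) both are left empty. */
int parse_credentials(const char *line, char *user, size_t ulen,
                      char *pass, size_t plen)
{
    size_t n = strcspn(line, "\r\n");       /* drop the newline fgets keeps */
    const char *slash = memchr(line, '/', n);
    user[0] = pass[0] = '\0';
    if (n == 1 && line[0] == '/')           /* "/" => let Oracle use OS auth */
        return CRED_OS_AUTH;
    if (slash == NULL || slash == line)     /* no separator, or empty name */
        return CRED_ERROR;
    size_t un = (size_t)(slash - line), pn = n - un - 1;
    if (pn == 0 || un >= ulen || pn >= plen)
        return CRED_ERROR;
    memcpy(user, line, un);      user[un] = '\0';
    memcpy(pass, slash + 1, pn); pass[pn] = '\0';
    return CRED_USERPASS;
}

int main(void)
{
    char line[256], user[64], pass[64];
    int kind = CRED_ERROR;
    if (fgets(line, sizeof line, stdin))
        kind = parse_credentials(line, user, sizeof user, pass, sizeof pass);
    scrub(line, sizeof line);               /* the raw line is no longer needed */
    if (kind == CRED_ERROR)
        return 1;
    /* Hypothetical connect step: EXEC SQL CONNECT :user IDENTIFIED BY :pass;
     * for CRED_OS_AUTH the program would connect with "/" instead. */
    printf("connecting as %s\n", kind == CRED_OS_AUTH ? "the OS user" : user);
    scrub(pass, sizeof pass);               /* wipe the password after use */
    return 0;
}
```

Fed from a script as `./prog <<eoi` with the credentials on the next line, the password is visible only on the script's stdin, though a heredoc is still written to a temporary file by most shells.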