Re: Oracle Security
Date: 31 Jan 1995 23:37:24 -0800
Message-ID: <3gndnk$bjm_at_garlic.com>
David Scott (dscott_at_is.net) wrote:
: In article <ks.146.04F279C4_at_ic.uva.nl>, ks_at_ic.uva.nl (Karel Sprenger) wrote:
: > In article <3fk3ti$7m4_at_redstone.interpath.net> hcurtis_at_hcurtis.pdial.interpath.net writes:
: >
: > >Is anyone aware of a mechanism to disable "fastpathing" when entering
: > >an Oracle product (e.g. SQLPLUS). I'd like to force use of the
: > >prompting mechanism within Oracle. For example:
: > > Typing : SQLPLUS userid/password
: > > to enter the product works fine. The problem is, anyone executing
: > > a ps -ef now has the userid and password of a valid oracle account.
: > >Needless to say, this is causing some excitement among our security folks.
: >
: > Except for switching to OPS$ usernames, the only mechanism would be to
: > "program" the users to stop entering their oracle username/password on the
: > command line. To help them, you might consider writing stubs for the oracle
: > tools that warn against this unsafe practice when used and otherwise start up
: > the actual tool.
Hmm...why won't ops$ work for you? That is Oracle's solution, and pretty portable across operating systems...clearly documented (dba ref.man.?)
The stub idea should work, maybe with the help of your local shell/C prgmr. Seems to me that a shell script that refuses to run when there are parameters on the command line would be pretty useful in your case. The ps -ef would be futile if the process ended quickly enough. And I wonder if some unix wizard couldn't actually strip them from the command line somehow.
Interesting question, though. It would be more interesting (may I suggest?) if some further detail could be nailed down, such as your system config., complete with o/s, version, shell, etc. I'm not sure you should provide that to the public domain, however.
Oh, just thought of another approach. If you don't like ops$, code your own: insert some records from your favorite menu/form/shell and retrieve the parameters you need from a table. Access only from routine that looks up the login and provides that user access. Basically duplicates the ops$ function, but as you like it.
I guess I like the ops$ the best...eminently supportable and easier for the users too. The stub would be a close second; replace sqlplus with sqp or something nice and short.
Sorry to be so long-winded. Good luck, sir.

Received on Wed Feb 01 1995 - 08:37:24 CET
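Added example, not part of the original post: one way to write the stub discussed in this thread, as a POSIX shell wrapper that refuses a `userid/password` argument and otherwise starts the real tool. The name `sqp` comes from the post; the `REAL_SQLPLUS` path, the function names and the `scott/tiger` sample arguments in the comments are assumptions made for illustration.

```sh
#!/bin/sh
# Stub for sqlplus, meant to be installed as "sqp" ahead of the real binary.
# REAL_SQLPLUS is an assumed location; set it to match the local install.
REAL_SQLPLUS="${REAL_SQLPLUS:-/opt/oracle/bin/sqlplus}"

# Return 0 if any argument looks like user/password (optionally @db).
has_cmdline_credentials() {
    for arg in "$@"; do
        case "$arg" in
            @*)              continue ;;  # @script.sql, path may contain slashes
            /|/nolog|/NOLOG) continue ;;  # OS-authenticated (ops$) login or no login
            ?*/?*)           return 0 ;;  # e.g. scott/tiger or scott/tiger@prod
        esac
    done
    return 1
}

# Refuse to run if a password is on the command line, else start the real tool.
# The stub exits at once on refusal, so the password stays in ps output only
# briefly, but the user should still treat it as exposed and change it.
sqp_main() {
    if has_cmdline_credentials "$@"; then
        printf '%s\n' \
            "sqp: password given on the command line; ps -ef shows it to everyone." \
            "sqp: run 'sqp username' and answer the prompt, or use an ops\$ account: 'sqp /'." >&2
        return 2
    fi
    exec "$REAL_SQLPLUS" "$@"
}

# Run only when this file is invoked under the name "sqp".
case "${0##*/}" in
    sqp) sqp_main "$@"; exit $? ;;
esac
```

A username on its own (`sqp scott`) or `sqp /` passes through, so the prompting and ops$ paths recommended in the thread keep working.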