Pete Finnigan's Oracle Security Forum (http://www.petefinnigan.com/forum/yabb/YaBB.cgi)
Oracle General >> General Oracle questions >> Hiding password from ps -ef
(Message started by: Pete Finnigan on May 28th, 2009, 3:49pm)

Title: Hiding password from ps -ef
Post by Pete Finnigan on May 28th, 2009, 3:49pm
Hi all,

This question has been asked several times in several forums but I have yet to find the answer to the question. Hopefully it will get answered here or if it has been posted and answered already before, please advise where is it, i.e. the answer.

When running sqlplus via UNIX scripts, I have to include the username and password when accessing a remote database, this however appears when someone run the ps command, what is the best way to hide this from the ps command or any other snooping eyes. I do not have issues when the database is local because I can do sqlplus "/as sysdba".

I have the same issue with EXPDP/IMPDP, the password is exposed, Oracle suggested to use PAR file which I did, unfortunately, someone can simply have a look at that PAR file and get the password from there.

Any feedback will be very much appreciated.


Title: Re: Hiding password from ps -ef
Post by Pete Finnigan on May 28th, 2009, 7:54pm
Hi,

There are lots of solutions to this issue. The obvious one is that if the code you run from sqlplus remotely can be run in the database as a database job then that will fix the issue, alternately you could run the job locally as a cron job or to be called remotely via dbms_scheduler (there are bigger security issues with using this though). Dont run jobs with sys / as sysdba though, its not suitable with a "least privilege principal" approach. Next you could use the Oracle hide.c code to remove the password from ps listings (not ideal approach). You could use Oracle wallets remotely or locally (ideally locally) with mkstore etc. This allows you to associate Oracle usernames/passwords with a Unix user and the username/ password is stored in a wallet that is auto-open for the "right" user (owner) and password protected for others. This allows a "/" slash logon without the password. You can also use the free software OPR from opr.sourceforge.net - check search in my blog for some detailed installations.

Always try and remove the need for remote logon jobs, if not move them locally, if not move them into the database, if not control from withoin the database, finally use external authenicated users (locally) or the wallet or OPR but ALWAYS use the least privilege principal.


cheers

Pete

Title: Re: Hiding password from ps -ef
Post by Pete Finnigan on Jun 19th, 2009, 8:52am
Thanks for your advise.




Powered by YaBB 1 Gold - SP 1.4!
Forum software copyright © 2000-2004 Yet another Bulletin Board