I received an email tonight from a colleague who helped out on the SANS Oracle security step by step book when it was first written. He asked me if I knew how to hide the password used to connect to the database with SQL*Loader. He regularly audits the Unix servers under his control for password leakage on the command line by suing simple ps -ef | grep commands. This sometimes picks up users using SQL*Plus and connecting as follows:
sqlplus system/manager@orcl
The command line then shows up in a process listing using the ps command. He informs the culprit and advises them of the dangers of this and tells them to rectify the issue by using:
sqlplus /nolog
and then supplying the username/password@sid in the SQL script being used. It had come to his attention that users of the sqlldr binary were also leaking the password by supplying it on the command line. He was stumped as to how to fix this. I supplied the answer which I thought I would share tonight with others so that they can also stop this issue.
The simple answer is to use a parfile. This is a file that contains the SQL*Loader commands and could look like this:
$ cat parfile.par
userid=system/manager@orcl
control=control.ctl
errors=9999
log=logfile.log
This is then invoked as follows:
$ sqlldr parfile=parfile.par
This will prevent the leakage of the password into the process list but will present a new problem. The password is then stored in a script. This is a perennial issue. The answer is really down to levels of risk. The parfile can be protected at the file system level to prevent it being read. Ideally do not make it accessible to the owner of the oracle software or the dba group as this will prevent access from many of the functions such as UTL_FILE that allow operating system files to be read or written from within the database. Also the file could be generated or hand written just before use and then destroyed immediately after use. There are many other ideas that could be explored, as I said it really comes down to levels of risk. The particular issue here was how to prevent the process list leakage. Unfortunately this sort of problem often creates a new one.
Finally although not discussed with my colleague the same issues apply with other Oracle tools such as exp and imp and can be solved in the same way.
Blog
Pete Finnigan's Oracle Security Weblog
This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.
[Previous entry: "Oracle 9i union flaw"] [Next entry: "which special characters can be used in Oracle database passwords"]
October 2004
- find_all_privs.sql : A script to find all privileges allocated to a user or role - 10/02/2004 by 10/02/2004
- PeteFinnigan.com Tools page updated - 10/03/2004 by 10/03/2004
- who_has_role.sql : A script to find which users and roles have been granted a role - 10/05/2004 by 10/05/2004
- Howard Rogers writes about Virtual Private databases - 10/06/2004 by 10/06/2004
- Tools page has been updated again - 10/07/2004 by 10/07/2004
- who_has_priv.sql : script to find user who have been granted a system privilege - 10/09/2004 by 10/09/2004
- Oracle remids all customers to apply Patches for alert #68 - 10/10/2004 by 10/10/2004
- preventing password leakage with SQL*Loader - 10/11/2004 by 10/11/2004
- which special characters can be used in Oracle database passwords - 10/12/2004 by 10/12/2004
- expired passwords, ORA-01045 and password changes - 10/13/2004 by 10/13/2004
- SQL Injection papers - 10/14/2004 by 10/14/2004
- where is the next monthly patch? - 10/15/2004 by 10/15/2004
- computerworld have also picked up the patch quickly story - 10/16/2004 by 10/16/2004
- Listener security guide - 10/17/2004 by 10/17/2004
- A tuning book and security? - 10/18/2004 by 10/18/2004
- An interesting SQL Injection paper - 10/19/2004 by 10/19/2004
- Internetnews article : "Customers Gripe About Oracle's Patch Plan" - 10/20/2004 by 10/20/2004
- Auditing DBA's? - 10/21/2004 by 10/21/2004
- You can search inside the SANS Oracle security step-by-step guide - 10/22/2004 by 10/22/2004
- Is setting trace a security risk? - part 1 - 10/23/2004 by 10/23/2004
- technewsworld.com says "Oracle's Security Luck Runs Out" - 10/24/2004 by 10/24/2004
- Another issue with alert 68 on AIX 32 bit - 10/25/2004 by 10/25/2004
- Writing to the alert log - 10/26/2004 by 10/26/2004
- more info on DBMS_SYSTEM.KSDWRT - 10/27/2004 by 10/27/2004
- massive data theft from a database in California - 10/28/2004 by 10/28/2004
- Can I connect to the database as the user PUBLIC? - 10/29/2004 by 10/29/2004
- Interesting question about Sarbanes-Oxley on Oracle 7.3.3 - 10/30/2004 by 10/30/2004
- Howard Rogers new paper on secure application roles - 10/31/2004 by 10/31/2004
Archives
Syndication
Powered by gm-rss 2.0.0
