Tony’s Oracle Tips

October 15, 2008

Hiding sqlplus passwords from “ps” output

Filed under: Uncategorized — tonyhasler @ 10:17 am

It is a common concern that passwords entered on the sqlplus command line appear in “ps” output on UNIX systems. If you execute sqlplus from a Korn shell script you can usually avoid passing the password on the command line as follows:


#!/bin/ksh
sqlplus /nolog << EOF
connect username/password@orcl
exec dbms_lock.sleep(20) ;
EOF

If you modify this script to provide a valid connection string, run it from one terminal, and run “ps” from another, you will not see the password.

However, suppose your script is set up to start an interactive session for a user, supplying the password on the user’s behalf?

An unsecured version of the script might look like this:


#!/bin/ksh
sqlplus username/password@orcl

This script logs a user onto sqlplus (so the user doesn’t need to know the password) but exposes the password to “ps”.

One simple solution is as follows:


#!/bin/ksh
(echo connect username/password@orcl ; cat - ) | sqlplus /nolog

This technique gives the user her sqlplus prompt, but the password appears in the “ps” output only for a moment during the echo command.

Even more secure is:


#!/bin/ksh
(cat - << EOF ; cat - ) | sqlplus /nolog
connect username/password@orcl
EOF

This hides the password from “ps” completely.
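
To check a wrapper before deploying it, you can compare what the process table shows for the command-line form and the here-document form. The following is an added example, not part of the original post: the credential is constructed, and a small `sh -c` stand-in (named `sqlplus_standin` here, an assumption) replaces the real sqlplus so the check runs without a database.

```shell
#!/bin/sh
# Constructed credential for the demonstration; not a real account.
SECRET='scott/T1ger_demo@orcl'

# Stand-in for sqlplus (assumption: the real client is not needed to show the
# effect). It drains stdin, then stays alive long enough to be sampled.
# The trailing ':' keeps the shell from exec-ing sleep and replacing its argv.
STANDIN='cat >/dev/null; sleep 3; :'

# Print the argument vector of a PID as other local users would see it.
argv_of() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"     # Linux
    else
        ps -o args= -p "$1"                  # other UNIX systems
    fi
}

# Start the stand-in the way the wrapper would, sample its argv after one
# second, and return 0 if the secret is visible there, 1 if it is not.
leaks_in_argv() {
    case "$1" in
        cmdline)   # password as an argument, as in the unsecured script
            sh -c "$STANDIN" sqlplus_standin "$SECRET" </dev/null & ;;
        heredoc)   # password on stdin, as in the last script; the terminal
                   # is replaced by /dev/null so the check does not block
            ( cat - <<EOF ; cat - </dev/null ) | sh -c "$STANDIN" sqlplus_standin /nolog &
connect $SECRET
EOF
            ;;
        *) echo "usage: leaks_in_argv cmdline|heredoc" >&2; return 2 ;;
    esac
    pid=$!                      # PID of the stand-in (last command of the pipeline)
    sleep 1
    seen=$(argv_of "$pid")
    wait "$pid" 2>/dev/null
    case "$seen" in
        *"$SECRET"*) return 0 ;;
        *)           return 1 ;;
    esac
}
```

Run `leaks_in_argv cmdline` and `leaks_in_argv heredoc` after sourcing the file; an exit status of 0 means the password was visible in the process arguments.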
