Tony’s Oracle Tips

October 15, 2008

Hiding sqlplus passwords from “ps” output

Filed under: Uncategorized — tonyhasler @ 10:17 am

It is a common concern that passwords entered on the sqlplus command line appear in “ps” output on UNIX systems. If you execute sqlplus from a Korn shell script you can usually avoid passing the password on the command line as follows:

sqlplus /nolog << EOF
connect username/password@orcl
exec dbms_lock.sleep(20) ;
EOF

If you modify this script to provide a valid connection string, execute it from one terminal and run “ps” on another, you will not see the password.

However, suppose your script is set up to start an interactive session for a user, supplying the password on the user’s behalf?

An unsecured version of the script might look like this:

sqlplus username/password@orcl

This script logs a user onto sqlplus (so the user doesn’t need to know the password) but exposes the password to “ps”.

One simple solution is as follows:

(echo connect username/password@orcl ; cat - ) | sqlplus /nolog

This technique gives the user her sqlplus prompt but the password appears in the “ps” output only for a moment during the echo command.

Even more secure is:

(cat - << EOF ; cat - ) | sqlplus /nolog
connect username/password@orcl
EOF

This hides the password completely.
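The difference between the command-line form and the here-document form can be checked without a database. The script below is an added example, not part of the original post: `fake_client` is a hypothetical stand-in for sqlplus and the credential is constructed for the test.

```shell
#!/bin/sh
# Stand-in for sqlplus (assumption): ignores its arguments, drains stdin and
# lingers. The trailing ":" stops sh replacing itself with sleep and so
# dropping the arguments from the process list.
fake_client() { sh -c 'cat >/dev/null; sleep 1; :' fake_client "$@"; }

# Constructed sample credential; $$ makes the value unique to this run.
SECRET="scott/constructed-pw-$$@orcl"

# Argument lists of all processes: ps where it works, /proc as a fallback.
snapshot_args() {
    ps -ww -eo args 2>/dev/null && return 0
    for f in /proc/[0-9]*/cmdline; do
        { tr '\0' ' ' <"$f"; echo; } 2>/dev/null || :
    done
}

# probe argv    : password passed as a command-line argument (unsecured form)
# probe heredoc : connect line fed on stdin through a here-document
# Prints "visible" if any snapshot taken while the client runs shows $SECRET.
probe() {
    if [ "$1" = argv ]; then
        fake_client "$SECRET" </dev/null &
    else
        fake_client <<EOF &
connect $SECRET
EOF
    fi
    result=hidden
    for i in 1 2 3 4 5; do
        # "case" is a shell builtin, so the check itself never puts the
        # secret in an argument list (as `ps | grep "$SECRET"` would).
        case $(snapshot_args) in *"$SECRET"*) result=visible ;; esac
        sleep 0.1 2>/dev/null || :
    done
    wait
    echo "$result"
}

echo "password as argument:  $(probe argv)"
echo "password via here-doc: $(probe heredoc)"
```

The same `snapshot_args` check can be pointed at a real wrapper script during review to confirm that no credential reaches an argument list.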

