RE: SQL scripts and passwords

We have an in-house developed Unix utility - we call it password manager. It encrypts/stores/decrypts passwords. The access is controlled at Unix group levels. Shell scripts fetch the password from this utility into shell variables and establish the sqlplus connection as below:

sqlplus /nolog << EOF
connect $USERNAME/$PASSWORD
-- SQL statements for the job go here
EOF

Anand Prakash



-----Original Message-----
From: JEFFERY
Sent: Wednesday, March 29, 2006 5:27 AM
To: LazyDBA Discussion
Subject: RE: SQL scripts and passwords


There are other problems with your setup as well.
Try this:
(1) sqlplus -s userid/password
(2) Assuming you have a SOLARIS/unix OS, type the following at the OS command
prompt:
ps -ef | grep "sqlplus -s"
What you will see is that the output contains the userid and the password. BAD !!
BAD !!

Off the top of my head I can think of some possible options:
(1) Create some OPS$ users and connect via the 'slash' login. This of
course requires you restrict access to these users on the OS side, and/or
(2) See if you can place these 'tasks' entirely in the DB. In other
words, make a JOB for them that ORACLE knows about and will run for you via
DBA_JOBS. If you have ORACLE 10, "schedule" them to run as a task/job.

I have not given details, just some suggestions, but these are things we do
here to "get around" the same issue.

How have you other guys addressed this?

Jeff
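
An added example, not part of the original thread: a defender's check that flags sqlplus processes whose logon string is visible in the process list, as in the ps test above, while ignoring the /nolog and 'slash' logins mentioned in the thread. It reads `ps -eo pid,user,args` output instead of `ps -ef` so the columns are stable; the function names, the sample listing and the ORCL, nightly.sql and /u01 path values are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `ps -eo pid,user,args` output (not from a real host).
sample_ps() {
cat <<'EOF'
  PID USER     COMMAND
 4101 oracle   sqlplus -s userid/password
 4177 oracle   sqlplus /nolog
 4210 batch    sqlplus -s /
 4302 batch    /u01/app/oracle/bin/sqlplus -s userid/password@ORCL @nightly.sql
 4400 jeff     grep sqlplus -s
EOF
}

# Reads a "pid user args..." listing on stdin and prints "PID USER" for each
# sqlplus process whose first non-option argument has the form user/password.
# The password itself is never echoed.
find_exposed_sqlplus() {
  awk '
    NR == 1 && $1 == "PID" { next }            # skip the header line
    {
      n = split($3, path, "/")
      if (path[n] != "sqlplus") next           # ignore e.g. "grep sqlplus"
      for (i = 4; i <= NF; i++) {
        if ($i ~ "^-") continue                # options such as -s
        # The first non-option argument is the logon string. Flag it only if
        # it is name/secret; "/nolog", "/", "user" and "@script" do not match.
        if ($i ~ "^[^/@]+/[^@]+") print $1, $2
        break
      }
    }'
}

# Run against the constructed listing; on a live host use:
#   ps -eo pid,user,args | find_exposed_sqlplus
sample_ps | find_exposed_sqlplus
```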


-----Original Message-----
From: oracledba-return-125877-JEFFERY.L.SCHRENK=saic.[Email address protected] On Behalf Of Brett N Exton
Sent: Wednesday, March 29, 2006 6:01 AM
To: LazyDBA Discussion
Subject: SQL scripts and passwords


Hi !

I have lots of batch files (windows) which call SQL scripts that have the
userid/password hard coded into the script

e.g. sqlplus -s userid/password

The passwords have to be in the scripts because these scripts are timed to
run at various times of the day/night.

Consequently, if the permissions on a script were left open and a user got to
view the script then...who knows!

I am mulling some different ideas around as to how best to secure these
scripts but would welcome some ideas.

Thanks!
--
Brett Exton





--------
website: http://www.LazyDBA.com
Please don't reply to RTFM questions
Oracle documentation is here: http://tahiti.oracle.com
To unsubscribe: see http://www.lazydba.com/unsubscribe.html
To subscribe: see http://www.lazydba.com
By using this list you agree to these
terms:http://www.lazydba.com/legal.html

