Oracle Tips by Burleson

 

Hiding the SQL*Plus Password

When a user connects with SQL*Plus, the most common way is to issue

sqlplus scott/tiger

assuming, of course, that the user is SCOTT and the password is TIGER. However, if a user on another terminal enters the following command

ps -aef | grep sqlplus

they will see this:

sqlplus scott/tiger

The password of SCOTT is revealed, because the command-line arguments of every running process are visible to all users on the machine. Clearly, this is a security hole. Users must be instructed never to put the password directly on the command line.

Instead, either of the following should be used:

sqlplus SCOTT

Oracle will then prompt for the password, which is entered interactively and never appears in the process list, or

sqlplus /nolog
SQL> connect SCOTT/TIGER

Some other ways to connect from a program include

sqlplus /nolog << EOF
connect SCOTT/TIGER
… your sql statements go here
EOF

Similar warnings apply to other Oracle utilities such as export, import, SQL*Loader, and RMAN. Some programs written in Pro*C or Java may need the password passed as a command-line parameter. These should also never expose the password, and access to them should be strictly restricted. The programs or utilities will prompt for a password if none is supplied, and the password may be fed from a file via input redirection (the "<" character).

Sometimes we have found it useful to store the password in some secured file owned by the software owner, and readable only by the owner. Although it is not absolutely secure by any means, it's nevertheless a deterrent to theft.
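The following script is an added example and is not part of the original tip. It puts the two recommendations above together: the password lives in a separate file that must be owned by the caller and readable only by the owner (the script refuses to run otherwise), and it is fed to SQL*Plus on standard input through a CONNECT command, so the process list shows only `sqlplus -s /nolog`. The `SQLPLUS_BIN` override is an assumption of this example (it exists so the script can be exercised with a stand-in command on a machine without SQL*Plus); `check_pwfile` and `run_sql` are names chosen here, not Oracle utilities.

```shell
#!/bin/sh
# Added example (not from the original tip): keep the Oracle password out of argv.
# Assumes a password file readable only by the software owner (mode 0600 or 0400).
# SQLPLUS_BIN is a hypothetical override for testing without a real sqlplus.

SQLPLUS_BIN="${SQLPLUS_BIN:-sqlplus}"

# Return 0 only if FILE exists, is owned by the calling user, and is
# readable by the owner alone. Anything more permissive is rejected, since
# a world-readable password file is no better than a password on the command line.
check_pwfile() {
    f="$1"
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    # GNU stat first, BSD/macOS stat as fallback
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    owner=$(stat -c '%u' "$f" 2>/dev/null || stat -f '%u' "$f")
    [ "$owner" = "$(id -u)" ] || { echo "not owned by caller: $f" >&2; return 1; }
    case "$mode" in
        600|400) return 0 ;;
    esac
    echo "permissions too open ($mode): $f" >&2
    return 1
}

# Run SQLFILE as USER. The password is read from PWFILE and sent to
# SQL*Plus on stdin via CONNECT, so `ps -aef` shows only "sqlplus -s /nolog".
run_sql() {
    user="$1"; pwfile="$2"; sqlfile="$3"
    check_pwfile "$pwfile" || return 1
    IFS= read -r pw < "$pwfile"          # first line of the file is the password
    {
        printf 'CONNECT %s/%s\n' "$user" "$pw"
        cat "$sqlfile"
        printf 'EXIT\n'
    } | "$SQLPLUS_BIN" -s /nolog
}

# Show the argument list that any user on the host can see for a command,
# by starting it in the background and reading its entry from ps.
visible_args() {
    "$@" &
    pid=$!
    ps -o args= -p "$pid"
    kill "$pid" 2>/dev/null
    wait "$pid" 2>/dev/null
}

# Usage: ./safe_sqlplus.sh --demo   (creates a throwaway password file and runs
# a constructed query through whatever SQLPLUS_BIN points at)
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    printf 'tiger\n' > "$tmp/pw"; chmod 600 "$tmp/pw"        # constructed secret
    printf 'SELECT USER FROM dual;\n' > "$tmp/whoami.sql"     # constructed query
    run_sql scott "$tmp/pw" "$tmp/whoami.sql"
    rm -rf "$tmp"
fi
```

With a real SQL*Plus, `run_sql scott /home/oracle/.scottpw query.sql` connects without the password ever appearing in `ps` output; `visible_args sqlplus scott/tiger` shows what an unprotected invocation leaks. The same stdin technique applies to the other utilities named above that accept a connect string on a prompt rather than on the command line.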

Sometimes DBAs, the very people in charge of security, also make mistakes that expose a password. A common example is the TKPROF tool. The DBA might give a command like this:

tkprof tracefile.trc tkout.out explain=sys/changed

Note the SYS password in the explain clause, visible to anyone running ps. Although the explain clause needs a password, it can be supplied later at the prompt instead. In any case, unless SYS-owned objects are being explained, the user SYS should never be used to explain the plan; rather, the application user should be used.


 Copyright © 1996 -2016 by Burleson. All rights reserved.