Sunday, August 24, 2008

Do not invoke SQL*Plus with a password On UNIX and Linux platforms.

Most of us sometimes start SQL * Plus with a password on UNIX and Linux platforms without knowing security threat.

For example, an application user connects SQL * Plus by passing username and password on Unix/Linux Server.

$ sqlplus apps/apps@proddb

Here the sqlplus command parameters are very much available for viewing by all operating system users on the same host computer; as a result, password entered on the command line could be exposed to other users, as below.

$ ps -efgrep sqlplus
oracle 14490 2190 0 16:31:53 pts/5 0:00 sqlplus apps/apps@proddb
oracle 14493 14491 0 16:32:01 pts/5 0:00 grep sqlplus

So, there might be a chance for an intruder to know the user id and password, and can connect to the database using that credentials.

Then, following is the secure and best way of connecting SQL * Plus where the password is not exposed on the command line.

$ sqlplus apps@proddb
Enter password: ****

Or, even not to expose the username and connecting string.

$ sqlplus
Enter user-name: apps@proddb
Enter password: ****

Or

$ sqlplus /nolog
SQL> connect apps@proddb
Enter password: ****

And also, do not use the password while invoking Export/Import Utility using exp/imp command line, and for any other command line utilities which you think the password will be exposed to others.

On Microsoft Windows, the command recall feature (the Up arrow) remembers user input across command invocations.

For example, if you use the CONNECT APPS/password notation in SQL*Plus, exit, and then press the Up arrow to repeat the CONNECT command, the command recall feature discloses the connect string and shows the password. So, it is advice *NOT* to pass the password while connecting to SQL * Plus on windows as well.

Your comments are welcomed.

Regards,
Sabdar Syed.

http://sabdarsyed.blogspot.com/

3 comments:

Fuad Arshad said...

Safdar while was true in 9 in 10 oracle has made the executables code more secure so
a sqlplus a/a will some something like
ps -ef |grep sqlplus
oracle 1028148 278864 0 13:55:14 pts/27 0:00 grep sqlplus
oracle 1818702 557348 0 13:54:54 pts/26 0:00 sqlplus

This has helped us securing a lot of legacy applications

Sabdar Syed said...

Good to know.

Regards,
Sabdar Syed.

Laurent Schneider said...

Fuad, Sabdar, be aware that this depends on the os. Some made it safe in late 9i, some in 10gR1, and probably some are still insecure in 11g.

I just had to remove it from sql loader with

echo user/pass|sqlldr control=x.ctl