
RE: Hiding passwords

From: Mercadante, Thomas F <NDATFM_at_labor.state.ny.us>
Date: Wed, 24 Sep 2003 04:54:39 -0800
Message-ID: <F001.005D0EC9.20030924045439@fatcity.com>


Jared,  

You said:  

"One of the problems with Windohs is that you cannot execute a script
or program so that it can return a value to a local environment variable."  

This is true. But to accomplish the same functionality, you can dynamically create a temporary .bat file that creates the environmental and then execute that bat file.  

Unfortunately on Windows, anything that you do can be repeated by someone else who logs onto the system. I guess you could secure a folder that only the Oracle account could see, and have these scripts placed in those folders so that the other users cannot get into them without rebooting the machine and bringing it up in DOS mode. That (I think) would prevent snooping. Not sure though.  

Tom Mercadante
Oracle Certified Professional

-----Original Message-----
Sent: Tuesday, September 23, 2003 6:00 PM
To: Multiple recipients of list ORACLE-L

Paul,

Any chance these scripts could be run from Cygwin, Uwin, MKS Toolkit, or anything that will let you use a korn shell?

That would simplify things tremendously.

One of the problems with Windohs is that you cannot execute a script or program so that it can return a value to a local environment variable.

That ability would make this task simple from command.com.

Another possibility is to put your passwords in the registry, restrict that portion of the registry (or the whole thing), and use a Perl script to retrieve the passwords and kick off the other jobs.

What I do in linux is use a password server ( as seen in "Perl for Oracle DBA's") and retrieve the password across the network, encrypted of course.

This works on windows as well, though you're there restricted to doing this strictly from within the Perl script.

Jared

PSherman_at_Bacou-Dalloz.com
Sent by: ml-errors_at_fatcity.com

09/23/2003 01:49 PM
Please respond to ORACLE-L

To: Multiple recipients of list ORACLE-L <ORACLE-L_at_fatcity.com>
cc:
Subject: RE: Hiding passwords




Tom,

As Dave Barry would say, Har!

Unfortunately, we are talking about 3rd-party people who have the 'right' to log in for support (debugging their ^%(^#@ products, and installing updates). I've got them under local admin accounts (as opposed to domain accounts), so they can only get to their own servers. BUT... that's as far as I can go to secure things except at the folder level (and Oracle loves it (!) when you try and do folder security on the datafiles, controlfiles, etc.). I appreciate the thought, but you did not go far enough... Kill them all, and save on security hardware. Any workable ideas?

Desperately yours,

Paul R. Sherman
DBA/Sr. Appl. Analyst
Bacou-Dalloz
office - 401-232-1200 x200
cell - 401-935-2802

"Mercadante, Thomas F" <NDATFM_at_labor.state.ny.us>
Sent by: ml-errors_at_fatcity.com

09/23/2003 04:24 PM
Please respond to ORACLE-L

To: Multiple recipients of list ORACLE-L <ORACLE-L_at_fatcity.com>
cc:
Subject: RE: Hiding passwords




Paul,  

It's simple really. Do not allow them to log-on to the Win2k server - don't give them an account; keep the passwords secret; and keep the machine in a locked room.  

Tom Mercadante
Oracle Certified Professional

-----Original Message-----
Sent: Tuesday, September 23, 2003 4:15 PM
To: Multiple recipients of list ORACLE-L

Hello,

If you do that in Win2k, then you have more env variables for 'authorized' people to see when they do a SET <cr>.

Now, to be frank, I have an ulterior (a 'maxed-out' interior or exterior) motive in this reply. I have yet to see an intelligent (never mind elegant) way of protecting system variables from someone's view when they do a SET in a DOS session. You can keep them out of Control Panel/System/Advanced/Environmental Variables, but you can't keep them out of DOS, so whaddya do? That's what I want to know. Has anyone confronted this issue and won?

Thank you,

Paul R. Sherman
DBA/Sr. Appl. Analyst
Bacou-Dalloz
office - 401-232-1200 x200
cell - 401-935-2802

"M.Godlewski" <mcgodlewski_at_yahoo.com>
Sent by: ml-errors_at_fatcity.com

09/23/2003 02:15 PM
Please respond to ORACLE-L

To: Multiple recipients of list ORACLE-L <ORACLE-L_at_fatcity.com>
cc:
Subject: Re: Hiding passwords





You could set up environment variables and then reference the environment variable in your script.

HTH
M.

Prasada.Gunda_at_hartfordlife.com wrote:

There is a good discussion in asktom website on this topic.

Here is the link :

http://asktom.oracle.com/pls/ask/f?p=4950:8:::::F4950_P8_DISPLAYID:142212348066

Hth.
Best Regards,
Prasad

"O'Neill, Sean"
non.ie>
Sent by: ml-errors_at_fatcity.com

09/23/2003 10:24 AM
Please respond to ORACLE-L

cc:
Subject: Hiding passwords

So the story goes like this. We're a NT/W2K shop. We have various scripts that run DB related jobs but these are in plain text and we'd like to "hide" these passwords in some way to allow scripts to run but the passwords not be "visible" to potential prying eyes. Has anyone cracked this one yet. I've had a trawl around MetaLink but found nothing of substance.



Seán O' Neill
Organon (Ireland) Ltd.
[subscribed: digest mode]
--
Please see the official ORACLE-L FAQ: http://www.orafaq.net
--
Author: O'Neill, Sean
INET: Sean.ONeill_at_organon.ie 

Fat City Network Services -- 858-538-5051 http://www.fatcity.com
San Diego, California -- Mailing list and web hosting services
---------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from). You may
also send the HELP command for other information (like subscribing).





Author: 
INET: Prasada.Gunda_at_hartfordlife.com

Author: Mercadante, Thomas F
  INET: NDATFM_at_labor.state.ny.us

Received on Wed Sep 24 2003 - 07:54:39 CDT
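
The two concerns raised in the thread, a password sitting in a script and a password showing up when someone types SET, as an added example that is not part of the original messages: a wrapper (Python here, standing in for the Perl wrapper suggested above) hands the secret to one child process only, through that child's private environment or its standard input. The variable name, the placeholder password and the stand-in child commands are assumptions constructed for the illustration.

```python
import os
import subprocess
import sys

SECRET_VAR = "DB_JOB_PASSWORD"  # hypothetical variable name (assumption)

# Constructed stand-ins for the real DB job: each reports only whether it
# received a secret and how long it is, never the value itself.
JOB_READS_ENV = [sys.executable, "-c",
                 "import os; v = os.environ.get('DB_JOB_PASSWORD'); "
                 "print('absent' if v is None else len(v))"]
JOB_READS_STDIN = [sys.executable, "-c",
                   "import sys; print(len(sys.stdin.readline().strip()))"]


def _run(cmd, **kwargs):
    done = subprocess.run(cmd, capture_output=True, text=True, check=True, **kwargs)
    return done.stdout.strip()


def run_with_private_env(cmd, secret):
    """Copy the current environment, add the secret to the copy, and give the
    copy to one child. The wrapper's own environment is never modified."""
    child_env = dict(os.environ)
    child_env[SECRET_VAR] = secret
    return _run(cmd, env=child_env)


def run_with_stdin(cmd, secret):
    """Write the secret to the child's standard input: it appears in no
    environment block, no command line and no temporary file."""
    return _run(cmd, input=secret + "\n")


def run_plain(cmd):
    """Any other process started from the same session, like typing SET."""
    return _run(cmd)


def demo():
    secret = "constructed-example-secret"  # placeholder; the real value would
    # come from the restricted registry key or password server in the thread
    return {
        "child_env": run_with_private_env(JOB_READS_ENV, secret),
        "child_stdin": run_with_stdin(JOB_READS_STDIN, secret),
        "other_process": run_plain(JOB_READS_ENV),
        "wrapper_env_has_secret": SECRET_VAR in os.environ,
    }


if __name__ == "__main__":
    print(demo())
```

An administrator on the same machine can still read a running process's environment, so the standard-input variant exposes the secret in fewer places.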
