Re: Hiding passwords
In NTFS you can set permissions on a file. But that wouldn't stop a member of the administrator group.
What you need to do is to additionally encrypt the file or folder as well. Then no one else can even list the contents of the folder, not even another administrator. In XP it's as easy as right-clicking the file/folder, selecting Properties, Advanced, 'Encrypt contents to secure data'. Now every time you need access just double-click the file/folder. Decryption is allowed only for you and occurs on the fly and transparently. But make sure you back up your certificates just in case the system crashes and you have to reinstall. You can then import your certificates and decrypt this folder.
In Windows 2000 you can encrypt a file... Not sure how well that would work though, since if you install your software as local administrator (not good practice) then anyone else who logs in as administrator would be able to see / run the file too...
Patrice.
-----Original Message-----
Sent: Wednesday, September 24, 2003 9:55 AM
To: Multiple recipients of list ORACLE-L
Jared,
You said:
"One of the problems with Windohs is that you cannot execute a script
or program so that it can return a value to a local environment variable."
This is true. But to accomplish the same functionality, you can dynamically create a temporary .bat file that creates the environment variable and then execute that .bat file.
Unfortunately on Windows, anything that you do can be repeated by someone else who logs onto the system. I guess you could secure a folder that only the Oracle account could see, and have these scripts placed in those folders so that the other users cannot get into them without rebooting the machine and bringing it up in DOS mode. That (I think) would prevent snooping. Not sure though.
Tom Mercadante
Oracle Certified Professional
-----Original Message-----
Sent: Tuesday, September 23, 2003 6:00 PM
To: Multiple recipients of list ORACLE-L
Paul,
Any chance these scripts could be run from Cygwin, Uwin, MKS Toolkit, or anything that will let you use a korn shell?
That would simplify things tremendously.
One of the problems with Windohs is that you cannot execute a script or program so that it can return a value to a local environment variable.
That ability would make this task simple from command.com.
Another possibility is to put your passwords in the registry, restrict that portion of the registry (or the whole thing), and use a Perl script to retrieve the passwords and kick off the other jobs.
What I do in Linux is use a password server (as seen in "Perl for Oracle DBA's") and retrieve the password across the network, encrypted of course.
This works on Windows as well, though you're there restricted to doing this strictly from within the Perl script.
Jared
PSherman_at_Bacou-Dalloz.com
Sent by: ml-errors_at_fatcity.com
09/23/2003 01:49 PM
Please respond to ORACLE-L
To: Multiple recipients of list ORACLE-L <ORACLE-L_at_fatcity.com>
cc:
Subject: RE: Hiding passwords
Tom,
As Dave Barry would say, Har!
Unfortunately, we are talking about 3rd-party people who have the 'right' to log in for support (debugging their ^%(^#@ products, and installing updates). I've got them under local admin accounts (as opposed to domain accounts), so they can only get to their own servers. BUT... that's as far as I can go to secure things except at the folder level (and Oracle loves it (!) when you try and do folder security on the datafiles, controlfiles, etc.). I appreciate the thought, but you did not go far enough... Kill them all, and save on security hardware. Any workable ideas?
Desperately yours,
Paul R. Sherman
DBA/Sr. Appl. Analyst
Bacou-Dalloz
office - 401-232-1200 x200
cell - 401-935-2802
"Mercadante, Thomas F" <NDATFM_at_labor.state.ny.us>
Sent by: ml-errors_at_fatcity.com
09/23/2003 04:24 PM
Please respond to ORACLE-L
To: Multiple recipients of list ORACLE-L <ORACLE-L_at_fatcity.com>
cc:
Subject: RE: Hiding passwords
Paul,
It's simple really. Do not allow them to log-on to the Win2k server - don't give them an account; keep the passwords secret; and keep the machine in a locked room.
Tom Mercadante
Oracle Certified Professional
-----Original Message-----
Sent: Tuesday, September 23, 2003 4:15 PM
To: Multiple recipients of list ORACLE-L
Hello,
If you do that in Win2k, then you have more env variables for 'authorized' people to see when they do a SET <cr>.
Now, to be frank, I have an ulterior (a 'maxed-out' interior or exterior) motive in this reply. I have yet to see an intelligent (never mind elegant) way of protecting system variables from someone's view when they do a SET in a DOS session. You can keep them out of Control Panel/System/Advanced/Environmental Variables, but you can't keep them out of DOS, so whaddya do? That's what I want to know. Has anyone confronted this issue and won?
Thank you,
Paul R. Sherman
DBA/Sr. Appl. Analyst
Bacou-Dalloz
office - 401-232-1200 x200
cell - 401-935-2802
"M.Godlewski" <mcgodlewski_at_yahoo.com>
Sent by: ml-errors_at_fatcity.com
09/23/2003 02:15 PM
Please respond to ORACLE-L
To: Multiple recipients of list ORACLE-L <ORACLE-L_at_fatcity.com>
cc:
Subject: Re: Hiding passwords
You could set up environment variables and then reference the environment variable in your script.
HTH
M.
Prasada.Gunda_at_hartfordlife.com wrote:
There is a good discussion in asktom website on this topic.
Here is the link :
http://asktom.oracle.com/pls/ask/f?p=4950:8:::::F4950_P8_DISPLAYID:142212348066
Hth.
Best Regards,
Prasad
"O'Neill, Sean" non.ie>
Sent by: ml-errors_at_fatcity.com
09/23/2003 10:24 AM
Please respond to ORACLE-L
cc:
Subject: Hiding passwords
So the story goes like this. We're a NT/W2K shop. We have various scripts that run DB related jobs but these are in plain text and we'd like to "hide" these passwords in some way to allow scripts to run but the passwords not be "visible" to potential prying eyes. Has anyone cracked this one yet? I've had a trawl around MetaLink but found nothing of substance.
--
Please see the official ORACLE-L FAQ: http://www.orafaq.net
--
Author: O'Neill, Sean
INET: Sean.ONeill_at_organon.ie
Fat City Network Services -- 858-538-5051 http://www.fatcity.com
San Diego, California -- Mailing list and web hosting services
---------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from). You may
also send the HELP command for other information (like subscribing).
--
Author: INET: Prasada.Gunda_at_hartfordlife.com
--
Author: <bulbultyagi_at_now-india.net.in INET: bulbultyagi_at_now-india.net.in

Received on Wed Sep 24 2003 - 15:54:47 CDT