Re: Hiding tkprof password from ps -ef

John,

Search on Metalink for 'hide'. It's a simple c routine that buffers out ps output such that you can't see username/passwords when scraping the process list. Method of install is to take any password oriented binary
(exp, sqlldr, tkprof, sqlplus, imp ...) and rename it exp.hide,
tkprof.hide ... You then create a soft link between hide and the now nonexistent binary. When you execute tkprof, hide kicks in and masks any parameters such that ps output shows only tkprof (and not tkprof system/manager ...). The Metalink document describes this in detail (so I remember).

I use it as a standard part of all Oracle version installs. It's not the be all end all, however. I've heard (but not seen) that some bsd ps versions (which I do not know) have parameters to circumvent such buffering. That said, having hide in place is a good step in the right direction. You might be careful, but someone else might get lazy and throw passwords at sqlplus ready for compromise. Hide will give you protection in this case.

I believe some previous recommendations involved storing passwords in scripts. Although functional this method simply presents another security risk. Unless you have strict directory or file perms on such scripts, they too could be compromised. :-(

HTH, Casey

-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.com
-- 
Author: Casey Dyke
  INET: cdyke_at_froggy.com.au

Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
San Diego, California        -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L


(or the name of mailing list you want to be removed from).  You may

also send the HELP command for other information (like subscribing).