There is a security risk in starting SQL*Plus with the password on the command line on UNIX and Linux platforms in Oracle 9i.
For example, a user connects to SQL*Plus by passing the username and password to the sqlplus command on UNIX and Linux platforms like this:
$ sqlplus scott/tiger@testdb
In this case the sqlplus command-line parameters are visible to every operating system user on the same UNIX or Linux machine, so the password entered on the command line can be obtained by other users with the ps command:
$ ps -ef | grep sqlplus
oracle 14580 2291 0 14:31:53 pts/5 0:00 scott/tiger@testdb
oracle 14583 14582 0 14:32:01 pts/5 0:00 grep sqlplus
So another person could connect to the database using those credentials.
To log in to the database through SQL*Plus without exposing the password on the command line, you can use:
$ sqlplus scott@testdb
Enter password: ****
Or, to avoid exposing the username and connect string as well:
$ sqlplus
Enter user-name: scott@testdb
Enter password: ****
Or use the /nolog parameter with the sqlplus command:
$ sqlplus /nolog
SQL> connect scott@testdb
Enter password: ****
Also, don't pass the password on the command line when invoking any other Oracle utility such as EXPORT, IMPORT, SQL*Loader and so on.
Note:
This security issue was fixed starting with the Oracle 10g database.
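As an added defender's check, not part of the original post: a shell function that scans ps-style output for Oracle client invocations carrying a user/password@service credential and reports the PID and user, never the password. The binary names (sqlplus, exp, imp, sqlldr) and the sample ps lines are my assumptions and constructed data.

```shell
#!/bin/sh
# Added example: find Oracle client processes whose command line embeds a
# password, i.e. exactly what `ps -ef` exposes to every local user on 9i hosts.
#
# find_cli_passwords reads lines shaped like `ps -eo pid,args` output from
# stdin and prints "PID USER@SERVICE" for each offending process. The password
# is deliberately never printed, so the report can be logged safely.
find_cli_passwords() {
    # Assumed Oracle 9i client binaries that accept user/password@service.
    awk '
        $2 ~ /(^|\/)(sqlplus|exp|imp|sqlldr)$/ {
            for (i = 3; i <= NF; i++) {
                tok = $i
                # exp/imp also accept the credential as userid=user/pass@svc
                sub(/^[Uu][Ss][Ee][Rr][Ii][Dd]=/, "", tok)
                # a credential token looks like user/password[@service]
                if (tok ~ /^[A-Za-z0-9_$#]+\/[^@ ]+(@[^ ]+)?$/) {
                    user = tok; sub(/\/.*$/, "", user)
                    svc = tok
                    if (svc ~ /@/) sub(/^[^@]*@/, "", svc); else svc = "(default)"
                    print $1, user "@" svc
                    next
                }
            }
        }'
}

# Constructed sample of `ps -eo pid,args` output (not a real capture).
SAMPLE_PS='14580 sqlplus scott/tiger@testdb
14583 grep sqlplus
15001 sqlplus scott@testdb
15002 /u01/app/oracle/product/9.2.0/bin/exp userid=hr/hrpw@testdb file=hr.dmp
15003 sqlplus /nolog
15004 sqlldr control=load.ctl
15005 imp system/manager full=y'

# Runs the detector over the constructed sample; only the three invocations
# that embed a password are reported.
scan_sample() {
    printf '%s\n' "$SAMPLE_PS" | find_cli_passwords
}

scan_sample
```

On a live host the same check is `ps -eo pid,args | find_cli_passwords`, which is a cheap cron-driven audit for 9i systems that cannot yet be upgraded.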