Passwords on the command line visible to ps? Not in Linux

Thanks to some feedback from Iggy Fernandez, editor of the NoCOUG Journal, I discovered that I was slightly off on a point in my white paper “Thirteen Ways To Make Your Oracle Database More Secure”. In that paper, I wrote about the danger of passwords on the command line being visible to someone else who lists the running processes.

“For example, if you run a SQL script at the command line like this:
sqlplus system/oracle@orcl @scriptname.sql
The entire command will be visible to anyone who happens to be logged onto the server when the script is run. In Windows, “tasklist -v” will display the username/password and on Unix, the “ps” command will do the same. On the other hand, if you run the SQL script like this:
sqlplus /nolog @scriptname.sql
and have connect system/oracle@orcl in the SQL script itself, then the username and password will not be visible.”

While this is technically true, I failed to distinguish between Linux and Unix. After further testing, it appears that Linux does not actually have this problem at all. I found that Linux doesn’t display the sqlplus username or password in Oracle 9, 10 and 11. I also tested Oracle 10 and 11 on Solaris as well as Oracle 10 on Windows and they DO display the username/password. According to Oracle Support document 557534.1, this behavior “is not related to sqlplus. It is how the shell interprets the command and provides the details about the process”. So perhaps some flavors of Unix have fixed this issue as well. There are other executables (expdp, exp, sqlldr, etc.) that can take passwords at the command line, so they may or may not be vulnerable as well.
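As an added example (not from the original post or from Oracle), here is a small POSIX sh check an administrator can run on a server to find any running process whose arguments still expose an Oracle-style user/password@service connect string, the way ps would show it. It reads /proc/<pid>/cmdline directly, so it covers the other tools mentioned above (exp, expdp, sqlldr with userid=) as well as sqlplus; the regex is a heuristic and the sample command lines in the comments are constructed.

```shell
#!/bin/sh
# Added example: report processes that expose Oracle credentials in argv.
# Heuristic: look for "[userid=]user/password@service" as a standalone word.

# Return 0 (true) when the given argument string contains a connect string.
# Constructed examples: 'sqlplus system/oracle@orcl @s.sql'  -> match
#                       'sqlplus /nolog @s.sql'              -> no match
has_connect_string() {
  printf '%s\n' "$1" |
    grep -Eiq '(^|[[:space:]])(userid=)?[A-Za-z0-9_$#]+/[^[:space:]@]+@[A-Za-z0-9_.-]+'
}

# Walk /proc/<pid>/cmdline (NUL-separated argv) and print offending PIDs.
# This only shows what the kernel currently reports for each process; the
# post above found that on Linux sqlplus itself does not show the password,
# so this is most useful on other platforms and for other command-line tools.
scan_proc() {
  found=1
  for f in /proc/[0-9]*/cmdline; do
    pid=${f#/proc/}
    pid=${pid%/cmdline}
    # Process may have exited between glob and read; skip quietly.
    cmd=$(tr '\0' ' ' < "$f" 2>/dev/null) || continue
    [ -n "$cmd" ] || continue
    if has_connect_string "$cmd"; then
      printf 'PID %s exposes a connect string: %s\n' "$pid" "$cmd"
      found=0
    fi
  done
  return $found   # 0 if at least one exposed credential was found
}

# Run the scan only when invoked with --scan, so the file can also be sourced.
if [ "${1:-}" = "--scan" ]; then
  scan_proc
fi
```

The safe pattern from the post (sqlplus /nolog with connect inside the script, or a wallet) leaves nothing for this scan to find, because the credentials never appear in argv.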


