Oracle DBA – A lifelong learning experience

SQLplus command line password no longer shown on screen

Posted by John Hallas on July 6, 2016

I was showing some basic sqlplus connection tips to a new DBA starter today and my normal warning about putting the password on the line when calling sqlplus didn’t produce what I expected.

For ever and a day, if you have entered a line like this within a server session, such as when using PuTTY or similar:

sqlplus john/N0tverysafe 

and then ‘host’ to the Unix shell and run ps -ef|grep sqlplus, you will see the password, and so will anybody else who looks.

Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production

With the Partitioning, Automatic Storage Management and OLAP options

 


SQL> host

$ps -ef|grep sqlplus
oracle   21519 21165  0  Jun 27  ?        00:00:00 sqlplus -s /nolog
oracle   19165 18798  0  Jun 25  ?        00:00:00 sqlplus -s /nolog
oracle  8516  8514  0 18:33:42 pts/0    00:00:00 grep sqlplus
oracle   24027 23642  0  Jul  2  ?        00:00:00 sqlplus -s /nolog
oracle  8511  7910  0 18:33:28 pts/0    00:00:00 sqlplus john/N0tVERYsafe

I performed more experimentation and realised it was still insecure at 11.2.0.3; however, at 11.2.0.4 it had become secure.

create user john identified by "N0tVERYsafe"  profile m_std_profile;
grant create session to john;
[sysopr65@teora01x][TST11204]/home/sysopr65 $sqlplus john/N0tVERYsafe

SQL*Plus: Release 11.2.0.4.0 Production on Wed Jul 6 19:03:53 2016

Copyright (c) 1982, 2013, Oracle.  All rights reserved.


Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, Automatic Storage Management and OLAP options

SQL> host
[TST11204]/home/sysopr65 $ps -ef|grep john
sysopr65 28309 28306  0 19:04 pts/0    00:00:00 grep john
[TST11204]/home/sysopr65 $ps -ef|grep sqlplus
sysopr65 28256 22815  0 19:03 pts/0    00:00:00 sqlplus
[TST11204]/home/sysopr65 $exit

I will still try to instill good practice by ensuring people do not put username/password as a command string, but the loophole does appear to be fixed now.

I must check whether SQL Loader has had the security modification as well, as the issue used to be seen when calling a controlfile embedded with a username and password. Although I must admit I tend to run controlfiles interactively from the Unix account without a userid in and just use / as sysdba when asked for a password. That probably isn’t best practice, but do as I say, not as I do.

I have just finished typing this up and I do feel that I have written something like this up before. It might be worth me checking my own blog history.
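
A way to audit a server for the exposure shown in the ps listings above, as an added example that is not part of the original post: the function reads a process listing and reports any sqlplus invocation that still carries user/password as an argument, with the password masked. The sample listing, its PIDs and the /u01/app/oracle/bin path are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a process listing for sqlplus started with
# user/password on the command line. Passwords are masked in the report.

# Reads "PID USER COMMAND ARGS..." lines on stdin and prints
# "PID USER masked-argument" for each exposed sqlplus invocation.
find_exposed_sqlplus() {
    awk '
    {
        cmd = $3
        sub(/.*\//, "", cmd)            # basename, so a full path to the binary matches
        if (cmd != "sqlplus") next      # skips "grep sqlplus" and everything else
        for (i = 4; i <= NF; i++) {
            a = $i
            # user/secret or user/secret@alias; "/nolog", "/" and "-s" do not match
            if (a ~ "^[^/@-][^/@]*/[^@]+") {
                slash = index(a, "/")
                at = index(a, "@")
                print $1, $2, substr(a, 1, slash) "****" (at ? substr(a, at) : "")
            }
        }
    }'
}

# Constructed sample in "ps -eo pid,user,args" layout, modelled on the listings above.
sample_ps() {
    cat <<'EOF'
21519 oracle sqlplus -s /nolog
8516 oracle grep sqlplus
8511 oracle sqlplus john/N0tVERYsafe
28256 sysopr65 sqlplus
9001 oracle /u01/app/oracle/bin/sqlplus -s john/N0tVERYsafe@TST11204
EOF
}

# Demo on the constructed sample.
# Live audit on a server: ps -eo pid,user,args | find_exposed_sqlplus
sample_ps | find_exposed_sqlplus
```

On a client at 11.2.0.4, where ps shows only `sqlplus`, the function reports nothing for that session, which matches the behaviour seen in the second listing.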

 
