I was showing some basic sqlplus connection tips to a new DBA starter today and my normal warning about putting the password on the line when calling sqlplus didn’t produce what I expected.
For ever and a day if you have entered a line within a server session such as when using putty or similar to this :-
and then ‘host’ to the unix shell and run a ps -ef|grep sqlplus you will see the password and so will anybody else who looks
Oracle Database 11g Enterprise Edition Release 184.108.40.206.0 - 64bit Production With the Partitioning, Automatic Storage Management and OLAP options SQL> host $ps -ef|grep sqlplus oracle 21519 21165 0 Jun 27 ? 00:00:00 sqlplus -s /nolog oracle 19165 18798 0 Jun 25 ? 00:00:00 sqlplus -s /nolog oracle 8516 8514 0 18:33:42 pts/0 00:00:00 grep sqlplus oracle 24027 23642 0 Jul 2 ? 00:00:00 sqlplus -s /nolog oracle 8511 7910 0 18:33:28 pts/0 00:00:00 sqlplus john/N0tVERYsafe
create user john identified by "N0tVERYsafe" profile m_std_profile; grant create session to john;
[sysopr65@teora01x][TST11204]/home/sysopr65 $sqlplus john/N0tVERYsafe SQL*Plus: Release 220.127.116.11.0 Production on Wed Jul 6 19:03:53 2016 Copyright (c) 1982, 2013, Oracle. All rights reserved. Connected to: Oracle Database 11g Enterprise Edition Release 18.104.22.168.0 - 64bit Production With the Partitioning, Automatic Storage Management and OLAP options SQL> host [TST11204]/home/sysopr65 $ps -ef|grep john sysopr65 28309 28306 0 19:04 pts/0 00:00:00 grep john [TST11204]/home/sysopr65 $ps -ef|grep sqlplus sysopr65 28256 22815 0 19:03 pts/0 00:00:00 sqlplus [TST11204]/home/sysopr65 $exit
I will still try to instill good practise by ensuring people do not put username/password as a command string but the loophole does appear to be fixed now.
I must check whether SQL Loader has had the security modification as well, as the issue used to be seen when calling a controlfile embedded with a username and password. Although I must admit I tend to run controlfiles interactively from the unix account without a userid in and just use / as sysdba when asked for a password. That probably isn’t best practise but do as I say not as I do.
I have just finished typing this up and I do feel that I have written something like this up before. It might be worth me checking my own blog history.