I'm calling a program with a command line argument containing a password. While the process is running anyone on the system can ps -ef and see the password. Is there a way to prevent this from happening?
example
PROGRAM USERNAME/PASSWD
I've also tried
PROGRAM `cat passfile`
with passfile containing USERNAME/PASSWD
but it still appears
Any way around this?
The program I'm calling is CONCSUB if anyone is familiar with Oracle Apps. And unfortunately it doesn't seem to have an interactive mode but only accepts command line arguments.
Well it's a work/work rather than homework question so I hope that's acceptable.
Here's the background (not at work today so I don't know some stuff off the top of my head).
HPUX (10.3 I think)
The commands are in either a ksh or sh script.
The program is CONCSUB; it basically submits a program name to Oracle's concurrent manager which then executes it.
So the line in the ksh script looks like this:
CONCSUB $USERPASS $ORCLPROG
where $USERPASS is username/password for the database (also tried it being `cat .userpass` with the same results; the .userpass file contained username/password)
and $ORCLPROG is the name of the program to be executed.
The purpose is to avoid having anyone else on the machine being able to see this username and password by simply executing the ps -ef command.
Will this application prompt you for a password if you don't supply one on the command line (like sqlplus)?
In that case, you might be able to use a shell script:
#!/bin/sh
/path/to/CONCSUB <<EoF
USERNAME/PASSWORD@DB
command
another command
EoF
This may or may not work though. Either way, make sure you lock down permissions on the file so no one but you can read it. The commands' passwords will be left in plain text in the script and also in the compiled C program.
HP-UX stores the command line in a buffer and makes it available to all users via the pstat() system call. So disabling ps is not enough.
That buffer, like all buffers, is finite. So
ln -s /path/to/CONCSUB longname
./longname USERNAME/PASSWORD
should work. Of course, "longname" isn't long enough. You will need a 64 character name.
As to storing the password in a file, here is an alternative:
Thanks for all the suggestions.
I think the longname solution will be easy and probably work well.
But since I've been investigating, I found another suggestion on an Oracle support board. I can't get it to work though, and don't really understand it. Just kinda curious at this point, so perhaps someone can explain what they are trying to do.
It's not presented very well, but does this give anyone any ideas?
I have no clue what the exec < passwd.dat is trying to accomplish, but it looks interesting anyway.
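As an added example that is not part of this thread (not code from any of the posters or from Oracle), here is a small sh script that ties together the two ideas raised above: the heredoc answer's point about feeding the credential on standard input instead of the command line, and the `exec < passwd.dat` line from the last post, which in sh simply redirects the rest of the script's standard input from that file. It assumes nothing about CONCSUB; whether CONCSUB reads a credential from stdin is not established in the thread, so a stand-in command (`head -n 1`) consumes the input in the demo. The credential file name, the `USERNAME/PASSWORD` value and the function names are constructed placeholders. The `/proc` check is Linux-only and is there to show what an argv-passed secret exposes; on HP-UX the equivalent data comes from `pstat()`, as the other answer notes.

```shell
#!/bin/sh
# Added example, not from the thread. Two parts:
#   1. check_private_file: refuse a credential file unless only its owner can read it
#   2. run_with_stdin_secret: hand the credential to a command on stdin, so the
#      secret is never part of argv (which is what ps -ef / pstat() expose)
# CONCSUB is NOT assumed to read stdin; the command used below is a stand-in.

# Return 0 only if the file exists and group/other have no permission bits at all.
check_private_file() {
    f=$1
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    # ls -ld prints e.g. "-rw------- 1 user group ..."; columns 5-10 are the
    # group and other bits, so a private file shows "------" there.
    mode=$(ls -ld "$f" | cut -c5-10)
    case $mode in
        ------) return 0 ;;
        *) echo "refusing $f: readable by group/other ($mode)" >&2; return 1 ;;
    esac
}

# Run "$@" with the credential file on its standard input.
# Only the command name and its non-secret arguments appear in the process table.
# This is the same redirection the last post's "exec < passwd.dat" sets up for a
# whole script, applied to a single command instead.
run_with_stdin_secret() {
    credfile=$1; shift
    check_private_file "$credfile" || return 1
    "$@" < "$credfile"
}

# Linux-only diagnostic: does the secret appear in a process's argv?
# Returns 0 if visible, 1 if not, 2 if /proc is not available (e.g. HP-UX).
secret_in_argv() {
    pid=$1; needle=$2
    [ -r "/proc/$pid/cmdline" ] || return 2
    tr '\000' ' ' < "/proc/$pid/cmdline" | grep -q -F -- "$needle"
}

# Demonstration with a constructed credential (placeholder, not a real one).
# Returns 0 when the argv-passed copy is visible via /proc, showing the leak.
demo() {
    tmp=$(mktemp) || return 1
    chmod 600 "$tmp"
    printf '%s\n' 'USERNAME/PASSWORD' > "$tmp"
    # Safe path: stand-in command reads the credential from stdin.
    run_with_stdin_secret "$tmp" head -n 1 >/dev/null || { rm -f "$tmp"; return 1; }
    # Leaky path for contrast: secret passed as an argument to a sleeping child.
    sh -c 'sleep 2' leaky-demo 'USERNAME/PASSWORD' &
    child=$!
    secret_in_argv "$child" 'USERNAME/PASSWORD'; rc=$?
    kill "$child" 2>/dev/null
    rm -f "$tmp"
    return $rc
}
```

`check_private_file` uses the printed mode string rather than a GNU-only `find -perm /077`, so it works in plain sh on HP-UX as well as Linux. It also means the script refuses to run at all with a world-readable credential file, which is the part of the heredoc answer's advice that is easiest to forget once the script is copied somewhere else.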