Oracle Passwords in Unix scripts

Hi
Most of the shell scripts I am dealing with have to connect to an Oracle database. The username and password are stored in an environment file which sets the variables for username and password. Set user id does not work on AIX, so users who will execute these scripts need to have read or execute permissions on these files. This makes these passwords available to a large group of people. What should be the solution to hide these passwords or these files from other users?
Regards
Cliffors

FWIW, storing the password in an environment variable makes the information available to all users with access to a bsd ps on the box.

Are you able to use sudo? You could store the passwords in a central set of files, readable only by specific groups.

Create specific system users and allocate them to the appropriate groups.

You can then allow certain users to run your various scripts as the specific system users. Your script then goes and looks up the file in question for the DB and uses the password contained within.

This also gives you the ability to create a script for retrieving passwords inline for users with the appropriate rights (say admins only?) to use in _any_ script they want.

e.g.:

some_oracle_supplied_command -user `sudo -u orapass /usr/local/bin/get_the_username MY_DB` -pass `sudo -u orapass /usr/local/bin/get_the_password MY_DB`

Thanks for the reply. It seems that we do not have sudo. lslpp -L sudo does not show me anything. The password files are read only by group and it has only one member who can execute the scripts. For the ps issue we are changing the scripts so that passwords are piped to sqlplus while logging in.

Is sudo a special install? We have AIX 5.2.
Regards
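
The lookup helper from the sudo suggestion and the "pipe the password to sqlplus" change mentioned above, combined in one sketch. This is an added example, not code from any post in the thread; the "DB:user:password" file format and all function names are assumptions.

```shell
# Added example. Assumed (not from the thread): one "DB:user:password" line per
# database, in a file owned by the system user the script runs as.

# Succeed only if the file grants no permissions at all to "other".
secret_file_ok() {
    [ -f "$1" ] || return 1
    mode=$(ls -ld -- "$1" | awk '{print $1}')
    case "$mode" in
        ???????---*) return 0 ;;
        *) echo "refusing $1: mode $mode is open to other users" >&2; return 1 ;;
    esac
}

# usage: get_db_field FILE DB user|pass
# Values leave via here-documents, never as command arguments (not visible in ps).
get_db_field() {
    secret_file_ok "$1" || return 1
    while IFS=: read -r db user pass; do   # "pass" keeps any further colons
        [ "$db" = "$2" ] || continue
        case "$3" in
            user) val=$user ;;
            pass) val=$pass ;;
            *) return 2 ;;
        esac
        cat <<EOF
$val
EOF
        return 0
    done < "$1"
    return 1                               # no entry for this database
}

# usage: sqlplus_input FILE DB SQLFILE  -> text to feed sqlplus on stdin
sqlplus_input() {
    u=$(get_db_field "$1" "$2" user) || return 1
    p=$(get_db_field "$1" "$2" pass) || return 1
    cat <<EOF
connect $u/$p@$2
EOF
    cat -- "$3"
    echo "exit"
}

# usage: run_sql FILE DB SQLFILE  (needs sqlplus on PATH)
run_sql() {
    input=$(sqlplus_input "$@") || return 1
    sqlplus -s /nolog <<EOF
$input
EOF
}
```

The credentials stay in unexported shell variables and reach sqlplus only on standard input, so they appear neither in the process arguments nor in the environment.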

sudo is a third party tool, pretty widely used though so you shouldn't have too much trouble finding help on it if you need it.

Thanks. I will look for it.

Storing a password is a security problem. You may want to investigate Oracle OS authentication.