May 4th

Question and Answer

Connor McDonald

Thanks for the question, Anvesh.

Asked: February 26, 2016 - 1:04 pm UTC

Last updated: August 04, 2020 - 7:20 am UTC

Version: 12.1.2

Viewed 1000+ times

You Asked

Hi Tom,

We have a risk of exposing our APPS schema password for host based concurrent programs in Oracle Apps.
The ps -ef command exposes the password unless encrypted.
We have gone back and added the ENCRYPT option for the Options Field for the Concurrent Program definitions.
We have also used $FCP_LOGIN instead of $1 while invoking SQL*Plus or SQL*Loader.
As part of these changes, we had a test case where we were trying to observe this subprocess, either SQL*Plus or SQL Loader itself, in the ps -ef command.
We have observed that SQL*Plus does not display the password in the ps -ef command.
However, SQL Loader does display the password.
Hence, can you please let us know the way to fix this or any workarounds for this?

Thanks in Advance

and Connor said...

Either

a) use a wallet, see https://connormcdonald.wordpress.com/2015/09/21/connection-shortcuts-with-a-wallet/

b) echo the password, e.g.

echo my_password | sqlldr userid=abc@db ....

and it will not show in ps


Comments

Anvesh Soma, February 29, 2016 - 4:26 am UTC


Referring an old post on the same topic

Bibin, August 01, 2020 - 9:56 pm UTC

Hi Connor,
As per the post below, the second solution of echo and pipe would still expose the password to the ps command. Or am I missing anything?

https://asktom.oracle.com/pls/asktom/f?p=100:11:0::::P11_QUESTION_ID:4022798563420


Connor McDonald
August 04, 2020 - 7:20 am UTC

A lot depends on version and platform... for example

[oracle@db20 ~]$ sqlplus scott/tiger@db20pdb1

SQL*Plus: Release 20.0.0.0.0 - Production on Tue Aug 4 15:16:43 2020
Version 20.3.0.0.0

Copyright (c) 1982, 2020, Oracle.  All rights reserved.


Connected to:
Oracle Database 20c EE High Perf Release 20.0.0.0.0 - Production
Version 20.3.0.0.0

SQL> 

[oracle@db20 ~]$ ps -ef | grep sqlplus
oracle    3628  3128  1 15:16 pts/1    00:00:00 sqlplus                     
oracle    3640  3059  0 15:16 pts/0    00:00:00 grep --color=auto sqlplus
[oracle@db20 ~]$ ps auxw | grep sqlplus
oracle    3628  0.4  0.4 116572 24116 pts/1    Sl+  15:16   0:00 sqlplus                     
oracle    3680  0.0  0.0 112660  2204 pts/0    S+   15:17   0:00 grep --color=auto sqlplus



but of course, all of that is really just covering off the basics, i.e., stopping someone from idly seeing it in ps. It's going to be saved in your history, and some process attaching will probably see it as well. It's a convenience, not a cast-iron lock. If you want to do it properly, you use a wallet.
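
Added example, not part of the original thread: a check an administrator can run to find sqlplus or sqlldr processes whose argument list still carries a user/password connect string, the exposure discussed above. The function names, the sample process lines and the db_alias wallet alias are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Function names are hypothetical.

# Reads "PID COMMAND ARGS..." lines on stdin (the shape of `ps -eo pid=,args=`)
# and prints "PID TOOL USER" for every sqlplus/sqlldr process whose argument
# list carries a user/password connect string. The password is never printed.
find_exposed_creds() {
    awk '
    {
        # Only look at processes whose executable is sqlplus or sqlldr, so a
        # "grep sqlplus" line in the listing is not reported.
        n = split($2, path, "/")
        tool = path[n]
        if (tool != "sqlplus" && tool != "sqlldr") next

        for (i = 3; i <= NF; i++) {
            tok = $i
            # sqlldr accepts the connect string as userid=...; strip the keyword.
            if (tolower(substr(tok, 1, 7)) == "userid=") tok = substr(tok, 8)
            # user/password or user/password@db. "/@alias" (wallet), "/" (OS
            # authentication) and "user@db" (password read from stdin) do not match.
            if (tok ~ "^[A-Za-z][A-Za-z0-9_$#]*/[^@]+(@.*)?$") {
                split(tok, cred, "/")
                print $1, tool, cred[1]
                break
            }
        }
    }'
}

# Constructed sample listing; PIDs, paths and the db_alias name are made up.
sample_ps_lines() {
    cat <<'EOF'
 4101 sqlldr userid=scott/tiger@db control=/home/oracle/emp.ctl
 4102 sqlldr userid=abc@db control=/home/oracle/emp.ctl
 4103 sqlldr /@db_alias control=/home/oracle/emp.ctl
 4104 sqlplus
 4105 /u01/app/oracle/bin/sqlplus -s scott/tiger@db20pdb1
 4106 grep --color=auto sqlplus
 4107 sqlplus / as sysdba
EOF
}

# Live check on a Linux host:  ps -eo pid=,args= | find_exposed_creds
```

An empty result only means nothing was visible in the process table at that instant; it says nothing about shell history or other places the password may have been recorded.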