Path: utzoo!utgpu!news-server.csri.toronto.edu!rutgers!att!cbnews!cbnewsm!marz
From: marz@cbnewsm.att.com (martin.zam)
Newsgroups: comp.unix.questions
Subject: Re: blanking out arguments to daemons
Summary: RE: ps -ef shows login/passwd to Oracle ...
Keywords: argc, argv, fork, daemon, ORACLE
Message-ID: <1990Dec28.204021.26254@cbnewsm.att.com>
Date: 28 Dec 90 20:40:21 GMT
References: <1990Dec26.195655.14647@ddsw1.MCS.COM>
Distribution: usa
Organization: AT&T Bell Laboratories
Lines: 38

In article <1990Dec26.195655.14647@ddsw1.MCS.COM>, vijay@ddsw1.MCS.COM (Vijay Gurbani) writes:
> Hi Folks:
> I need to hide the command line arguments to a daemon that I am writing.
> This daemon logs on to an ORACLE database and runs SQL command scripts. The
> command line arguments to it are the database user name and password. You
> can obviously see the security leak open (for ORACLE tables) to anybody
> using the "ps -ef" command.
>
> The only problem is that on a "ps -ef" the command line arguments still
> show. I cannot blank them out. How do I communicate with the external
> environment? Does anybody know how to do this? If so, please drop me a line at
> vijay@ddsw1.mcs.com. If there is enough interest, I will post a summary of the
> results.
>
> FYI : OS - System V R3.2
>

It seems to me that you are attacking the problem from the wrong side.
Shouldn't Oracle provide you a secure method of using their product?

I identified this problem several years ago, and got a fix from Oracle. They
have since come up with some sort of auto login procedure that no longer
requires username/passwd on the command line as an alternative. It picks up
your identity from your login (I think), and logs you into the database
without a password.

Back to the original fix for this problem ...

We got Oracle to provide a patch tape to us for UTS. It was a .o file that I
linked into sqlplus and sqlforms as a user exit, that overwrote the
username/passwd with blanks in the piece of memory that ps looks at.

Oracle denied that this could be done, and still do as a matter of fact, but
the bottom line is that it does exist, and if you scream loudly enough, you
can get it. I am just about to enter into this argument with them again as I
have a new machine to get up and running.

Hope this helps,

Martin Zam
(201)564-2554
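
Added example, not part of the original post and not Oracle's patch: a C sketch of a daemon copying its username/password arguments and then blanking the originals in place. It assumes a system where ps reads the argument strings from the process's own memory (as Linux does through /proc/<pid>/cmdline), and the values stay visible from exec until the overwrite runs. The names take_secret_arg and drop_secret and the argv layout are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Copy a sensitive argument to private heap storage, then overwrite the
 * original argv string with blanks. The length is left unchanged so the
 * neighbouring argv strings are not disturbed. Returns NULL on failure,
 * in which case the original is left untouched.
 */
char *take_secret_arg(char *arg)
{
    size_t len;
    char *copy;

    if (arg == NULL)
        return NULL;
    len = strlen(arg);
    copy = malloc(len + 1);
    if (copy == NULL)
        return NULL;
    memcpy(copy, arg, len + 1);
    memset(arg, ' ', len);      /* blanks, as the post describes */
    return copy;
}

/* Zero and release a private copy once the database login is done. */
void drop_secret(char *copy)
{
    volatile char *p = (volatile char *)copy;

    if (copy == NULL)
        return;
    while (*p)
        *p++ = '\0';            /* volatile keeps the wipe from being elided */
    free(copy);
}

/* Hypothetical daemon entry point: argv[1] = user, argv[2] = password. */
int main(int argc, char **argv)
{
    char *user, *pass;

    if (argc != 3)
        return 2;
    user = take_secret_arg(argv[1]);    /* do this first, before any other */
    pass = take_secret_arg(argv[2]);    /* work, to shorten the exposure   */
    if (user == NULL || pass == NULL)
        return 1;
    /* ... log on to the database with user and pass here ... */
    drop_secret(user);
    drop_secret(pass);
    return 0;
}
```

Reading the credentials from a file or pipe that only the daemon's account can read avoids the exposure window altogether, since nothing sensitive is ever placed in argv.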