Date:      Thu, 15 Feb 2007 13:44:29 -0500
From:      "David Robillard" <david.robillard@gmail.com>
To:        "FreeBSD Questions" <freebsd-questions@freebsd.org>
Cc:        Dak Ghatikachalam <dghatikachalam@gmail.com>
Subject:   Re: Ksh Shell script security question.
Message-ID:  <226ae0c60702151044p547880b7mfd52d48567a704fb@mail.gmail.com>

> I am puzzled how to secure this code when this shell script is
> being executed.
>
> ${ORACLE_HOME}/bin/sqlplus -s  <<EOF | tee -a  ${RESTOREFILE}
>        connect system/ugo8990d
>        set heading off
>        set feedback off
>        set pagesize 500
>        select 'SCN_TO_USE | '||max(next_change#)   from V\$LOG_HISTORY;
>        quit
> EOF
>
> When I run this code from a shell script in the /tmp directory it spews
> a file called /tmp/sh03400.000 in which this entire code is visible.

Hi Dak,

The reason you can see the code in ${RESTOREFILE} is because of the
tee command. With `tee -a` you're actually asking to have the code
installed in ${RESTOREFILE}.

Now, one way to secure this is to set a restrictive umask at the start
of the script. For example, setting `umask 0077` will cause your
script to generate files which will only be read/write for the user
who runs the script. But the files will still have your username/passwd
in them.

To remove the username/passwd from the files, may I suggest you change
your code to include the username/passwd in the sqlplus command.
Like this for example:

export ORACLE_SID="your_oracle_sid"

# USERNAME and PASSWORD are set elsewhere (e.g. read from the encrypted file).
# sqlplus takes its options (-s) before the logon string. Note that a logon
# passed as an argument is visible to other users in the process list (ps)
# while sqlplus runs.
sqlplus -s "${USERNAME}/${PASSWORD}" <<-EOF | tee -a "${RESTOREFILE}"
	set heading off
	set feedback off
	set pagesize 500
	select 'SCN_TO_USE | '||max(next_change#)   from V\$LOG_HISTORY;
	quit
EOF

This will still generate a file, but the username/password won't be
there. Of course, that means you need to hide your credentials in an
encrypted file elsewhere on your machine.
You can then set up code that will check the md5 sum of the password
file and use something like OpenSSL or GPG to encrypt/decrypt the
file.

Have fun,

David
-- 
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122
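The approach described in the reply above (restrictive umask, a credentials file whose md5 is checked before use and decrypted with GPG, credentials kept out of the SQL text and the output log), as an added example that is not part of the original mail. The variable names CRED_FILE, CRED_MD5 and RESTOREFILE and the one-line "user/password" content of the encrypted file are assumptions; it also goes one step further than the reply by feeding sqlplus through a pipe instead of a here-document.

```sh
#!/bin/sh
# Added example, not David's code: keeps the Oracle credentials out of the
# script, out of the output log and out of the process list, as advised above.
# Hypothetical inputs: CRED_FILE (GPG-encrypted file holding one line
# "user/password"), CRED_MD5 (md5 recorded when CRED_FILE was created) and
# RESTOREFILE (the log the query output is appended to).
umask 0077   # anything this script creates is readable/writable by its owner only

# Print the md5 of a file (md5sum on Linux, md5 -q on BSD/macOS).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Succeed only if the credentials file still has the checksum recorded for it.
verify_checksum() {   # verify_checksum FILE EXPECTED_MD5
    [ "$(md5_of "$1")" = "$2" ]
}

# Decrypt the credentials to stdout; the plaintext never touches the disk.
decrypt_credentials() {   # decrypt_credentials FILE
    gpg --batch --quiet --decrypt "$1"
}

# Emit the SQL*Plus script. The "connect" line carries the credentials, so they
# are neither a sqlplus argument (visible in ps) nor part of the script text.
build_sql() {   # build_sql "user/password"
    printf '%s\n' \
        "connect $1" \
        "set heading off" \
        "set feedback off" \
        "set pagesize 500" \
        "select 'SCN_TO_USE | '||max(next_change#) from V\$LOG_HISTORY;" \
        "quit"
}

# Run the query. A pipe, not a here-document, feeds sqlplus, so the shell never
# spools the SQL (and the password) into a temporary file under /tmp.
query_scn() {   # query_scn "user/password" RESTOREFILE
    build_sql "$1" | sqlplus -s /nolog | tee -a "$2"
}

main() {
    verify_checksum "$CRED_FILE" "$CRED_MD5" || { echo "credentials file changed, aborting" >&2; exit 1; }
    query_scn "$(decrypt_credentials "$CRED_FILE")" "$RESTOREFILE"
}
if [ -n "${RESTOREFILE:-}" ]; then main; fi   # run only when configured
```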