Date: Thu, 15 Feb 2007 13:44:29 -0500
From: "David Robillard" <david.robillard@gmail.com>
To: "FreeBSD Questions" <freebsd-questions@freebsd.org>
Cc: Dak Ghatikachalam <dghatikachalam@gmail.com>
Subject: Re: Ksh Shell script security question.
Message-ID: <226ae0c60702151044p547880b7mfd52d48567a704fb@mail.gmail.com>
> I am puzzled how to secure this code when this shell script is
> being executed.
>
> ${ORACLE_HOME}/bin/sqlplus -s <<EOF | tee -a ${RESTOREFILE}
> connect system/ugo8990d
> set heading off
> set feedback off
> set pagesize 500
> select 'SCN_TO_USE | '||max(next_change#) from V\$LOG_HISTORY;
> quit
> EOF
>
> When I run this code from a shell script in the /tmp directory it spews
> a file called /tmp/sh03400.000 in which I have this entire code visible.

Hi Dak,

The reason you can see the code in ${RESTOREFILE} is because of the tee
command. With `tee -a` you're actually asking to have the code installed
in ${RESTOREFILE}.

Now, one way to secure this is to set a restrictive umask at the start of
the script. For example, setting `umask 0077` will cause your script to
generate files which will only be read/write for the user who runs the
script. But the files will still have your username/passwd in them.

To remove the username/passwd from the files, may I suggest you change
your code to include the username/passwd in the sqlplus command. Like
this for example:

export ORACLE_SID="your_oracle_sid"
sqlplus "${USERNAME}/${PASSWORD}" -s <<-EOF | tee -a ${RESTOREFILE}
set heading off
set feedback off
set pagesize 500
select 'SCN_TO_USE | '||max(next_change#) from V\$LOG_HISTORY;
quit
EOF

This will still generate a file, but the username/password won't be
there. Of course, that means you need to hide your credentials in an
encrypted file elsewhere on your machine. You can then set up code that
will check the md5 sum of the password file and use something like
OpenSSL or GPG to encrypt/decrypt the file.

Have fun,

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122
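An added example, not code from this thread, that combines the `umask 0077` advice above with reading the credentials from a protected file: it checks that file's owner and mode before use, and pipes the SQL into sqlplus so the password sits neither in the script, nor in sqlplus's argv (visible to `ps`), nor in the temp file ksh spools a here-document to. Assumptions of mine: the credential file holds one line of the form `user/password`, and `sql_client` is a wrapper of my own around `sqlplus -s /nolog`.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed: the credential file holds
# a single line of the form user/password.

umask 0077   # every file this script creates is rw for the owner only

# check_cred_file FILE: succeed only if FILE is a regular file owned by
# the caller and carrying no group/other permission bits (0600 or less).
check_cred_file() {
    f=$1
    [ -f "$f" ] || { echo "$f: missing" >&2; return 1; }
    owner=$(ls -ld "$f" | awk '{print $3}')
    perms=$(ls -ld "$f" | cut -c5-10)        # group+other rwx columns
    [ "$owner" = "$(id -un)" ] || { echo "$f: not owned by you" >&2; return 1; }
    [ "$perms" = "------" ] || { echo "$f: readable by others" >&2; return 1; }
}

# sql_client: the command the SQL is piped into (my wrapper, not part of
# the thread). /nolog starts sqlplus without a connect string on argv.
sql_client() {
    "${ORACLE_HOME:?ORACLE_HOME must be set}/bin/sqlplus" -s /nolog
}

# run_scn_query CREDFILE RESTOREFILE: run the SCN query from the thread,
# appending sqlplus's output to RESTOREFILE as the original script did.
# The connect line travels through a pipe, not a here-document, so ksh
# never writes it to /tmp.
run_scn_query() {
    credfile=$1 restore=$2
    check_cred_file "$credfile" || return 1
    IFS= read -r conn < "$credfile" || [ -n "$conn" ] || return 1
    printf '%s\n' \
        "connect $conn" \
        "set heading off" \
        "set feedback off" \
        "set pagesize 500" \
        "select 'SCN_TO_USE | '||max(next_change#) from V\$LOG_HISTORY;" \
        "quit" | sql_client | tee -a "$restore"
}
```

Because of the umask, the file `tee` appends to is created mode 0600, so the query output is private as well; the credential file itself still has to be created with mode 0600 beforehand.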