This example was tested on an Oracle 10 database running on Solaris.
Imagine you have a UNIX user called smithj. He logs in to the database as the system user as follows:
TEST10 > whoami
smithj
TEST10 > sqlplus system/secret
SQL*Plus: Release 10.2.0.3.0 - Production on Tue Apr 26 15:13:23 2011
Copyright (c) 1982, 2006, Oracle. All Rights Reserved.
Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - 64bit Production
With the Partitioning, OLAP and Data Mining options
SQL>
However, while he is doing this, another user, e.g. bloggsf, can use the ps command to see the password for the system database user as follows:
TEST10 > whoami
bloggsf
TEST10 > ps -ef|grep sqlplus|grep -v grep
smithj 4324 29829 0 15:13:23 pts/12 0:00 sqlplus system/secret
TEST10 >
To stop this happening, smithj should log in to the database with just the username and wait for Oracle to prompt him for the password:
TEST10 > sqlplus system
SQL*Plus: Release 10.2.0.3.0 - Production on Tue Apr 26 16:12:37 2011
Copyright (c) 1982, 2006, Oracle. All Rights Reserved.
Enter password:
Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - 64bit Production
With the Partitioning, OLAP and Data Mining options
SQL>
Then bloggsf can see that smithj has logged in as the system user but cannot see the password:
TEST10 > ps -ef|grep sqlplus|grep -v grep
smithj 21306 20953 0 16:12:37 pts/12 0:00 sqlplus system
TEST10 >
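The ps check shown above can be turned into an audit that lists every sqlplus process with a password on its command line. This is an added example, not part of the original post; the function names and the last three sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report sqlplus processes whose command line holds a password.

# Reads `ps -ef` style lines on stdin and prints "<os_user> <pid> <db_user>"
# for every sqlplus logon of the form user/password[@connect_identifier].
# The password itself is never printed.
find_exposed_sqlplus() {
    awk '
    {
        # Find the sqlplus command word (bare or with a full path).
        cmd = 0
        for (i = 1; i <= NF; i++) {
            n = split($i, path, "/")
            if (path[n] == "sqlplus") { cmd = i; break }
        }
        if (!cmd) next
        # The first argument that is not an option is the logon string.
        for (j = cmd + 1; j <= NF; j++) {
            if ($j ~ /^-/) continue
            logon = $j
            sub(/@.*/, "", logon)          # drop @connect_identifier
            slash = index(logon, "/")
            # user/password needs text on both sides of the slash;
            # "/nolog" and "/ as sysdba" start with the slash and are skipped.
            if (slash > 1 && slash < length(logon))
                print $1, $2, substr(logon, 1, slash - 1)
            break
        }
    }'
}

# Sample input: the first two lines are from the post, the rest are constructed.
sample_ps_output() {
    cat <<'EOF'
smithj 4324 29829 0 15:13:23 pts/12 0:00 sqlplus system/secret
smithj 21306 20953 0 16:12:37 pts/12 0:00 sqlplus system
oracle 501 1 0 Apr 26 ? 0:03 /u01/app/oracle/bin/sqlplus -s scott/tiger@TEST10
oracle 777 1 0 16:20:01 pts/3 0:00 sqlplus /nolog
oracle 778 1 0 16:21:01 pts/3 0:00 sqlplus / as sysdba
EOF
}

sample_ps_output | find_exposed_sqlplus
```

On a live system the same function can be fed directly with `ps -ef | find_exposed_sqlplus`.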