I am puzzled how to secure this code when this shell script is
being executed.

${ORACLE_HOME}/bin/sqlplus -s  <<EOF | tee -a  ${RESTOREFILE}
       connect system/ugo8990d
       set heading off
       set feedback off
       set pagesize 500
       select 'SCN_TO_USE | '||max(next_change#)   from V\$LOG_HISTORY;
EOF

When I run this code from a shell script in the /tmp directory it spews
a file called /tmp/sh03400.000 in which I have this entire code visible.

Hi Dak,

The reason you can see the code in ${RESTOREFILE} is because of the
tee command. With `tee -a` you're actually asking to have the code
installed in ${RESTOREFILE}.

Now, one way to secure this is to set a restrictive umask at the start
of the script. For example, setting `umask 0077` will cause your
script to generate files which will only be read/write for the user
who runs the script. But the files will still have your username/passwd
in them.

To remove the username/passwd from the files, may I suggest you change
your code to include the username/passwd into the sqlplus command.
Like this for example:

export ORACLE_SID="your_oracle_sid"

sqlplus "${USERNAME}/${PASSWORD}" -s <<-EOF | tee -a ${RESTOREFILE}
       set heading off
       set feedback off
       set pagesize 500
       select 'SCN_TO_USE | '||max(next_change#)   from V\$LOG_HISTORY;
EOF

This will still generate a file, but the username/password won't be
there. Of course, that means you need to hide your credentials in an
encrypted file elsewhere on your machine.
You can then set up code that will check the md5 sum of the password
file and use something like OpenSSL or GPG to encrypt/decrypt the

Have fun,

David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122
freebsd-questions@freebsd.org mailing list
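
A hardened variant of the script discussed in this thread, as an added example that is not part of the original messages: it applies `umask 077`, refuses a credential file that is group- or world-accessible, and pipes the `connect` line to `sqlplus -s /nolog` so the password is in neither the output file nor a here-document. The function names, the `SQLPLUS` override and the two-line credential file layout (username, then password) are assumptions.

```shell
#!/bin/sh
# Added example: function names, SQLPLUS override and the two-line
# credential file layout (username, then password) are assumptions.
umask 077   # every file this script creates is readable by its owner only

# Succeeds only if $1 is a regular file we own with no group/other bits set.
cred_file_ok() {
    [ -f "$1" ] && [ ! -L "$1" ] && [ -O "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)   # group+other part of e.g. -rw-------
    [ "$perms" = "------" ]
}

# Reads username (line 1) and password (line 2) as data; the file is never sourced.
load_creds() {
    cred_file_ok "$1" || { echo "refusing $1: bad owner or mode" >&2; return 1; }
    { IFS= read -r DB_USER && IFS= read -r DB_PASS; } < "$1"
}

# Builds the SQL*Plus input with the printf builtin, so the password is
# never placed on a command line.
scn_script() {
    printf 'connect %s/%s\n' "$DB_USER" "$DB_PASS"
    printf 'set heading off\nset feedback off\nset pagesize 500\n'
    printf '%s\n' "select 'SCN_TO_USE | '||max(next_change#) from V\$LOG_HISTORY;"
}

# $1 = credential file, $2 = restore file. Only query output reaches $2.
run_scn_query() {
    load_creds "$1" || return 1
    scn_script | "${SQLPLUS:-${ORACLE_HOME}/bin/sqlplus}" -s /nolog | tee -a "$2"
}
```

Call it as `run_scn_query /path/to/credfile "${RESTOREFILE}"` after creating the credential file with mode 0600.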