This is the mail archive of the cygwin mailing list for the Cygwin project.


Re: Security Warning: Re: Behaviours of Terminal Versus Script when using "<<"


On 16.09.2010 09:59, delbydev wrote:
Hello Thomas

Noted and already accounted for
... almost; the security hole has changed to a very tiny one with your new script;
however, somebody spying on you and monitoring your login multiple times could still be lucky to catch the parameters of "echo".
By any strategy of security, this needs to be strictly avoided.
You could instead just edit that file manually once.
Or, if you need to generate it, use the inline input approach (using "<<", where we are meeting your original problem, but the context is more straightforward).
------
Thomas


- was just avoiding confusing the actual issue

The way I approach this is as follows
Create a directory e.g. .myconns in my home directory with 700 chmod permission
In my .profile (or equivalent)


export SQLORACLE="${ORACLE_HOME}\\bin\\sqlplus.exe -s /NOLOG "
export CONNHOME=${HOME}/.myconns
REPCONNFILE=${CONNHOME}/.connrep.sql;
echo conn myuser/mypass@mydbhost> ${REPCONNFILE}
chmod 600 ${REPCONNFILE}
export mydbconn="${SQLORACLE} @${REPCONNFILE}";

so in the .myconns directory is the connection string - the /NOLOG switch
prevents sqlplus from actually trying to connect from the shell command
level. the relevant connection is picked up in the REPCONNFILE

so a ps will only ever show the value (path) of the REPCONNFILE
so I can reuse new existing database darter

...


Thomas Wolff-3 wrote:
On 15.09.2010 19:18, delbydev wrote:
Hello
Have hunted all over for this one but it seems no one else has reported the
issue - maybe because they don't use the feature or there is something awry
with my installation

I write scripts that dart in and out of databases

I bind my Oracle connection string into a number of variables in my .profile

ORACLE_HOME='c:\\Oracle\\product\\11.2.0\\dbhome_2'
export ORACLE_HOME
mydbconn="${ORACLE_HOME}\\bin\\sqlplus -s mydbuser/mydbpass@mydbhost"
export mydbconn

so when I want to dart into the database - I perform the following from the
terminal command line
${mydbconn}
...
Not answering your question (others did), but be aware:
It is a very, very bad idea in general to place a password on the
command line because every user on your machine can see your password.
Do this on your home machine for testing only.
------
Thomas

--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
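
The inline-input ("<<") approach recommended in the reply, combined with the owner-only directory and the /NOLOG switch from the quoted setup, as an added example that is not part of either poster's message. The function names and the DBPASS variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. write_conn_file, run_nolog,
# file_mode and DBPASS are hypothetical names. DBPASS is an unexported shell
# variable the caller fills, e.g.: stty -echo; read -r DBPASS; stty echo

# Create the connect file with a here-document. The here-document body reaches
# cat on stdin, so the password is in no process's argument list, and
# umask 077 makes the directory and file owner-only at creation time
# (no window between creating the file and a later chmod).
write_conn_file() {
    file=$1 user=$2 host=$3
    (
        umask 077
        mkdir -p "$(dirname "$file")" || exit 1
        rm -f "$file"        # a pre-existing file would keep its old mode
        cat > "$file" <<EOF
conn ${user}/${DBPASS}@${host}
EOF
    )
}

# Start the client given as "$@" (for sqlplus: sqlplus -s /NOLOG) and feed it
# the connect line followed by the caller's SQL, all on the client's stdin.
# A process listing shows only the client's own arguments.
run_nolog() {
    connfile=$1; shift
    { cat "$connfile"; cat; } | "$@"
}

# Permission string of a file as printed by ls, e.g. -rw-------
file_mode() { ls -ld "$1" | cut -c1-10; }
```

With the real client the call would be `run_nolog "$HOME/.myconns/.connrep.sql" sqlplus -s /NOLOG < report.sql`, where report.sql is a placeholder name.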