Hide SQLPlus Password String

Google is somewhat sketchy on what you have to do if you wish to hide the password string passed to SQLPlus on the command line from ps aux to enhance the security of automated processes on servers that may be accessible in part to others.

The answer actually turns out to be quite simple but it is best explained with a snippet of code, the below to be placed in a BASH script.

sqlplus -L /nolog <<EOF >> test.log
CONN user/password@tnsname

To explain the components then.

  • -L tells SQLPlus to only attempt a login once. This means that if access is denied, the account you’re trying to access won’t get locked after 3 attempts.
  • /nolog on the command line forces a prompt without a connection to a server. This allows you to specify a connection string as part of your script instead of on the command line which would then be visible to ps aux.
  • <<EOF indicates that the input to SQLPlus will be a stream of lines, to be read until an EOF is sent on a line.
  • >> test.log logs the output of the activities of SQLPlus to a named file, in this case test.log
  • CONN user/password@tnsname passes your credentials to SQLPlus and causes it to establish a connection with the server sitting behind the TNS name. Being passed this way the credentials will appear neither on ps aux or in test.log
  • @test.sql tells SQLPlus that it should read in and execute the file test.sql
  • EOF terminates the feed in of lines and causes everything fed in thus far to be executed

I hope this ends up saving some head scratching


Possibly related articles

Comments are closed.