Expect – Alternative to Supplying Password to Command Line

Introduction

In some Oracle database utilities, like orapwd, ldap*, rman and sqlplus, the password can be specified as a command line argument. Because of its seductive simplicity it is very easy to use the utilities in such a way when developing automation scripts. However, this usage creates a major security risk, because even an unprivileged OS user can read the password just by listing the running processes.

In this blog post I’ll suggest a better alternative for authenticating within an automation framework.

Demo

In this example I'm using the orapwd utility to demonstrate the security risk of passing passwords on the command line. orapwd creates a password file which stores the passwords for the remote authentication of the privileged accounts.

orapwd

Usage: orapwd file=<fname> entries=<users> force=<y/n> asm=<y/n>
dbuniquename=<dbname> format=<legacy/12> sysbackup=<y/n> sysdg=<y/n>
syskm=<y/n> delete=<y/n> input_file=<input-fname>

Usage: orapwd describe file=<fname>

where

file - name of password file (required),

password - password for SYS will be prompted
if not specified at command line.
Ignored, if input_file is specified,

The usage output above confirms that the password can indeed be supplied on the command line. I'll demonstrate the security issue in slow motion. First, I call orapwd with the SYS password on the command line. At the same time, I set the sysbackup parameter to y so that orapwd prompts for the SYSBACKUP password, which makes the process stop and wait for input:

orapwd password=dummy file=orapwd${ORACLE_SID} sysbackup=y

Enter password for SYSBACKUP:

While the utility is waiting for the SYSBACKUP password, any OS user can run the ps command and read the SYS password:

ps -ef | grep orapwd

oracle  5599 24451   0  orapwd password=dummy file=orapwdXXXX sysbackup=y

Expect

The described deficiency can be overcome by using Expect. Expect is a framework developed for programmatically simulating interactive work. By now there are Expect libraries for almost every programming language. Here I'll supply an example in Perl which uses the CPAN Expect library. Note that the CPAN Expect library is not standalone; it relies on the Expect OS libraries:


1 	#!/u00/oracle/orabase/local/perl/bin/perl -w
2 	use strict ;
3 	use Expect ;
4 	my $expect_obj = Expect->spawn(                                # start orapwd under a pseudo-terminal
5 	  "$ENV{ORACLE_HOME}/bin/orapwd file=orapw$ENV{ORACLE_SID}"    # no password in the argument list
6 	) or die ("cannot spawn orapwd: $!") ;
7 	my @result = $expect_obj->expect(undef ,                        # undef = wait without a timeout
8 	  [qr{Enter password for SYS:},                                 # pattern to wait for
9 		sub {                                                        # called when the pattern matches
10		  my $exp = shift;
11		  $exp->send("test\n");                                      # password goes through the pty
12		  exp_continue;                                              # keep matching until orapwd exits
13	  }]
14	) ;

Line 3 loads the Expect module. The code on lines 4-6 creates an Expect object and starts the given command. Line 7 calls the expect method, which waits for input matching the regular expression specified on line 8. Lines 9-13 contain a reference to an anonymous subroutine which gets called when the input matches the regular expression defined on line 8. The code on line 11 feeds the password to the orapwd utility. For demonstration purposes only I hardcoded the password, but this is something that shouldn't be done in real life.
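A fuller version of the same approach, added here as an example and not taken from the original post: the password is read from a file that must be mode 0600 (its path taken from a hypothetical ORAPWD_SECRET variable), both the SYS and SYSBACKUP prompts are answered, and the script fails cleanly on a timeout or a non-zero orapwd exit status. For simplicity it assumes the same secret is acceptable for both prompts.

```perl
#!/usr/bin/perl
# Added example (not the original post's code): drive orapwd with Expect and
# keep the password out of argv, where any OS user could read it with ps.
use strict;
use warnings;
use Expect;
use Fcntl ':mode';

# Hypothetical location of the secret; assumed readable only by the oracle OS user.
my $pw_file = $ENV{ORAPWD_SECRET} // "$ENV{HOME}/.orapwd_secret";

sub read_secret {
    my ($path) = @_;
    my @st = stat($path) or die "stat $path: $!\n";
    my $mode = S_IMODE($st[2]);
    # A group- or world-readable secret file would defeat the purpose.
    die sprintf("%s is readable by others (mode %04o)\n", $path, $mode) if $mode & 077;
    open(my $fh, '<', $path) or die "open $path: $!\n";
    chomp(my $secret = <$fh> // '');
    close $fh;
    die "$path is empty\n" unless length $secret;
    return $secret;
}

my $password = read_secret($pw_file);

# Only the file name and the sysbackup flag appear in the process list.
my $exp = Expect->spawn("$ENV{ORACLE_HOME}/bin/orapwd",
                        "file=orapw$ENV{ORACLE_SID}", "sysbackup=y")
    or die "cannot spawn orapwd: $!\n";
$exp->log_stdout(0);    # do not echo the child's prompts to our own stdout

$exp->expect(60,
    # Matches both "Enter password for SYS:" and "Enter password for SYSBACKUP:".
    [ qr/Enter password for SYS(?:BACKUP)?:/ => sub {
          my $e = shift; $e->send("$password\n"); exp_continue; } ],
    [ timeout => sub { die "orapwd did not prompt within 60 s\n" } ],
    [ eof     => sub { } ],    # orapwd finished; fall through to the status check
);

$exp->soft_close();            # wait for the child and collect its exit status
my $status = $exp->exitstatus();
die "orapwd failed, exit status " . ($status >> 8) . "\n" if $status;
print "password file orapw$ENV{ORACLE_SID} written\n";
```

Run it as the oracle OS user with ORACLE_HOME and ORACLE_SID set; a concurrent ps -ef | grep orapwd shows only file= and sysbackup=y in the argument list.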

Summary

In this blog post I demonstrated the disadvantages of passing sensitive information as a command line parameter and provided an alternative solution based on Perl and Expect.

Thanks for sharing

Nenad Noveljic
