{"id":821,"date":"2016-06-15T22:05:19","date_gmt":"2016-06-15T22:05:19","guid":{"rendered":"http:\/\/nenadnoveljic.com\/blog\/?p=821"},"modified":"2016-06-15T22:07:20","modified_gmt":"2016-06-15T22:07:20","slug":"expect-alternative-supplying-password-command-line","status":"publish","type":"post","link":"https:\/\/nenadnoveljic.com\/blog\/expect-alternative-supplying-password-command-line\/","title":{"rendered":"Expect &#8211; Alternative to Supplying Password to Command Line"},"content":{"rendered":"<h1>Introduction<\/h1>\n<p>In some Oracle database utilities, like <em>orapwd<\/em>, <em>ldap*<\/em>, <em>rman<\/em> and <em>sqlplus<\/em>, the password can be specified as a command line argument. Because of its seductive simplicity, it is tempting to use the utilities this way when developing automation scripts. However, such usage creates a major security risk, because even an unprivileged OS user can read the password simply by listing the running processes.<\/p>\n<p>In this blog post I&#8217;ll suggest a better alternative for authenticating within an automation framework.<\/p>\n<h1>Demo<\/h1>\n<p>In this example I&#8217;m using the <em>orapwd<\/em> utility to demonstrate the security risk when passwords are passed on the command line. <em>orapwd<\/em> creates a password file which stores the passwords for the remote authentication of the privileged accounts.<\/p>\n<pre><code>orapwd\r\n\r\nUsage: orapwd file=&lt;fname&gt; entries=&lt;users&gt; force=&lt;y\/n&gt; asm=&lt;y\/n&gt;\r\ndbuniquename=&lt;dbname&gt; format=&lt;legacy\/12&gt; sysbackup=&lt;y\/n&gt; sysdg=&lt;y\/n&gt;\r\nsyskm=&lt;y\/n&gt; delete=&lt;y\/n&gt; input_file=&lt;input-fname&gt;\r\n\r\n\r\nUsage: orapwd describe file=&lt;fname&gt;\r\n\r\nwhere\r\n\r\nfile - name of password file (required),\r\n\r\n<span style=\"color: #ff0000;\">password - password for SYS will be prompted\r\nif not specified at command line.<\/span>\r\nIgnored, if input_file is specified,<\/code><\/pre>\n<p>The usage output above confirms that the password can indeed be passed on the command line. I&#8217;ll demonstrate the security issue in slow motion. First, I&#8217;m calling <em>orapwd<\/em> and specifying the <em>sys<\/em> password on the command line. At the same time, I&#8217;m setting the <em>sysbackup<\/em> parameter to <em>y<\/em> so that the utility prompts for the SYSBACKUP password, which makes it stop and wait for input:<\/p>\n<pre><code>orapwd password=dummy file=orapwd${ORACLE_SID} sysbackup=y\r\n\r\nEnter password for SYSBACKUP:<\/code><\/pre>\n<p>While the utility is waiting for the SYSBACKUP password, any OS user can execute the <em>ps<\/em> command and see the <em>sys<\/em> password:<\/p>\n<pre><code>ps -ef | grep orapwd\r\n\r\noracle  5599 24451   0  orapwd <span style=\"color: #ff0000;\">password=dummy<\/span> file=orapwdXXXX sysbackup=y<\/code><\/pre>\n<h1>Expect<\/h1>\n<p>The described deficiency can be overcome by using <a href=\"http:\/\/expect.sourceforge.net\/\" target=\"_blank\">Expect<\/a>. Expect is a framework for programmatically driving interactive programs. By now, there are Expect libraries for almost every programming language. Here, I&#8217;ll supply an example in Perl which uses the <a href=\"http:\/\/search.cpan.org\/~rgiersig\/Expect-1.15\/Expect.pod\" target=\"_blank\">CPAN Expect library<\/a>. Note that the CPAN Expect library is not standalone; it rather relies on the Expect OS libraries:<\/p>\n<pre><code>1 \t#!\/u00\/oracle\/orabase\/local\/perl\/bin\/perl -w\r\n2 \tuse strict ; use Carp ;   # Carp provides croak()\r\n3 \tuse Expect ;\r\n4 \tmy $expect_obj = Expect-&gt;spawn(   # start orapwd without a password argument\r\n5 \t  \"$ENV{ORACLE_HOME}\/bin\/orapwd file=orapw$ENV{ORACLE_SID}\" \r\n6 \t) or croak ($!) ;\r\n7 \tmy @result = $expect_obj-&gt;expect(undef ,   # undef timeout: wait indefinitely\r\n8 \t  [qr{Enter password for SYS:}, \r\n9 \t\tsub { \r\n10\t\t  my $exp = shift; \r\n11\t\t  $exp-&gt;send(\"test\\n\");   # answer the prompt; hardcoded for demo only\r\n12\t\t  exp_continue;   # keep matching until orapwd exits\r\n13\t  }]\r\n14\t) ;<\/code><\/pre>\n<p>Line 3 loads the Expect module. Lines 4-6 create an Expect object and start the given command. Line 7 calls the <em>expect<\/em> method, which waits for input matching the regular expression specified on line 8. Lines 9-13 contain a reference to an anonymous subroutine which gets called when the input matches that regular expression. The code on line 11 feeds the password to the orapwd utility. Because the password is written to the utility&#8217;s pseudo-terminal rather than passed as an argument, it does not appear in the process list. Just for demonstration purposes I hardcoded the password, but this is something that shouldn&#8217;t be done in real life.<\/p>\n<h1>Summary<\/h1>\n<p>In this blog post I demonstrated the disadvantages of passing sensitive information as a command line parameter and provided an alternative solution based on Perl and Expect.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Expect framework can be used as an alternative to passing passwords to the command line. 
<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[5,4],"tags":[],"class_list":["post-821","post","type-post","status-publish","format-standard","hentry","category-oracle","category-perl"],"yoast_head_json":{"title":"Expect - Alternative to Supplying Password to Command Line - All-round Database Topics","description":"The Expect framework can be used as an alternative to passing password to the command line.","canonical":"https:\/\/nenadnoveljic.com\/blog\/expect-alternative-supplying-password-command-line\/","og_site_name":"All-round Database Topics","article_published_time":"2016-06-15T22:05:19+00:00","article_modified_time":"2016-06-15T22:07:20+00:00","author":"Nenad Noveljic"}}