Mail Archives: cygwin/2010/09/16/04:45:15

Message-ID: <4C91D8F0.4070409@towo.net>
Date: Thu, 16 Sep 2010 10:44:32 +0200
From: Thomas Wolff <towo AT towo DOT net>
To: cygwin AT cygwin DOT com
Subject: Re: Security Warning: Re: Behaviours of Terminal Versus Script when using "<<"
References: <29720777 DOT post AT talk DOT nabble DOT com> <4C9122C1 DOT 7040902 AT towo DOT net> <29725859 DOT post AT talk DOT nabble DOT com>
In-Reply-To: <29725859.post@talk.nabble.com>

On 16.09.2010 09:59, delbydev wrote:
> Hello Thomas
>
> Noted and already accounted for
... almost; the security hole has changed to a very tiny one with your 
new script;
however, somebody spying on you and monitoring your login multiple times 
could still be lucky to catch the parameters of "echo".
By any strategy of security, this needs to be strictly avoided.
You could instead just edit that file manually once.
Or, if you need to generate it, use the inline input approach (using 
"<<", where we are meeting your original problem, but the context is 
more straightforward).
------
Thomas

>   - was just avoiding confusing the actual issue
>
> The way I approach this is as follows
> Create a directory e.g. .myconns in my home directory with 700 chmod
> permission
> In my .profile (or equivalent)
>
>
> export SQLORACLE="${ORACLE_HOME}\\bin\\sqlplus.exe -s /NOLOG "
> export CONNHOME=${HOME}/.myconns
> REPCONNFILE=${CONNHOME}/.connrep.sql;
> echo conn myuser/mypass@mydbhost > ${REPCONNFILE}
> chmod 600 ${REPCONNFILE}
> export mydbconn="${SQLORACLE} @${REPCONNFILE}";
>
> so in the .myconns directory is the connection string - the /NOLOG switch
> prevents sqlplus from actually trying to connect from the shell command
> level. the relevant connection is picked up in the REPCONNFILE
>
> so a ps will only ever show the value (path) of the REPCONNFILE
> so I can reuse new existing database darter
>
> ...
>    


> Thomas Wolff-3 wrote:
>    
>>    On 15.09.2010 19:18, delbydev wrote:
>>      
>>> Hello
>>> Have hunted all over for this one but it seems no one else has reported
>>> the
>>> issue - maybe because they don't use the feature or there is something
>>> awry
>>> with my installation
>>>
>>> I write scripts that dart in and out of databases
>>>
>>> I bind my Oracle connection string into a number of variables in my
>>> .profile
>>>
>>> ORACLE_HOME='c:\\Oracle\\product\\11.2.0\\dbhome_2' export ORACLE_HOME
>>> mydbconn="${ORACLE_HOME}\\bin\\sqlplus -s mydbuser/mydbpass@mydbhost"
>>> export
>>> mydbconn
>>>
>>> so when I want to dart into the database - I perform the following from
>>> the
>>> terminal command line
>>> ${mydbconn}
>>> ...
>>>        
>> Not answering your question (others did), but be aware:
>> It is a very, very bad idea in general to place a password on the
>> command line because every user on your machine can see your password.
>> Do this on your home machine for testing only.
>> ------
>> Thomas
>>
>> --
>> Problem reports:       http://cygwin.com/problems.html
>> FAQ:                   http://cygwin.com/faq/
>> Documentation:         http://cygwin.com/docs.html
>> Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
>>      
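
The inline-input ("<<") approach suggested in the reply above, as an added example that is not part of the original messages: the connection line is written as here-document data, and the file is created under a restrictive umask instead of being tightened with chmod afterwards. The function names and the placeholder credentials are assumptions made for this example.

```shell
#!/bin/sh
# Added example: create the sqlplus connection file without the credential
# being an argument of any command, and with no window of loose permissions.
# Function names and credentials are constructed placeholders.

# write_conn_file DIR FILE: create DIR (mode 700) and DIR/FILE (mode 600).
write_conn_file() {
    conn_dir=$1
    conn_file=$2
    (
        umask 077                         # new dir/file are 700/600 from creation
        mkdir -p "$conn_dir" || exit 1
        chmod 700 "$conn_dir" || exit 1   # tighten a directory that already existed
        rm -f "$conn_dir/$conn_file"      # an existing file would keep its old mode
        # The credential line is here-document data read on stdin; the only
        # command involved is "cat" with an empty argument list.
        cat > "$conn_dir/$conn_file" <<'EOF'
conn myuser/mypass@mydbhost
EOF
    )
}

# mode_of PATH: print the 10-character permission string reported by ls -ld.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# conn_file_is_private DIR FILE: succeed only if neither the directory nor
# the file grants any access to group or others.
conn_file_is_private() {
    [ "$(mode_of "$1")" = "drwx------" ] &&
    [ "$(mode_of "$1/$2")" = "-rw-------" ]
}

# Usage in .profile, following the layout quoted in this thread:
#   write_conn_file "${HOME}/.myconns" .connrep.sql
#   conn_file_is_private "${HOME}/.myconns" .connrep.sql || echo "fix permissions" >&2
#   sqlplus -s /NOLOG @"${HOME}/.myconns/.connrep.sql"
```
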
