Security Warning: Re: Behaviours of Terminal Versus Script when using "<<"

Thomas Wolff
Thu Sep 16 11:32:00 GMT 2010

On 16.09.2010 09:59, delbydev wrote:
> Hello Thomas
> Noted and already accounted for
... almost; the security hole has changed to a very tiny one with your 
new script;
however, somebody spying on you and monitoring your login multiple times 
could still be lucky to catch the parameters of "echo".
By any strategy of security, this needs to be strictly avoided.
You could instead just edit that file manually once.
Or, if you need to generate it, use the inline input approach (using 
"<<", where we are meeting your original problem, but the context is 
more straightforward).

>   - was just avoiding confusing the actual issue
> The way I approach this is as follows
> Create a directory e.g. .myconns in my home directory with 700 chmod
> permission
> In my .profile (or equivalent)
> export SQLORACLE"=${ORACLE_HOME}\\bin\\sqlplus.exe -s /NOLOG "
> export CONNHOME=${HOME}/.myconns
> REPCONNFILE=${CONNHOME}/.connrep.sql;
> echo conn myuser/mypass@mydbhost>  ${REPCONNFILE}
> chmod 600 ${REPCONNFILE}
> export mydbconn="${SQLORACLE} @${REPCONNFILE}";
> so in the .myconns directory is the connection string - the /NOLOG switch
> prevents sqlplus from actually trying to connect from the shell command
> level. the relevant connection is picked up in the REPCONNFILE
> so a ps will only ever show the value (path) of the REPCONNFILE
> so I can reuse new existing database darter
> ...

> Thomas Wolff-3 wrote:
>>    Am 15.09.2010 19:18, schrieb delbydev:
>>> Hello
>>> Have hunted all over for this one but it seems no one else has reported
>>> the
>>> issue - maybe because they don't use the feature or there is something
>>> awry
>>> with my installation
>>> I write scripts that dart in and out of databases
>>> I bind my Oracle connection string into a number of variables in my
>>> .profile
>>> ORACLE_HOME='c:\\Oracle\\product\\11.2.0\\dbhome_2' export ORACLE_HOME
>>> mydbconn="${ORACLE_HOME}\\bin\\sqlplus -s mydbuser/mydbpass@mydbhost"
>>> export
>>> mydbconn
>>> so when I want to dart into the database - I perform the following from
>>> the
>>> terminal command line
>>> ${mydbconn}
>>> ...
>> Not answering your question (others did), but be aware:
>> It is a very, very bad idea in general to place a password on the
>> command line because every user on your machine can see your password.
>> Do this on your home machine for testing only.
>> ------
>> Thomas
>> --
>> Problem reports:
>> FAQ:         
>> Documentation:
>> Unsubscribe info:

Problem reports:
Unsubscribe info:

More information about the Cygwin mailing list