By reporting the process status with ps, any Unix user will see the command line arguments:

UID        PID   PPID  C STIME    TTY     TIME CMD
lsc      13837  13825  0 May 11   pts/17  0:01 -ksh
oracle    4698   6294  0 12:00:40 ?       0:00 sqlplus -s system/manager
appluser  4229   4062  0 12:00:03 ?       0:00 sqlldr scott/tiger
applrun0 28445  28281  0 11:54:03 ?       0:00 imp king/gold full=y

The output above is definitely a security issue. For sqlplus, the trick is to start sqlplus /nolog and then pass connect system/manager as input or in a script.
For sqlldr (and exp/imp etc.), the trick is to use a parameter file.
To make it as safe as possible, the file must be unique, readable only by its owner, and removed after use:

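TMPFILE=$(mktemp)    # unique temporary file name
echo "userid=scott/tiger" >"$TMPFILE"
sqlldr parfile="$TMPFILE" control=x.ctl silent=header,feedback
rm -f "$TMPFILE"     # remove the credentials file after use
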
mktemp is a Unix utility that creates temporary files with unique names.
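
To check a host for the exposure shown above, the following added example (not part of the original post) scans ps -ef style output for sqlplus, sqlldr, exp and imp processes that carry a user/password pair on the command line. The function names and the matching heuristic are assumptions of this example; the sample input is constructed from the four ps lines above plus two constructed safe invocations.

```shell
#!/bin/sh
# Added example (not from the original post): heuristic audit of `ps -ef` output.
# Prints "owner pid tool" for every sqlplus/sqlldr/exp/imp process whose
# arguments contain a user/password pair. The password itself is never printed.
find_exposed_logins() {
    awk '
    {
        tool = ""
        # CMD is field 8 at the earliest (field 9 when STIME is "May 11").
        for (i = 8; i <= NF; i++) {
            if (tool == "") {
                n = split($i, path, "/")          # accept /full/path/to/sqlplus
                if (path[n] ~ /^(sqlplus|sqlldr|exp|imp)$/) tool = path[n]
                continue
            }
            arg = $i
            sub(/^[Uu][Ss][Ee][Rr][Ii][Dd]=/, "", arg)   # userid=scott/tiger
            # name/password, optionally @alias. "/nolog", "@script.sql" and
            # key=value arguments such as parfile=/tmp/x do not match.
            if (arg ~ "^[^/=@]+/[^/@]+(@.*)?$") {
                print $1, $2, tool
                break
            }
        }
    }'
}

# Constructed sample: the four lines shown above plus two safe invocations.
sample_ps() {
    cat <<'EOF'
UID PID PPID C STIME TTY TIME CMD
lsc 13837 13825 0 May 11 pts/17 0:01 -ksh
oracle 4698 6294 0 12:00:40 ? 0:00 sqlplus -s system/manager
appluser 4229 4062 0 12:00:03 ? 0:00 sqlldr scott/tiger
applrun0 28445 28281 0 11:54:03 ? 0:00 imp king/gold full=y
oracle 5001 6294 0 12:01:10 ? 0:00 sqlplus -s /nolog
appluser 5002 4062 0 12:01:12 ? 0:00 sqlldr parfile=/tmp/tmp.Ab12Cd control=x.ctl
EOF
}

sample_ps | find_exposed_logins
```

On a live system, pipe the real process list into the function instead of the sample: ps -ef | find_exposed_logins.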