By reporting the process status with ps, any Unix user will see the command line arguments:

    ps -ef
    UID PID PPID C STIME TTY TIME CMD
    lsc 13837 13825 0 May 11 pts/17 0:01 -ksh
    oracle 4698 6294 0 12:00:40 ? 0:00 sqlplus -s system/manager
    appluser 4229 4062 0 12:00:03 ? 0:00 sqlldr scott/tiger
    applrun0 28445 28281 0 11:54:03 ? 0:00 imp king/gold full=y
    ...

What you see above is definitely a security issue: the passwords appear in the CMD column. For sqlplus, the trick is to start it with sqlplus /nolog and then pass connect system/manager as input or in a script.
For sqlldr (and exp/imp etc…), the trick is to use a parameter file.
To make it as safe as possible, the file must be unique, readable only by its owner, and removed after use.
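
    # New files are created readable and writable by the owner only
    umask 0077
    TMPFILE=$(mktemp)
    # echo is a shell builtin, so the password does not show up in ps
    echo "userid=scott/tiger" >"$TMPFILE"
    sqlldr parfile="$TMPFILE" control=x.ctl silent=header,feedback
    rm "$TMPFILE"
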
mktemp is a Unix utility that creates temp files with unique names.
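
A check for the exposure shown in the ps listing above, as an added example that is not part of the original post: it reads ps -ef output and reports Oracle client tools started with a user/password argument. The function names, the tool list and the matching pattern are assumptions; the sample lines are constructed from the listing above plus two safe invocations.

```shell
#!/bin/sh
# Added example (not from the original post): audit `ps -ef` output for
# Oracle client tools whose arguments carry a user/password pair.

# Reads ps -ef lines on stdin, prints "PID TOOL" for each offending process.
# Heuristic: the tool list and the credential pattern are assumptions.
find_exposed_oracle_creds() {
    awk '
    NR == 1 && $1 == "UID" { next }              # skip the ps header
    {
        tool = ""
        # CMD starts at field 8, or 9 when STIME is a date such as "May 11"
        for (i = 8; i <= NF; i++) {
            if (tool == "") {
                base = $i
                sub(".*/", "", base)             # drop any directory prefix
                if (base ~ "^(sqlplus|sqlldr|exp|imp)$") tool = base
                continue
            }
            arg = $i
            if (index(tolower(arg), "userid=") == 1) arg = substr(arg, 8)
            # user/password, optionally followed by @connect_identifier;
            # "/nolog", "parfile=/path" and "@script.sql" do not match
            if (arg ~ "^[^/=@]+/[^/=@]+(@.*)?$") { print $2, tool; break }
        }
    }'
}

# Constructed sample: the listing from the post plus two safe invocations.
sample_ps_lines() {
    cat <<'EOF'
UID PID PPID C STIME TTY TIME CMD
lsc 13837 13825 0 May 11 pts/17 0:01 -ksh
oracle 4698 6294 0 12:00:40 ? 0:00 sqlplus -s system/manager
appluser 4229 4062 0 12:00:03 ? 0:00 sqlldr scott/tiger
applrun0 28445 28281 0 11:54:03 ? 0:00 imp king/gold full=y
oracle 5001 6294 0 12:01:00 ? 0:00 sqlplus -s /nolog
appluser 5002 4062 0 12:01:05 ? 0:00 sqlldr parfile=/tmp/tmp.Ab12 control=x.ctl
EOF
}

# Demo on the sample; on a live host use: ps -ef | find_exposed_oracle_creds
sample_ps_lines | find_exposed_oracle_creds
```

The pattern is a heuristic: an argument that is a bare relative path such as dir/file would also be reported, so review hits before acting on them.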