Re: Problem with accesing Oracle from plperlu functionwhen using remote pg client.

On Mon, Mar 16, 2009 at 8:50 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:

> Heikki Linnakangas <heikki(dot)linnakangas(at)enterprisedb(dot)com> writes:
> > Hmm, I wonder if you could do something malicious with it.
>
> There are any number of scenarios where exposing the client command-line
> contents to other database users represents a security hole, quite
> independently of whether anything falls over depending on the line
> contents. (I wonder whether there are any Oracle clients that accept
> a password on the command line, for instance.)

Sure they let you pass the password on the command line, but they don't
recommend it. Most of the utilities accept the syntax:

utility user/pass(at)instance

Just doing user(at)instance will generally prompt for a password.

Ahh, the number of passwords I've recovered from shell history files as a
consultant... good times :)

The only reason this complaint is directed to us, and not Oracle,
> is that the complainant knows how far he's likely to get complaining
> to Oracle :-(

I don't doubt that. But, like I said, it's really a matter of the
application name. In our case, Postgres falls into that corner case and we
either choose to do something about it or we don't. I put the temporary
solution out there for anyone that has the problem. If we want to fix it
long-term, we'd have to look at one of the previously discussed alternatives
to using (port). I don't particularly care one way or another, but if we
were to change the ps line format, I just wanted to say that I preferred
host:port rather than host(port).

--
Jonah H. Harris, Senior DBA
myYearbook.com