How to hide password in shell script?


 
# 1  
Old 09-22-2017
How to hide password in shell script?

I am writing a shell script for SQL Loader (this is just a copy of part of the code):

For security reasons, I have to put the loginName and password below into a separate file instead of in the same file as this script.

Can anyone give me a hand? Thanks.


Shell Script :
Code:
#=================================================
# Run SQL Loader
#=================================================

sqlplus -S loginName@UAT/password <<EOF
  
sqlldr loginName@UAT/password log=$JOBLOG control=$SQLLDR_CTL data=$INFILE errors=10000 direct=true rows=10000

Moderator's Comments:
Mod Comment Please use CODE tags when displaying sample input, output, and code segments.

Last edited by Don Cragun; 09-22-2017 at 04:45 AM.. Reason: Add CODE tags.
# 2  
Old 09-22-2017
Quote:
Originally Posted by Jaewong
I am writing a shell script for SQL Loader (this is just a copy of part of the code):

For security reasons, I have to put the loginName and password below into a separate file instead of in the same file as this script.

Can anyone give me a hand? Thanks.


Shell Script :
Code:
#=================================================
# Run SQL Loader
#=================================================

sqlplus -S loginName@UAT/password <<EOF
  
sqlldr loginName@UAT/password log=$JOBLOG control=$SQLLDR_CTL data=$INFILE errors=10000 direct=true rows=10000

Moderator's Comments:
Mod Comment Please use CODE tags when displaying sample input, output, and code segments.
For a user to execute a shell script, the user has to be able to read the shell script. Storing the name of a file (that can be read by your script) in a script that can be read by the user means that the user can read the file containing the DB username and DB username's password, so there isn't much security added by putting them in a different file. Some systems allow you to create set-UID shell scripts that could be used to run as the DB user and read a file that is only readable by that user, but there aren't many systems that still support set-UID shell scripts (and if you're using a shell that does allow that, you need to be VERY careful to avoid letting someone running your script get access to all of DB user's private files and changing DB user's password).

What operating system and shell are you using?

Can you use C or C++ instead of shell to write your script?
# 3  
Old 09-22-2017
Thanks.
I knew there is no security indeed.
BUT, it is our silly company policy that does not want the user name and password put in the same place in the same script.

Linux server and ksh shell script.

Don't know C or C++.
# 4  
Old 09-22-2017
Quote:
Originally Posted by Jaewong
Thanks.
I knew there is no security indeed.
BUT, it is our silly company policy that does not want the user name and password put in the same place in the same script.

Linux server and ksh shell script.

Don't know C or C++.
Code:
#!/bin/ksh
DATAFILE=/path/to/file/containing/user+password # both on one line separated by a <space>.
JOBLOG="what ever this is"
SQLLDR_CTL="what ever this is"
INFILE="what ever this is"

#=================================================
# Get private data from data file readable by everyone.
#=================================================

read -r loginName password < "$DATAFILE"

#=================================================
# Run SQL Loader
#=================================================

sqlplus -S "$loginName@UAT/$password" <<EOF
  
sqlldr "$loginName@UAT/$password" log="$JOBLOG" control="$SQLLDR_CTL" data="$INFILE" errors=10000 direct=true rows=10000

EOF

My original post had several typos, as pointed out by RudiC in a private message. (The read had loginName twice instead of loginName and password, and the sqlplus command had unquoted literal strings instead of quoted variable expansions.) I apologize to anyone who read this message before the corrections were made.

Last edited by Don Cragun; 09-22-2017 at 06:22 AM.. Reason: Add quotes to sqlldr command and fix other typos.
# 5  
Old 09-22-2017
Sorry, I may not understand it.

I re-coded it as follows but it returns errors:

goldfish is the loginName
passcode is the password



Code:
#!/bin/ksh
export DATAFILE=/home/bueuat/hcbill/account/goldfish+passcode
export INFILE=${INFILE_PATH}/${JOBNAME}.txt
export JOBLOG=${LOG_PATH}/${JOBNAME}_${DATE}.log
export SQLLDR_CTL=${SQLLDR_CTL_PATH}/${JOBNAME}.ctl

#=================================================
# Get private data from data file readable by everyone.
#=================================================

read -r loginName loginName < "$DATAFILE"

#=================================================
# Run SQL Loader
#=================================================

sqlplus -S $loginName@BUEUAT/$password <<EOF

sqlldr $loginName@BUEUAT/$password log=$JOBLOG control=$SQLLDR_CTL data=$INFILE errors=10000 direct=true rows=10000

---------- Post updated at 05:30 PM ---------- Previous update was at 05:25 PM ----------

Even if I changed the line to :

Code:
 export DATAFILE=/home/bueuat/hcbill/account/goldfish passcode

The system returns this error :

Code:
 passcode: This is not an identifier.


Thanks much.


Moderator's Comments:
Mod Comment Seriously: Please use CODE tags as required by forum rules!

Last edited by RudiC; 09-22-2017 at 06:52 AM.. Reason: Added CODE tags.
# 6  
Old 09-22-2017
No.
Code:
export DATAFILE=/home/bueuat/hcbill/account/goldfish+passcode

should set DATAFILE to the pathname of a file that contains the user's name and the user's password on the first line in that file with the values separated by a space. The read statement does not grab values from the string assigned to DATAFILE; it grabs values from the contents of the file named by that string!

I apologize for my original post (which contained several typos) that you mostly fixed. Please look at the updated suggestion in post #4 (which was updated 2 minutes before your last reply).

To make it slightly less obvious to people looking for passwords, I would suggest that the last component of the absolute path named by DATAFILE should have a period as the first character (such as .secret) so it won't show up in an ls command unless the -a option is included.

Note also that there is no reason to export any of the variables used in this script. You only need to export variables that you want to be available in the environment of processes invoked by your script. Your script depends on the variables INFILE_PATH, JOBNAME, LOG_PATH, DATE, and SQLLDR_CTL_PATH to be exported by whatever process invokes your script.
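An added example, not part of any post in this thread: one way to read the "name password" file described above while refusing a file that group or other users can access. The function name `load_credentials` and its return codes are assumptions made for the illustration, and the code is plain POSIX sh so it also runs under ksh.

```shell
#!/bin/sh
# Added example (not from the thread). Reads "user password" from the first
# line of a credentials file, but only if the file is private to its owner.

# load_credentials FILE   (hypothetical helper name)
# Sets loginName and password on success. Returns non-zero and leaves both
# empty if the file is missing, is not a regular file, grants any access to
# group/other, or its first line is not exactly two space-separated fields.
load_credentials() {
    cred_file=$1
    loginName='' password=''

    [ -f "$cred_file" ] && [ -r "$cred_file" ] || {
        echo "credentials: $cred_file is not a readable regular file" >&2
        return 1
    }

    # The first 10 characters of ls -l output are the file type and the
    # permission bits, e.g. "-rw-------". Any group/other bit means another
    # local user may be able to read or replace the password.
    mode=$(ls -ld -- "$cred_file" | cut -c1-10)
    case $mode in
        -???------) ;;
        *) echo "credentials: $cred_file has mode $mode; use chmod 600" >&2
           return 2 ;;
    esac

    # "extra" catches a third field, so a password containing a space is
    # rejected instead of being silently truncated.
    read -r user pass extra < "$cred_file" || [ -n "$user" ] || return 3
    if [ -z "$user" ] || [ -z "$pass" ] || [ -n "$extra" ]; then
        echo "credentials: expected 'user password' on line 1" >&2
        return 3
    fi
    loginName=$user password=$pass
}
```

Command-line arguments are visible to other local users through `ps`, so a private file only helps if the password is also kept off the command line of the programs the script starts.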
# 7  
Old 09-22-2017
It works. Thanks to Don.