On Mon, Mar 16, 2009 at 8:50 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> There are any number of scenarios where exposing the client command-line
> contents to other database users represents a security hole, quite
> independently of whether anything falls over depending on the line
> contents. (I wonder whether there are any Oracle clients that accept
> a password on the command line, for instance.)
Sure, they let you pass the password on the command line, but they don't recommend it. Most of the utilities accept the syntax:
utility user/pass@instance
Just doing user@instance will generally prompt for a password.
Ahh, the number of passwords I've recovered from shell history files as a consultant... good times :)
> The only reason this complaint is directed to us, and not Oracle,
> is that the complainant knows how far he's likely to get complaining
> to Oracle :-(
I don't doubt that. But, like I said, it's really a matter of the application name. In our case, Postgres falls into that corner case and we either choose to do something about it or we don't. I put the temporary solution out there for anyone that has the problem. If we want to fix it long-term, we'd have to look at one of the previously discussed alternatives to using (port). I don't particularly care one way or another, but if we were to change the ps line format, I just wanted to say that I preferred host:port rather than host(port).
--
Jonah H. Harris, Senior DBA
myYearbook.com
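An added example, not part of this thread and not PostgreSQL or Oracle code: a small scanner that finds the Oracle-style `user/pass@instance` token the post describes, either in shell history lines or in a process's argv as read from `/proc/<pid>/cmdline` (NUL-separated), and reports it with the password redacted. The sample history lines are constructed for the example. Assumptions (mine, not the thread's): the password contains no `@` or whitespace (Oracle requires quoting such passwords, which this scanner does not handle), and the `user@instance` form with no slash is treated as a prompt-for-password invocation and not flagged.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Matches one argv token of the form user/password@instance.
# Assumption: password has no '@' or whitespace (unquoted Oracle form).
CONNECT_TOKEN = re.compile(
    r'^(?P<user>[A-Za-z_][\w$#]*)/(?P<password>[^@\s]+)@(?P<instance>[\w.:/-]+)$'
)


@dataclass
class Finding:
    line_no: int        # 1-based index into the scanned input
    user: str
    instance: str
    redacted_line: str  # safe to paste into a report; password replaced


def _scan_tokens(line_no: int, tokens: List[str]) -> Optional[Finding]:
    """Look for a credential token among argv-style tokens; never keep the password."""
    hit = None
    redacted = []
    for tok in tokens:
        m = CONNECT_TOKEN.match(tok)
        if m:
            hit = m
            redacted.append(f"{m['user']}/******@{m['instance']}")
        else:
            redacted.append(tok)
    if hit is None:
        return None
    return Finding(line_no, hit['user'], hit['instance'], ' '.join(redacted))


def scan_history(lines: Iterable[str]) -> List[Finding]:
    """One Finding per shell-history line that carries a user/pass@instance token.

    Lines such as 'sqlplus scott@orcl' (prompts for the password) and
    'sqlplus / as sysdba' (OS authentication) are not flagged.
    """
    findings = []
    for n, line in enumerate(lines, start=1):
        f = _scan_tokens(n, line.split())
        if f:
            findings.append(f)
    return findings


def scan_proc_cmdline(raw: bytes, pid: int = 0) -> Optional[Finding]:
    """Scan the raw contents of /proc/<pid>/cmdline (NUL-separated argv).

    This is the same exposure Tom Lane describes: any local user can read
    another process's argv, so a password there is visible to everyone.
    """
    tokens = [t.decode('utf-8', 'replace') for t in raw.split(b'\x00') if t]
    return _scan_tokens(pid, tokens)


# Constructed sample history, not taken from any real system.
SAMPLE_HISTORY = [
    "sqlplus scott/tiger@orcl",
    "sqlplus scott@orcl",
    "sqlplus / as sysdba",
    "exp system/manager@prod file=full.dmp log=full.log",
    "scp full.dmp backup@nas:/exports/oracle",
]

if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        print(f"line {f.line_no}: user={f.user} instance={f.instance} -> {f.redacted_line}")
    hit = scan_proc_cmdline(b"sqlplus\x00scott/tiger@orcl\x00", pid=4242)
    if hit:
        print(f"pid {hit.line_no}: {hit.redacted_line}")
```

The scanner keys on the token shape rather than on a list of utility names, so it also catches `exp`, `imp`, `rman` and home-grown wrapper scripts; the trade-off is an occasional false positive on an unrelated `a/b@c` token, which is the right side to err on when the input is a consultant's pile of `.bash_history` files.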