Hyperic HQ

Sybase plugin external process shows the password on ps output

Details

  • Type: Security Review
  • Status: Closed
  • Priority: Minor
  • Resolution: Deferred
  • Affects Version/s: 3.0.5, 3.1.0
  • Fix Version/s: None
  • Component/s: Plugins
  • Case Links:
    none
  • 3.0 Category:
    Plugins

Description

http://forums.hyperic.com/jiveforums/thread.jspa?threadID=2773&tstart=0

I noticed in a "ps -ef | grep hyperic" that hyperic was running a perl script to monitor Sybase with the password available in the command-line sequence. The Sybase monitoring looked great otherwise (in my limited experience), but this feature comes at a price of reduced security.

Not sure if there is any easy way to fix this in the current version, but if this item can be addressed in newer versions of Hyperic, that would be great.

(Scott's response)
Yes, this is definitely an issue. Unfortunately, any Sybase exec that you do non-interactively will have this problem.

I guess we can solve this by giving the user an optional command to provide which would return the password at runtime. But there would still be the issue of isql -P<passwd> to run sp_sysmon, which is run in a separate process. I wish sp_sysmon returned an actual resultset via JDBC; then this wouldn't be an issue at all.

Could you just create a user that only has read access on all the sys tables?

I could run sp_sysmon as that user instead of sa.

Any suggestions are welcome.

Activity

There are no comments yet on this issue.
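
The exposure reported above, and one way a launcher can avoid it, as an added example that is not part of the original issue or of the Hyperic plugin. It starts the same child process twice, once with the password on the command line and once with the password written to the child's standard input, and reads back the argument list that `ps -ef` would show. Assumptions: Linux with `/proc` mounted; `CLIENT` is a hypothetical stand-in for the external client (it is not isql or the plugin's Perl script), and `SECRET` is a constructed value.

```python
import subprocess
import sys
from pathlib import Path

SECRET = "constructed-demo-password"  # constructed sample value, not from the issue

# Hypothetical stand-in for the external client the plugin launches. It takes
# the password from argv[1] if present, otherwise from the first stdin line,
# reports its length, then waits so the parent can inspect the process table.
CLIENT = (
    "import sys\n"
    "pw = sys.argv[1] if len(sys.argv) > 1 else sys.stdin.readline().rstrip('\\n')\n"
    "print(len(pw), flush=True)\n"
    "sys.stdin.readline()\n"
)


def cmdline_of(pid):
    """Return the argument list of a process as ps reports it (Linux /proc)."""
    raw = Path(f"/proc/{pid}/cmdline").read_bytes()
    return [arg.decode() for arg in raw.split(b"\0") if arg]


def run_client(secret, on_argv):
    """Start the client, pass it the secret, return (length it received, its visible argv)."""
    argv = [sys.executable, "-c", CLIENT] + ([secret] if on_argv else [])
    with subprocess.Popen(argv, stdin=subprocess.PIPE,
                          stdout=subprocess.PIPE, text=True) as proc:
        if not on_argv:
            # The secret travels over a private pipe and never enters argv.
            proc.stdin.write(secret + "\n")
            proc.stdin.flush()
        received = int(proc.stdout.readline())  # client confirms it has the secret
        exposed = cmdline_of(proc.pid)          # what other local users can read
    return received, exposed                    # leaving the with-block ends the client


if __name__ == "__main__":
    for on_argv in (True, False):
        received, exposed = run_client(SECRET, on_argv)
        leaked = any(SECRET in arg for arg in exposed)
        how = "argv" if on_argv else "stdin"
        print(f"password via {how}: client got {received} chars, "
              f"visible in process list: {leaked}")
```

Whether a given client accepts its password on standard input depends on that client; the issue above only establishes that the `-P<passwd>` form places it in the process list.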

Dates

  • Created:
    Updated:
    Resolved:
    Last comment:
    7 years, 30 weeks, 4 days ago