How to avoid plain-text passwords in shell scripts

Hello fellow DBAs and readers,

today I want to share with you a good option to avoid having plain-text passwords on storage as part of scripts or automation efforts.

A few months ago, I discovered an issue with a plain-text password sitting there in a script. Most of the people I talked to about it disregarded the issue as “no big deal”. But my concern only grew when I found out that it was a common practice to script like that, and I decided to do something about it.

So there are a lot of options out there, if you ask me. You can even have your own code written in a compiled language. But the truth is that, given enough time, a hacker who gets that code can reverse engineer it to find out what you’re using. Python or any other scripting language is even simpler to read if someone finds the code, so it is not a good option to have our “encryption method” in the same place as the passwords.

At some point we stumbled upon a good solution provided by Oracle itself: The Oracle Wallet.

If you didn’t know it, you can use it to store external passwords and access them transparently to connect to any Oracle Database.

You can find the whitepaper by clicking >> here <<

According to the whitepaper you can use the tnsnames.ora file that is located in your $ORACLE_HOME/network/admin directory. But for my use case, I needed to keep that one as clean as possible and use a different tnsnames.ora file.

So I have this special directory where I will have the tnsnames.ora and sqlnet.ora files and the wallet directory. Let’s call it /path/to/tns/files. I’ll make my Oracle binaries aware of this location by exporting the TNS_ADMIN environment variable.

Let’s make a long story short and get this done:

  1. Create your directory
    mkdir -p /path/to/tns/files/wallet
  2. Create tnsnames.ora and sqlnet.ora files
    cd /path/to/tns/files
    vi tnsnames.ora
    vi sqlnet.ora
    • For the sqlnet.ora file use the following content:
      WALLET_LOCATION = 
        (SOURCE = 
          (METHOD = FILE) 
          (METHOD_DATA = 
            (DIRECTORY = /path/to/tns/files/wallet))) 
      SQLNET.WALLET_OVERRIDE = TRUE
      SSL_CLIENT_AUTHENTICATION = FALSE
  3. Create the wallet files
    mkstore -wrl /path/to/tns/files/wallet -create
    • Now you’ll see the cwallet.sso and the ewallet.p12 files sitting there.
  4. It’s time to start saving your credentials
    mkstore -wrl /path/to/tns/files/wallet -createCredential <DB NAME> <USERNAME> [<PASSWORD>]

You can see I place the password as optional. As you may have guessed already, I don’t want to leave the password there in the command history of my SHELL.

So, finally you can test your connection using sqlplus /@<DB NAME>
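Before moving scripts over to the wallet, it helps to know which ones still carry a password. The following is an added example, not part of the original post: it scans a directory for sqlplus/connect logins with a literal password and leaves the wallet form `/@<DB NAME>` alone. The regex, the function name and the directory in the usage line are assumptions.

```shell
#!/bin/sh
# Added example: locate Oracle logins with an inline password in scripts.
# The regex and the function name are illustrative assumptions.

# sqlplus/conn/connect, optional flags such as -s, then user/password where
# the password is literal text. Not matched: the wallet form "/@DB", "/nolog",
# "/ as sysdba", and passwords that are variable references ($VAR).
INLINE_PW_RE='(^|[^[:alnum:]_])(sqlplus|conn(ect)?)[[:space:]]+(-[[:alpha:]]+[[:space:]]+)*[[:alpha:]][[:alnum:]_#$]*/[^[:space:]@/$"][^[:space:]@]*'

# Print "file:line" for every hit under directory $1. The matching text is
# deliberately not printed, so passwords do not end up in terminal scrollback
# or CI logs. Returns 1 when anything was found, 0 otherwise.
find_inline_db_passwords() {
    hits=$(grep -rnEi -e "$INLINE_PW_RE" -- "$1" | cut -d: -f1,2)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Usage (placeholder path): find_inline_db_passwords /path/to/scripts
```

The non-zero return code lets the check run as a gate in a commit hook or CI job.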

AWR: Same SNAP ID, Different Dates

Hello everyone,

Recently I ran into an interesting issue. I created a script to automatically generate AWR + ADDM reports by asking only for the start and end timestamps.

Basically the script looks for the minimum and maximum SNAP_IDs between the start and end times in order to get comprehensive information out of the AWR.

Everything worked well until we got the starting time pointing to last year. But we only store 2 weeks of AWR data. So this seemed like a ghost snapshot.

The issue

2 years working perfectly until we got something like this:

SQL> select distinct snap_id, begin_interval_time, end_interval_time
from dba_hist_snapshot
where snap_id=99999
order by 2;

  SNAP_ID BEGIN_INTERVAL_TIME END_INTERVAL_TIME 
---------- ------------------------- -------------------------
 99999     03-MAY-16 03.30.24.785000 03-MAY-16 03.45.30.203000
 99999     03-MAY-16 03.30.24.810000 03-MAY-16 03.45.30.226000
 99999     03-MAY-16 03.30.24.824000 03-MAY-16 03.45.30.252000
 99999     03-MAY-16 03.30.24.828000 03-MAY-16 03.45.30.227000
 99999     31-JAN-17 12.00.31.899000 31-JAN-17 12.15.37.672000
 99999     31-JAN-17 12.00.31.920000 31-JAN-17 12.15.37.693000
 99999     31-JAN-17 12.00.31.921000 31-JAN-17 12.15.37.697000
 99999     31-JAN-17 12.00.31.921000 31-JAN-17 12.15.37.694000

8 rows selected

So, how can this happen?

Basically, we refreshed this database from another one using RMAN Clone. This means that after the cloning, the databases were identical, including AWR snapshots.

This introduces SNAP_IDs from the source database into the target database, and thus when the target database reaches that same SNAP_ID number, we face this situation.

By issuing a couple more queries, you can find something like this:

SQL> select dbid from v$database;
 DBID
-----------
 1234567890

SQL> select dbid, retention from dba_hist_wr_control;
 DBID       RETENTION
----------- -----------
 1357924680 40150 0:0:0
 1234567890 60 0:0:0.0 
 2468013579 60 0:0:0.0

The Solution

The solution for this issue is simple enough.

We can use the following stored procedure to clean up the mess:

dbms_workload_repository.drop_snapshot_range(min,max, db_id)

By following the next few steps you can find the snap range you want to drop and clear them out.

SQL> select min(snap_id), max(snap_id) from dba_hist_snapshot where dbid = 1357924680;

MIN(SNAP_ID)  MAX(SNAP_ID)
------------ -------------
       55555         99999

SQL> exec dbms_workload_repository.drop_snapshot_range(55555,99999, 1357924680);

PL/SQL procedure successfully completed.

SQL> select * from dba_hist_snapshot where dbid = 1357924680;

no rows selected

So, this is it for today! I hope this helps some of you fellow DBAs out there!

NOTE: DB_IDs, SNAP_IDs and timestamps have been modified to protect the identity of the protagonists of this post 😉

Linux Mint – Disable Touchpad on Mouse Connect

Hello my dear readers,

I was struggling with the Touchpad in my laptop as it’s very sensitive and activates even with the softest touch.

Being a shell script enthusiast made me think that some simple, efficient code could for sure make this work. So I did some Googling and found some code that may come in handy for this.

The original post by red-lichtie can be found on the LM forums by following this LINK

But for the sake of simplicity, let’s put the code here.

A script: /usr/local/bin/toggleTouchpad.sh (with perms 766 so that only root can call it)

#!/bin/sh
sleep 1                               # short delay before querying xinput
TOUCHPAD_NAME=touchpad
DISPLAY=":0.0"
XAUTHORITY=/var/lib/mdm/:0.Xauth
export DISPLAY XAUTHORITY             # udev runs this outside the X session
tpID=$(xinput list | grep -i "$TOUCHPAD_NAME" | sed -n 's/.*id=\([0-9]*\).*/\1/p')  # id from the id=N field
case "$1" in
   on)
   /usr/bin/xinput --enable "$tpID"
   ;;
   off)
   /usr/bin/xinput --disable "$tpID"
   ;;
esac

And a rule set: /etc/udev/rules.d/99-touchpad-autotoggle.rules

SUBSYSTEM!="usb", GOTO="touchpad-autotoggle_end"
ACTION=="add",    ATTR{bInterfaceClass}=="03", ATTR{bInterfaceSubClass}=="01", ATTR{bInterfaceProtocol}=="02", RUN+="/usr/local/bin/toggleTouchpad.sh off"
ACTION=="remove", ATTR{bInterfaceClass}=="03", ATTR{bInterfaceSubClass}=="01", ATTR{bInterfaceProtocol}=="02", RUN+="/usr/local/bin/toggleTouchpad.sh on"
LABEL="touchpad-autotoggle_end"

These are some awesome 19 lines that solve a requirement that is well known in the Linux community. Even more outstanding is the fact that, because it uses only core Linux pieces such as sh, udev and xinput, this will work on any Linux distro that doesn’t come with this option already.
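udev runs RUN+= programs as root, so the script a rule names should be writable by root only; mode 766 also gives group and others write access, while 755 does not. The check below is an added example, not code from the original forum post: it pulls the RUN+= targets out of a rules file and reports any that are not owned by the expected uid or that group or others can write to. Function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the programs a udev rules file runs.
# Function names are hypothetical.

# List the program paths named in RUN+="..." assignments of a rules file.
# Only the path is kept; arguments after the first space are dropped.
udev_run_targets() {
    sed -n 's/.*RUN+="\([^" ]*\).*/\1/p' "$1" | sort -u
}

# Print each RUN target that is missing, not owned by the expected uid
# (default 0, root), or writable by group or others.
# Returns 1 if any target was reported, 0 otherwise.
audit_udev_run_targets() {
    rules=$1
    uid=${2:-0}
    bad=0
    for prog in $(udev_run_targets "$rules"); do
        # find prints the path only when owner and mode are both acceptable
        ok=$(find "$prog" -prune -user "$uid" ! -perm -020 ! -perm -002 2>/dev/null)
        if [ -z "$ok" ]; then
            echo "$prog"
            bad=1
        fi
    done
    return "$bad"
}

# Usage: audit_udev_run_targets /etc/udev/rules.d/99-touchpad-autotoggle.rules
```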

For me on Linux Mint

Catharsis – The Planet of the Apes

Greetings my dear readers,

Today I want to get rid of this foul mouth flavor, this weight in my soul that has me asking time after time if I’m doing a good job as a father, husband and person.

Every single day I catch a glance of news that seem to bring along some sort of omen of an imminent apocalypse if we, as in humankind, don’t change the path we’re walking.

Every day we get more and more disconnected, we are more violent, we talk less, we understand each other less and we don’t want to listen to others.

The omnipresent videos of justice by own hand in Venezuela are getting harder and harder to skip. It’s a reality I don’t want to watch. I don’t want to share it. I don’t want to support it. I see with deep concern that these videos become viral too fast and society dumps its frustration in comments that try to justify and exacerbate the violence as a way to get that needed justice.

I must confess that I, feeling frustrated and powerless to create a deep change in our society, have turned my head to the other side. I don’t support this kind of stuff through comments, but I haven’t condemned it either. My sin is to only watch. My sin is not to act. Mea culpa.

I don’t know what the solution may be, but getting hold of a thief and “serving our own justice” does not solve the bigger problem. It doesn’t solve the problem of murderers, narcs, terrorists or the ramping violence in the shape of personal, juridic, social and economic unsafety.

With desperation, I look all over the World and I see violence getting more and more coverage on media and out of it. All of this thanks to the public inaction or even the lust to watch that thing they want to call justice.

Facebook, YouTube and Twitter are filled daily with comments inciting or even supporting violence as the right way to solve the violence-powered problems, without realizing that by throwing violence towards other people we are actually fueling that same violence to come back to us eventually.

Some for political reasons, others for religion and some more only because of the anarchy, everybody is looking for the same thing: Violence as the way to show up and defend their ideas. This actually nullifies the message from the start.

Slowly but without stopping, we walk that path, that descending spiral of violence that generates vendetta over vendetta, until it creates a violence shockwave that will end up taking us to that feared post-nuclear apocalypse.

If we behave like animals, or even worse, we’re only building a terrible future even beyond that sci-fi nightmare that was The Planet of the Apes.

Our answer to violence must be the redirection of that energy far away from us. Evade the aggression and subdue the violence. Search for peace and balance in each of our actions, as small as it may be. A single snow crystal can start a slide. It doesn’t matter how small or insignificant you think an action can be, it generates a chain reaction that can reach farther away than you may imagine.

As for me, I raise my baby girl without yelling, without aggression, without punches, without punishment that creates fear in her. I prefer to raise her with love, respect and words. Lots of words. At her short age of 3 years, she already started to understand that her decisions, in matters that may seem trivial to adults, are important.

I believe that a new generation of human beings that listen more and yell a lot less is the best way to counterattack that wave full of violence that is circling the World. A lot of millennials are like that already, but we need more. We need an awful lot more.

Before yelling, think. Before throwing a punch, talk. Before damaging someone, try to manage your own wrath in a better way. Violence must be, if nothing else works, always the last resort.



This World needs more consistent people.
People who actually do what they say. People who love and don’t hate.
People who help and let others help them.

Jesús Sánchez