Nuno Pereira wrote:
> Michael Stassen wrote:
>> Ehrwin Mina wrote:
>>> You can make a shell script or a php script or a perl script by that
>>> way you can hide the commands you need to execute.
>>> Make a shell script (myshell.sh)
>>> db1="mysql -u$myuser -pmypasswd -Dmydb -h$myhost -P$myport"
>>> echo "repair table employee" | $db1
>>> echo "unlock table " | $db1
>> This is no more secure, as it still puts the password on the command
>> line. Your script amounts to
>> echo "repair table employee" | mysql -udbuser -pdbpassword -Ddbname
>> -hlocalhost -P3306
>> echo "unlock table " | mysql -udbuser -pdbpassword -Ddbname
>> -hlocalhost -P3306
>> The password is on the command line of the commands issued by the
>> script, so it can be seen with ps.
> That isn't true. If you run ps, you will see something like "mysql -p
> x xxxxxxxx ................".
From the manual <http://dev.mysql.com/doc/mysql/en/password-security.html>:
shell> mysql -u francis -pfrank db_name
This is convenient but insecure, because your password becomes visible to
system status programs such as ps that may be invoked by other users to
display command lines. MySQL clients typically overwrite the command-line
password argument with zeros during their initialization sequence, but
there is still a brief interval during which the value is visible.
You see? The client overwrites the password (producing the "x xxxxxxxx"), but
it is visible via ps until then. That makes you vulnerable to ps sniffing.
The recommended two methods for secure entering of passwords:
* Use -p without the password for interactive clients (you get prompted for
* Use an option file to store the password. This works for both interactive
and non-interactive jobs.
See the manual page referenced above for the details.
> As I said before, you can use something like:
> "mysql -uUser --password=`cat password_file` db"
> See http://lists.mysql.com/mysql/186720.
You can, but why are you reinventing the wheel? Option files have already
been provided for this purpose. In what way is storing the batch user
password in 'password_file' better than storing it in an option file?
In fact, it is worse. Your shell executes `cat password_file` to get
"password", then executes `mysql -uUser --password="password" db`. Again, the
password is briefly visible to ps, until the client overwrites it.
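An added example, not from any message in this thread, of the option-file approach Michael recommends: the password is written to a private [client] option file and the batch job is pointed at that file with --defaults-extra-file, so nothing in the command line (and therefore in ps output) contains the password. File names, user and database are constructed for the example; the mysql client itself is not invoked.

```shell
#!/bin/sh
# Added example: keep the MySQL password out of the command line by storing
# it in an owner-only option file and referencing that file instead.

# Write a [client] option file that only its owner can read.
write_client_option_file() {
    file=$1; user=$2; pass=$3
    rm -f "$file"                      # umask only applies to a new file
    ( umask 077                        # subshell so the umask stays local
      printf '[client]\nuser=%s\npassword=%s\n' "$user" "$pass" > "$file" )
}

# Return 0 only if the file has no group or other permission bits set
# (mode column of "ls -ld" looks like -rw-------).
option_file_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Build the batch command line. --defaults-extra-file must be the first
# option; the password never appears in argv, only the path to the file.
# Refuses to build the command if the option file is readable by others.
batch_command() {
    file=$1; db=$2; sql=$3
    option_file_is_private "$file" || return 1
    printf 'mysql --defaults-extra-file=%s -D%s -e "%s"\n' "$file" "$db" "$sql"
}

# Typical use (constructed names):
#   write_client_option_file "$HOME/.my-batch.cnf" batchuser 's3cret'
#   eval "$(batch_command "$HOME/.my-batch.cnf" mydb 'REPAIR TABLE employee')"
```

Compare with `mysql -ubatchuser -ps3cret ...` or `--password=\`cat password_file\``, where the password sits in argv until the client overwrites it.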