List: General Discussion
From: Michael Stassen   Date: July 29 2005 3:41pm
Subject: Re: mysql command line execution
Nuno Pereira wrote:

> Michael Stassen wrote:
> 
>> Ehrwin Mina wrote:
>>
>>> Jeff,
>>>
>>> You can make a shell script or a php script or a perl script by that 
>>> way you can hide the commands you need to execute.
>>>
>>> eg.
>>>
>>> Make a shell script (myshell.sh)
>>>
>>> #!/bin/sh
>>>
>>> myuser=dbuser
>>> mypasswd=dbpassword
>>> mydb=dbname
>>> myhost=localhost
>>> myport=3306
>>>
>>> db1="mysql -u$myuser -p$mypasswd -D$mydb -h$myhost -P$myport"
>>>
>>> echo "repair table employee" | $db1
>>> echo "unlock table " | $db1
>>>
>>> exit
>>
>> This is no more secure, as it still puts the password on the command 
>> line. Your script amounts to
>>
>> echo "repair table employee" | mysql -udbuser -pdbpassword -Ddbname 
>> -hlocalhost -P3306
>>
>> echo "unlock table " | mysql -udbuser -pdbpassword -Ddbname 
>> -hlocalhost -P3306
>>
>> The password is on the command line of the commands issued by the 
>> script, so it can be seen with ps.
> 
> That isn't true. If you make a ps, you will see something like "mysql -p 
> x xxxxxxxx ................".

From the manual <http://dev.mysql.com/doc/mysql/en/password-security.html>:

   shell> mysql -u francis -pfrank db_name

   This is convenient but insecure, because your password becomes visible to
   system status programs such as ps that may be invoked by other users to
   display command lines. MySQL clients typically overwrite the command-line
   password argument with zeros during their initialization sequence, but
   there is still a brief interval during which the value is visible.

You see?  The client overwrites the password (producing the "x xxxxxxxx"), but 
it is visible via ps until then.  That makes you vulnerable to ps sniffing. 
The two recommended methods for entering passwords securely:

  * Use -p without the password for interactive clients (you get prompted for 
the password).

  * Use an option file to store the password.  This works for both interactive 
and non-interactive jobs.

See the manual page referenced above for the details.

> As I said before, you can use something like:
> "mysql -uUser --password=`cat password_file` db"
> 
> See http://lists.mysql.com/mysql/186720.

You can, but why are you reinventing the wheel?  Option files have already 
been provided for this purpose.  In what way is storing the batch user 
password in 'password_file' better than storing it in an option file?

In fact, it is worse.  Your shell executes `cat password_file` to get 
"password", then executes `mysql -uUser --password="password" db`.  Again, the 
password is briefly visible to ps, until the client overwrites it.

Michael
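As an added illustration (not part of Michael's post or the thread), the script below does two things: it audits a process listing for mysql clients that carry a password in their arguments, which is exactly the exposure discussed above, and it writes the owner-only option file the manual recommends so a batch job never puts the password in argv. The function names and the sample `ps -eo args` output are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and SAMPLE_PS are constructed.
set -eu

# Constructed sample of `ps -eo args` output: two clients started with the
# password on the command line, one using an option file, one using a bare -p.
SAMPLE_PS='/bin/sh /usr/local/bin/myshell.sh
mysql -udbuser -pdbpassword -Ddbname -hlocalhost -P3306
mysql -uUser --password=s3cret db
mysql --defaults-extra-file=/etc/mysql/batch.cnf dbname
mysql -u francis -p db_name'

# Print every mysql command line carrying a password argument: -pXXX (a bare
# -p only prompts, and -P is the port) or --password=XXX. Returns 1 if none.
find_exposed_passwords() {
    printf '%s\n' "$1" \
        | grep -E '(^|[[:space:]])(-p[^[:space:]]+|--password=[^[:space:]]*)' \
        | grep -E '(^|/)mysql([[:space:]]|$)' || return 1
}

# Write a [client] option file readable only by its owner ($1 = path,
# $2 = user, $3 = password). The client reads the password from disk, so it
# never appears in a process listing. printf avoids echo's escape handling.
write_option_file() {
    umask 077
    printf '[client]\nuser=%s\npassword=%s\nhost=localhost\nport=3306\n' \
        "$2" "$3" > "$1"
}

# Equivalent of the thread's `echo "repair table employee" | $db1`, with
# ps showing only: mysql --defaults-extra-file=<path> <db>
run_batch() {
    printf '%s\n' "$3" | mysql --defaults-extra-file="$1" "$2"
}

# Usage (needs a reachable server; not exercised by the audit above):
#   write_option_file /etc/mysql/batch.cnf batchuser 'secret'
#   run_batch /etc/mysql/batch.cnf dbname 'repair table employee'
```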