Michael Stassen wrote:
> Nuno Pereira wrote:
>
>> Michael Stassen wrote:
>>
>>> Ehrwin Mina wrote:
>>>
>>>> Jeff,
>>>>
>>>> You can make a shell script, a PHP script or a Perl script; that
>>>> way you can hide the commands you need to execute.
>>>>
>>>> eg.
>>>>
>>>> Make a shell script (myshell.sh)
>>>>
>>>> #!/bin/sh
>>>>
>>>> myuser=dbuser
>>>> mypasswd=dbpassword
>>>> mydb=dbname
>>>> myhost=localhost
>>>> myport=3306
>>>>
>>>> db1="mysql -u$myuser -p$mypasswd -D$mydb -h$myhost -P$myport"
>>>>
>>>> echo "repair table employee" | $db1
>>>> echo "unlock table " | $db1
>>>>
>>>> exit
>>>
>>>
>>> This is no more secure, as it still puts the password on the command
>>> line. Your script amounts to
>>>
>>> echo "repair table employee" | mysql -udbuser -pdbpassword -Ddbname -hlocalhost -P3306
>>>
>>> echo "unlock table " | mysql -udbuser -pdbpassword -Ddbname -hlocalhost -P3306
>>>
>>> The password is on the command line of the commands issued by the
>>> script, so it can be seen with ps.
>>
>>
>> That isn't true. If you run ps, you will see something like "mysql
>> -p x xxxxxxxx ................".
>
>
> From the manual
> <http://dev.mysql.com/doc/mysql/en/password-security.html>:
>
> shell> mysql -u francis -pfrank db_name
>
> This is convenient but insecure, because your password becomes visible to
> system status programs such as ps that may be invoked by other users to
> display command lines. MySQL clients typically overwrite the command-line
> password argument with zeros during their initialization sequence, but
> there is still a brief interval during which the value is visible.
>
> You see? The client overwrites the password (producing the "x
> xxxxxxxx"), but it is visible via ps until then. That makes you
> vulnerable to ps sniffing. The two recommended methods for securely
> entering passwords:
>
> * Use -p without the password for interactive clients (you get prompted
> for the password).
>
> * Use an option file to store the password. This works for both
> interactive and non-interactive jobs.
>
> See the manual page referenced above for the details.
>
>> As I said before, you can use something like:
>> "mysql -uUser --password=`cat password_file` db"
>>
>> See http://lists.mysql.com/mysql/186720.
>
>
> You can, but why are you reinventing the wheel? Option files have
> already been provided for this purpose. In what way is storing the
> batch user password in 'password_file' better than storing it in an
> option file?
Storing it in an option file didn't work, so I use this option.
>
> In fact, it is worse. Your shell executes `cat password_file` to get
> "password", then executes `mysql -uUser --password="password" db`.
> Again, the password is briefly visible to ps, until the client
> overwrites it.
>
> Michael
>
>
>
--
Nuno Pereira
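
As an added illustration of the point Michael makes above (this is not code from anyone in this thread, and it needs no MySQL server), the following POSIX shell script starts a stand-in process carrying the same argument list a mysql invocation would have, reads that list back the way ps does, and shows that both -pPASSWORD and --password=`cat password_file` leave the password in it, while an option file handed over with --defaults-extra-file does not. The user name dbuser, the database name dbname, the password value and the file names are made up for the demonstration; the script assumes a Linux /proc and falls back to `ps -o args=` elsewhere. The stand-in never zeroes its argv, so it shows exactly the window the manual describes, before the real client overwrites the value.

```shell
#!/bin/sh
# Added example for this thread, not code posted by any participant.
# It shows, without a MySQL server, why a password placed on the command
# line (directly, or expanded from `cat password_file`) is visible to ps,
# and how an option file keeps it out of argv. Assumptions: a Linux /proc
# (falls back to `ps -o args=`); the user name, password and file names are
# made up for the demonstration.

# Start a stand-in process whose argument list is exactly "$@" and print
# that list the way ps sees it. `sh -c` copies its positional parameters
# into the new process's argv, so it mimics a client that has not (yet)
# zeroed the password. The TERM trap stops the sleep when the stand-in is killed.
capture_argv() {
    sh -c 'sleep 10 & trap "kill $!" TERM; wait' "$@" >/dev/null 2>&1 &
    pid=$!
    argv=""
    # Poll until the child has exec'd (its argv then contains "$1").
    for try in 1 2 3 4 5; do
        if [ -r "/proc/$pid/cmdline" ]; then
            argv=$(tr '\000' ' ' < "/proc/$pid/cmdline")
        else
            argv=$(ps -o args= -p "$pid")
        fi
        case "$argv" in *"$1"*) break ;; esac
        sleep 1
    done
    kill "$pid" 2>/dev/null || :
    wait "$pid" 2>/dev/null || :
    printf '%s\n' "$argv"
}

# Report whether the argument list "$@" exposes the string $1.
check_argv() {
    needle=$1; shift
    case "$(capture_argv "$@")" in
        *"$needle"*) echo leaks ;;
        *)           echo clean ;;
    esac
}

# Write a client option file. umask 077 makes it mode 0600 from the moment
# it exists, so other users cannot read the password out of it either.
# (Quote the value, password="...", if it contains # or ; characters.)
write_option_file() {
    dir=$1 user=$2 password=$3
    file="$dir/my.cnf"
    (
        umask 077
        printf '[client]\nuser=%s\npassword=%s\n' "$user" "$password" > "$file"
    )
    printf '%s\n' "$file"
}

# --- demonstration -------------------------------------------------------
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
secret='s3cret-demo-value'          # constructed value, not a real credential
printf '%s\n' "$secret" > "$work/password_file"

# 1. Password inline: the whole value sits in argv until the client zeroes it.
printf 'inline -p:            %s\n' \
    "$(check_argv "$secret" mysql -udbuser "-p$secret" dbname)"

# 2. `cat password_file`: the shell expands it before exec, so argv is the same.
printf 'cat password_file:    %s\n' "$(check_argv "$secret" mysql -udbuser \
    "--password=$(cat "$work/password_file")" dbname)"

# 3. Option file: argv carries only the file name (it must be the first option).
cnf=$(write_option_file "$work" dbuser "$secret")
printf 'defaults-extra-file:  %s\n' \
    "$(check_argv "$secret" mysql "--defaults-extra-file=$cnf" dbname)"
ls -l "$cnf"
```

Two practical notes: --defaults-extra-file has to be the first option on the mysql command line, and the file must be unreadable by other users, otherwise the password is simply moved from ps to a world-readable file. With ~/.my.cnf (mode 0600) no option is needed at all, and a [client] section is picked up by every MySQL client program (mysqldump, mysqladmin, ...), which is usually what a batch job wants.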