• Developer Zone
• Lists Home
• FAQ

Hi!

Nuno Pereira wrote:
> Michael Stassen wrote:
> 
>> [[...]]
>>
>> echo "unlock table " | mysql -udbuser -pdbpassword -Ddbname 
>> -hlocalhost -P3306
>>
>> The password is on the command line of the commands issued by the 
>> script, so it can be seen with ps.
> 
> 
> That isn't true. If you make a ps, you will see something like "mysql -p 
> x xxxxxxxx ................".

This does not work / happen everywhere, AFAIK. In inexact terms:

When a Unix-style system (including Linux) starts a process, the command 
line arguments are provided by the parent process (typically: the shell) 
which then calls fork() and exec(). Across the exec(), they are stored 
in some system area linked to the process table.
 From there, they are copied to the new program's address space to be 
accessed as the "char **argv" parameter of main().
The program can modify argv, but it cannot modify the system area.

Now AFAIK there are systems where "ps" will look at the program's 
address space and see the changed arguments, but also ones where ps will 
look at the system's address space and see the original arguments (and 
report them!).

> 
> As I said before, you can use something like:
> "mysql -uUser --password=`cat password_file` db"

This does not change anything, as backticks are evaluated by the shell. 
When mysql is started in this way, the password is still a plaintext 
argument.


Jörg

-- 
Joerg Bruehe, Senior Production Engineer
MySQL AB, www.mysql.com