Nuno Pereira wrote:

Michael Stassen wrote:

Ehrwin Mina wrote:

Jeff,

You can make a shell script or a php script or a perl script by that way you can hide the commands you need to execute.

eg.

Make a shell script (myshell.sh)

#!/bin/sh

myuser=dbuser
mypasswd=dbpassword
mydb=dbname
myhost=localhost
myport=3306

# Quote the assignment so the whole command string is stored in db1, and
# expand the variables (the original wrote -pmypasswd and -Dmydb literally).
db1="mysql -u$myuser -p$mypasswd -D$mydb -h$myhost -P$myport"

echo "repair table employee" | $db1
echo "unlock table " | $db1

exit

This is no more secure, as it still puts the password on the command line. Your script amounts to

echo "repair table employee" | mysql -udbuser -pdbpassword -Ddbname -hlocalhost -P3306

echo "unlock table " | mysql -udbuser -pdbpassword -Ddbname -hlocalhost -P3306

The password is on the command line of the commands issued by the script, so it can be seen with ps.

That isn't true. If you run ps, you will see something like "mysql -p x xxxxxxxx ................".

From the manual <http://dev.mysql.com/doc/mysql/en/password-security.html>:

  shell> mysql -u francis -pfrank db_name

  This is convenient but insecure, because your password becomes visible to
  system status programs such as ps that may be invoked by other users to
  display command lines. MySQL clients typically overwrite the command-line
  password argument with zeros during their initialization sequence, but
  there is still a brief interval during which the value is visible.

You see? The client overwrites the password (producing the "x xxxxxxxx"), but it is visible via ps until then. That makes you vulnerable to ps sniffing. The two recommended methods for entering passwords securely are:

* Use -p without the password for interactive clients (you get prompted for the password).

* Use an option file to store the password. This works for both interactive and non-interactive jobs.

See the manual page referenced above for the details.

As I said before, you can use something like:
"mysql -uUser --password=`cat password_file` db"

See http://lists.mysql.com/mysql/186720.

You can, but why are you reinventing the wheel? Option files have already been provided for this purpose. In what way is storing the batch user password in 'password_file' better than storing it in an option file?

In fact, it is worse. Your shell executes `cat password_file` to get "password", then executes `mysql -uUser --password="password" db`. Again, the password is briefly visible to ps, until the client overwrites it.

Michael

--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe:    http://lists.mysql.com/[EMAIL PROTECTED]
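The option-file approach Michael recommends, as an added example that is not from the thread or from the MySQL project: a POSIX shell helper that writes a `[client]` option file readable only by its owner and builds the batch invocation with `--defaults-extra-file`, so the password is never a command-line argument. The path, user and password values are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Keeps the batch user's credentials in a
# MySQL option file instead of passing -p<password> on the command line, so
# the password never appears in the process table that ps reads.

# write_option_file PATH USER PASSWORD HOST PORT
# Creates PATH with mode 0600 (umask is set in a subshell so it does not
# leak into the caller) holding a [client] group that every MySQL client reads.
write_option_file() {
    rm -f "$1"
    (
        umask 077
        cat > "$1" <<EOF
[client]
user=$2
password=$3
host=$4
port=$5
EOF
    )
}

# option_file_is_private PATH: succeeds only if PATH is readable and
# writable by its owner alone. Tries GNU stat first, then BSD/macOS stat.
option_file_is_private() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1" 2>/dev/null)
    [ "$mode" = "600" ]
}

# mysql_cmd PATH DBNAME: prints the client invocation for a batch job. The
# credentials come from the option file, so neither user nor password is an
# argument; --defaults-extra-file is read after the global option files.
mysql_cmd() {
    printf 'mysql --defaults-extra-file=%s -D%s\n' "$1" "$2"
}

# Typical use (constructed values; not executed here so the script runs offline):
#   write_option_file /etc/mysql/batch.cnf dbuser dbpassword localhost 3306
#   echo "repair table employee" | $(mysql_cmd /etc/mysql/batch.cnf dbname)
```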