Michael Stassen wrote:
Nuno Pereira wrote:
Michael Stassen wrote:
Ehrwin Mina wrote:
Jeff,
You can make a shell script, a PHP script, or a Perl script; that
way you can hide the commands you need to execute.
e.g.
Make a shell script (myshell.sh)
#!/bin/sh
myuser=dbuser
mypasswd=dbpassword
mydb=dbname
myhost=localhost
myport=3306
db1="mysql -u$myuser -p$mypasswd -D$mydb -h$myhost -P$myport"
echo "repair table employee" | $db1
echo "unlock table " | $db1
exit
This is no more secure, as it still puts the password on the command
line. Your script amounts to
echo "repair table employee" | mysql -udbuser -pdbpassword -Ddbname -hlocalhost -P3306
echo "unlock table " | mysql -udbuser -pdbpassword -Ddbname -hlocalhost -P3306
The password is on the command line of the commands issued by the
script, so it can be seen with ps.
That isn't true. If you make a ps, you will see something like "mysql
-p x xxxxxxxx ................".
From the manual
<http://dev.mysql.com/doc/mysql/en/password-security.html>:
shell> mysql -u francis -pfrank db_name
This is convenient but insecure, because your password becomes visible to
system status programs such as ps that may be invoked by other users to
display command lines. MySQL clients typically overwrite the command-line
password argument with zeros during their initialization sequence, but
there is still a brief interval during which the value is visible.
You see? The client overwrites the password (producing the "x
xxxxxxxx"), but it is visible via ps until then. That makes you
vulnerable to ps sniffing. The recommended two methods for secure
entering of passwords:
* Use -p without the password for interactive clients (you get prompted
for the password).
* Use an option file to store the password. This works for both
interactive and non-interactive jobs.
See the manual page referenced above for the details.
As I said before, you can use something like:
"mysql -uUser --password=`cat password_file` db"
See http://lists.mysql.com/mysql/186720.
You can, but why are you reinventing the wheel? Option files have
already been provided for this purpose. In what way is storing the
batch user password in 'password_file' better than storing it in an
option file?
Storing in an option file didn't work, so I use this option.
In fact, it is worse. Your shell executes `cat password_file` to get
"password", then executes `mysql -uUser --password="password" db`.
Again, the password is briefly visible to ps, until the client
overwrites it.
Michael
--
Nuno Pereira
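
The option-file method discussed in the thread, as an added example that is not code from any of the posters: a batch script that keeps the password out of the process arguments, plus a check for the -pVALUE and --password=VALUE forms. The function names, file path, user and password are constructed for illustration.

```shell
#!/bin/sh
# Added example; all names, paths and credentials here are constructed.

# Write a [client] option file that only its owner can read.
# umask is set in a subshell and any old file is removed first, so the
# password is never written into a file with wider permissions.
write_option_file() {   # usage: write_option_file PATH USER PASSWORD
    (
        umask 077
        rm -f "$1"
        # The password is quoted so a '#' in it is not read as a comment.
        # Assumption: it contains no double quote or backslash.
        printf '[client]\nuser=%s\npassword="%s"\n' "$2" "$3" > "$1"
    )
}

# Return 0 if the option file is private to its owner (mode 600 or 400).
option_file_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = 600 ] || [ "$mode" = 400 ]
}

# Return 0 if an argument list would put a password into the process
# arguments, where ps can show it: -pVALUE or --password=VALUE.
# A bare -p or --password only asks for a prompt and is not flagged.
argv_exposes_password() {
    for arg in "$@"; do
        case "$arg" in
            --password=?*) return 0 ;;
            -p?*)          return 0 ;;
        esac
    done
    return 1
}

# Run one statement with credentials read from the option file only.
# --defaults-extra-file has to be the first option given to mysql.
run_sql() {   # usage: run_sql OPTION_FILE DATABASE STATEMENT
    mysql --defaults-extra-file="$1" "$2" -e "$3"
}

# Typical use in a batch job (constructed values):
#   write_option_file "$HOME/.batch.cnf" dbuser 'dbpassword'
#   run_sql "$HOME/.batch.cnf" dbname 'REPAIR TABLE employee'
```
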
--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql