The simplest solution is to keep the password in the .my.cnf file in your home directory. See http://www.mysql.com/doc/en/Option_files.html in the manual.
In the case of root cron jobs then, you need a .my.cnf readable only by root in root's home. It should include
[client] password="mysql_root_password"
As mysql reads the .my.cnf file, this avoids the ps "sniffing" problem, and also keeps the password out of the script. Because you make the .my.cnf file readable only by root, other users can't see it. (If they can see it, you've got bigger problems than just the mysql password).
Michael
David T-G wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Dan, et al --
...and then Dan Greene said...
% % you could put a shell script as the actual cron job, and make the
% file only read-able by root, using an environment variable as the
% password passed (defined in shell script file), so that way even if
% someone 'sniffs' the process via 'ps -ef' they don't see the actual
% password (if they happen to catch the setting of the env var that's
% another story, but _much_ less likely)
What, you've never used 'ps aguxwwe' before? Heh.
The closest I might come to a better answer is the same sort of scripted setup but to redirect mysql from a file (or a heredoc) containing the password so that it doesn't show up anywhere in ps. But you still have the password right there in the file; that sure sucks!
This actually brings up a different question: how can one reliably and securely and yet without human interaction run database queries? I've wondered this for a while, and I think I brought it up on this list some time ago, and there was some talk of X.500 certificates, but I don't recall anything beyond that (including any sort of satisfactory answer).
Those of you who store your passwords in the script file for all to see, how do you keep all from seeing them? And those of you who don't, what are you doing to stay secure? And those of you who have a different approach, what is it?
TIA & HAND
:-D
- -- David T-G * There is too much animal courage in
-- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED]
