tags:

views:

360

answers:

4
+4  Q: 

How can I hide a password/username used in a bash script for accessing MySQL?

I am writing a bash script that I plan to execute via cron. In this script, I want to execute a command against a MySQL database, something like this:

$ mysql -u username -ppassword -e 'show databases;'

For clarity and those not familiar with mysql, the "-u" switch accepts the username for accessing the database and the "-p" is for password (space omitted purposely).

I am looking for a good way to keep the username/password handy for use in the script, but in a manner that will also keep this information secure from prying eyes. I have seen strategies that call for the following:

  1. Keep password in a file: pword.txt
  2. chmod 700 pword.txt (remove permissions for all except the file's owner"
  3. Cat pword.txt into a variable in the script when needed for login.

but I don't feel that this is very secure either (something about keeping passwords in the clear makes me queasy).

So how should I go about safeguarding password that will be used in an automated script on Linux?

+1  A: 

The only truly safe way to guard your password is to encrypt it. But then you have the problem of safeguarding the encryption key. This problem is turtles all the way down.

When the good people who build OpenSsh tackled this problem, they provided a tool called ssh-agent which will hold onto your credentials and allow you to use them to connect to a server at need. But even ssh-agent holds a named socket in the filesystem, and anybody who can get access to that socket can act using your credentials.

I think the only two alternatives are

  • Have a person type a password.

  • Trust the filesystem.

I'd trust only a local filesystem, not a remote mounted one. But I'd trust it.

Security is hell.

Norman Ramsey  2010-01-27 02:44:07
trust the filesystem = trust the sysadmin that manages the server
AJ  2010-01-27 02:52:11
@AJ: Of course. If you don't trust your sysadmin, you may as well give up (or secede). Even an encrypted filesystem is not much protection against a malicious sysadmin who has insider access.
Norman Ramsey  2010-01-27 04:00:41
A: 

I'll agree with Norman that you should have someone type the password. If you just supply the -p flag without an accompanying password, it will prompt the user for it.

Tor Valamo  2010-01-27 02:46:37
No user to enter the password when it's a CRON job.
OMG Ponies  2010-01-27 02:51:28
A: 

Please see the doc for some guidelines. an extra step you can take is to restrict the use of ps command for normal users, if they have the permission to access the server.

ghostdog74  2010-01-27 02:48:22
A: 

One way you can obfuscate the password is to put it into an options file. This is usually located in ~/.my.cnf on UNIX/Linux systems. Here is a simple example showing user and password:

[client]
user=aj
password=mysillypassword
AJ  2010-01-27 02:50:13
This will at least keep the info in one location (albeit in the clear). Does the option file get read when the mysql call is done in a script executed by cron?
shambleh  2010-01-29 03:35:30
@shambleh, on my environment it does. I'm on Debian Etch (4.0).
AJ  2010-01-29 04:48:21

related questions

Remove Quotes and Commas from a String in MySQL
What's the best way of converting a mysql database to a sqlite one?
How do you manage databases in development, test, and production?
Multiple foreign keys?
Add 1 to a field (MySQL)
Issues using MS Access as a front-end to a MySQL database back-end?
Bigger than a char but smaller than a blob
How do I retrieve my MySQL username and password?
Long-time LAMP Developer moving to VB.NET
How do I Concatenate entire result sets in MySQL?
Full complete MySQL database replication? Ideas? What do people do?
SQL: Distribution of table in time
SQLite vs MySQL
How do I create a new Ruby on Rails application using MySQL instead of SQLite?
Multiple Updates in MySQL
MySQL/Apache Error in PHP MySQL query
What all do I need to escape when sending a (My)SQL query?
Auto Generate Database Diagram MySQL
Mechanisms for tracking DB schema changes
How big can a MySQL database get before performance starts to degrade.
Python and MySQL
SQL Server 2005 implementation of MySQL REPLACE INTO?
How to export data from SQL Server 2005 to MySQL
Throw Error In MySQL Trigger
Binary Data in MySQL