I'm automating the process of creating WordPress sites with a custom shell script.
Is it possible to encrypt MYSQL passwords with BCrypt for WordPress? If so, what's the best way to approach this?
Snippet:
#!/bin/bash
execute="
CREATE DATABASE IF NOT EXISTS $dbName;
GRANT SELECT, INSERT, UPDATE, DELETE
ON $dbName.*
TO '$dbUser'#'localhost' IDENTIFIED BY '$dbPass';
FLUSH PRIVILEGES;
"
mysql -uroot -p --show-warnings -e "$execute"
With Ruby, I can encrypt it like so:
encryptedPass="$(ruby -e "require'bcrypt';puts BCrypt::Password.create('$dbPass')")"
Write your own WordPress plugin to convert the hashes using BCrypt.
Also, if you plan to go this route, make sure to audit your code thoroughly. I've included two links that have helped me get started down the path and I'm hoping they might help anyone else who's interested in hardening their setup.
http://www.ethicalhack3r.co.uk/greping-for-bugs-in-php/
https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet
Related
Unfortunately, I have removed super user privileges from postgres user in PostgreSQL. And currently I have not any super user in PostgreSQL. And i want to make superuser. So how can i make it ? Every time I am trying to make postgres to super user. I am facing this problem.
Error : must be superuser to alter superusers.
(assuming you have root access on Ubuntu machine)
To enter psql as super user you need to:
sudo -u postgres psql
as suggested in this SO post here
If there is no user called postgres you need to create it on system first, with:
sudo adduser newuser
Else, if you have problems with password not accepted or not created at all you can follow (Ubuntu 14.04 related) instructions here or for more on user accounts look here
For me helps:
sudo -u gleb psql postgres
where gleb is my mac system user
Adding to Craig Ringer's answer, here is the procedure for MacOS and Brew if you accidentally downgrade your only PostgreSQL user:
brew services stop postgresql
Wait a few seconds and/or check Activity Monitor to make sure "postgres" is no longer running.
/usr/local/Cellar/postgresql/10.4/bin/postgres --single -D /usr/local/var/postgres
backend> ALTER USER "yourname" with superuser; or whatever privilege you need to fix
CTRL-D
brew services start postgresql
You're going to have to stop the database system and start a stand-alone back-end, which always unconditionally runs as a superuser.
You can use this backend to ALTER the user you wish to give superuser rights to. Then shut the standalone backend down and start the database normally.
It is important that you completely stop the database server before entering single user mode. PostgreSQL single user mode will refuse to start if there's a postmaster, but to be sure you should make sure there are no PostgreSQL processes running on your system. Under (almost) no circumstances should you ever delete postmaster.pid - that's pretty much guaranteed to result in database corruption if there's still any PostgreSQL process accessing that data directory.
Exactly how to start a standalone back-end depends a bit on your OS/distro and how you installed PostgreSQL. You haven't included this info, so I can only really point you at the manual for the postgres back-end executable.
Make a backup first.
In the single-user mode, the session user will be set to the user with ID 1, and implicit superuser powers are granted to this user. This user does not actually have to exist, so the single-user mode can be used to manually recover from certain kinds of accidental damage to the system catalogs.
See the section Options for Single User mode and, toward the bottom, Usage. You'll want to run the postgres backend with --single, as the unix user that owns the database files, with the path to the datadir. On a typical Linux PostgreSQL install this might be something like:
sudo systemctl stop postgresql-9.3.service
sudo -u postgres /usr/pgsql-9.3/bin/postgres --single -D /var/lib/pgsql/9.3/data
Your datadir and postgres executable location are quite possibly different. The above is for a Fedora system running with PGDG PostgreSQL packages from http://yum.postgresql.org/ .
Assuming that your system user is 'ec2-user'
So try this to enter as superuser
psql -U ec2-user postgres
This will enter you as ec2-user as superuser using postgres db
Now, change postgres user roles to superuser
ALTER USER postgres WITH SUPERUSER;
Quit from above console and now you can open psql using postgres user as superuser
psql -U postgres
Note: I tested this on PostgreSQL 12.5
SELECT usename AS role_name,
CASE
WHEN usesuper AND usecreatedb THEN
CAST('superuser, create database' AS pg_catalog.text)
WHEN usesuper THEN
CAST('superuser' AS pg_catalog.text)
WHEN usecreatedb THEN
CAST('create database' AS pg_catalog.text)
ELSE
CAST('' AS pg_catalog.text)
END role_attributes
FROM pg_catalog.pg_user
ORDER BY role_name desc;
log with root_user then give superuser to postgres
I've heard that directly inputting your password on the command line is a bad idea, because anyone could see the "secret" in
mysql -u root -psecret
by browsing history.
I have a password for my MySQL database stored in a text file with limited read permissions, and was wondering if it is safe to access it in the following way:
mysql -u root -p$(cat ~/.mysql_pass)
Browsing history, I see the command printed, not the literal value. So it seems like it's working the way I want it to.
I'm sure there are better ways of handling passwords, I would just like to know whether or not this one is leaving my password completely out in the open.
You've suggested using the following:
mysql -u root -p$(cat ~/.mysql_pass)
However, the subcommand will be expanded before mysql is executed and so even if this isn't available in the command history, it's entirely possible for someone to view the process list just after invocation and see your password.
I think a better approach is to use a mysql client options file and have the mysql command read the password from the options file.
Just type mysql -u root -p and you'll get a prompt to enter your password and it won't be stored in the history.
I am a student learning sql and working an assignment to set up a database in mySQL 5.5 community version. The command I am given does not work as detailed. Here is what I have done so far:
This is the command that I am told to use after setting up mySQL 5.5.
mysql –h localhost –u root -p
This brings back a long screen of help commands. I found out that instead I need to use:
mysql -u root -p. Then I get my password prompt that works. That starts sql. Next I was given these statements to create a user named user1.
USE mysql;
create user ‘user1’#’localhost’ identified by ‘user1’;
grant select, insert, update, delete, create, drop, references, execute on *.* to ‘user1’#’localhost’;
exit
I entered these line by line and they seem to work. No errors are returned. However when I try to start the user with the following commands:
Login as user1
mysql –h localhost –u user1 –p
password is user1
I get a long list of help commands when i exexute the mysql line.
What is incorrect with the commands I have executed and also why? I initially think it may be that these commands were written for an earlier version? I was initially told to reinstall mysql and did that with no errors. I get the same results as before reinstalling it. If I need to explain or add screenshots, I will be glad to do so.
http://dev.mysql.com/doc/refman/5.0/en/connecting.html
mysql -h localhost -u user1 -ppassword database_name_here
Your other option:
mysql -h localhost -u user1 -p database_name_here
But for the second one you will have to type the password.
Sorry for not answering you question specifically, but I recommend you to get an interface to mySQL which makes it all a bit easier. In my case I still use the terminal to perform some queries once in a while, but for user management and to get a better presentation I use phpMyAdmin which makes the whole process much more neat. Good luck!
I need to do encryption / decryption via sql (mysql) in rails. The reason i need this is because i need to do this with thinking sphinx, which talks to my database in sql. What kind of tools do i need, and how do i use them (like what documentation is there, especially for use with rails, if it is not as simple as a gem) for what is out there.
Thanks for any help i get. (im on rails 3 if it helps)
as others have already asked, i am not sure what you are trying to achieve.
I used encryption(loosely used) if someone who you suspect might be accessing info or databases they are not supposed to view. If it helps, you could grant privileges to users to access specific databases within mysql.
Normally if your mysql is a new install you can login to it by doing this:
mysql -u root -p
and then press enter without typing a password then it logs you into mysql
mysql>
Lets assume we have a database called "chicken_farm_development" and we want to grant access to the user "farmer_brown"
Then we could grant privileges to "famer_brown" to only access "chicken_farm_development" database and nothing else in mysql(so farmer_brown cannot access "joes_pizza_development" database). We do this in mysql:
mysql> GRANT ALL PRIVILEGES ON chicken_farm_development.*
-> TO 'farmer_brown'#'localhost'
-> IDENTIFIED BY 'mysecretpassword';
To check that this works:
mysql> SHOW GRANTS FOR 'farmer_brown'#'localhost';
and it should display the grants for farmer_brown.
So how can you use this?
Not really sure how thinking sphinx is setup, but you could grant access for thinking sphinx to use a specific database, without affecting any other databases you might have, and can be extrapolated to production environments.
to login to mysql as farmer_brown, you would do this:
$ mysql -u farmer_brown -p chicken_farm_development
Enter password:
and whooohooo!, farmer brown now only has access to chicken_cms_developement database. In summary you can grant access to specific databases. Hope this helps a little as it was a bit unclear as to what you were asking.
My requirement is to create a user for remote login but without a password. At my remote space I use a bash script to do inserts, which is something like:
for i in {1..5000}; do
mysql -h 11.40.3.169 -uUser -pPass -DDatabaseName <<<
"insert into DatabaseTableName values('$i','dummy_$i');" &
echo -n "$i "
sleep 1
date
done
The problem is that each insert is taking almost 4 seconds, and I can not pinpoint the problem to anything but authentication at every insert. So, if I could create a user in MySQL with minimal authentication involved...Something like:
# I'm trying to remove this password
GRANT ALL PRIVILEGES TO 'user'#'%' IDENTIFIED BY 'password';
...Anything you can suggest.
Just remove the IDENTIFIED BY part:
GRANT ALL PRIVILEGES ON *.* TO 'user'#'%'
Note that remote login from anywhere without a password is a very insecure thing. You better limit the allowed IP range for this user:
GRANT ALL PRIVILEGES ON *.* TO 'user'#'allowed_remote_machine'
You can do this by creating a user with a password and then placing a .my.cnf file in the home directory of the account which runs the bash script containing the following:
[mysql]
user=user
password=pass
[mysqladmin]
user=user
password=pass
This might be better than creating a user with no password.
I think your problem lies in the fact that you are starting the mysql client for each insert. You should be doing your inserts from a php, java, etc program - not from a shell script.
The startup time of the client (and connection to the host) is killing you. I routinely do 1000s of inserts per minute from a php or java program to a MySQL database with millions of records on a small (CPU/memory) machine.
It's not so good idea to have a user without password and all privileges. I suggest you to create a user without password but just with some privileges (insert to specific table or specific database).
First off, using a client cnf file on the remote machine running the script wont speed this up. MySQL client is still sending logon information and logging in for each insert, it's just reading.a file for uid/pw instead of using cmd line arguments. AFAIK The network and authentication overhead are identical. Even the network packet contents will be the same.
You should still use a cnf file..
The way to.improve performance is to do multi-line linserts:
MySQL --defaults-file=/some/uid/pw/etc/.client.cnf -e \
"Insert into
tbl_name
('fld1','fld2')
values
('r1-fld1','r1-fld2'),
('r2-fld2','r2-fld2'),
...and so on (up to max_allowed_packet_size)
('r500-fld2','r500-fld2');"
Or READ DATA INFILE on server side after shipping over the data file