Store MySQL password in bash-script - mysql

Need to create simple mysql-backup script.
But - how can I store encrypted pass of MySQL user in it?
I want to avoid store password in plaintext type in any additional files.
As I found in MySQL manual:
MySQL encrypts passwords stored in the user table using its own algorithm
So. there is no way to just get hash and set it as variable?
I mean:
DBHASH="cGFzc3dvcmQ="
DBPASS=`echo $DBHASH | openssl enc -base64 -d`
Is there any correct way to sovle it?
Thanks for tips.

It doesn't matter if the script contains a plaintext password or not if it includes a repeatable routine for getting into MySQL (i.e. automatically decrypting) - an attacker would just do the same. If you could pass the hash/decrypted password and have MySQL compare it would be just as repeatable (and the hash would function as a password anyway).
So, the easy answer is: You can't do this. You have some options...
Set up a correctly chmoded (600) ~/.my.cnf with the credentials.
Create a 'restricted', password-less backup-account that is only allowed to log in from localhost.
Only allow backup logins from localhost/backup host in either case.
If you're on Debian you could use the debian-sys-maint account (which has a my.cnf already set up with credentials)
Restrict the mysql account and include the password in the script plain text, but only allow given user/root to read script (if you have root you can take over mysql anyway).
Read/'source' the config variables (username/password) from an external file (with correct chmod - 600)...but you're basically doing the my.cnf-thing by then.
Remember a "backup account" does not need write privileges etc...

afaict, there's no way to do what you're looking for. Whether you store the hash or the original password, you will anyway store very sensible information that might be evil used if someone gets read access to your script.
What you may prefer, is instead setup up an user account that can't login, and setup up mysql so that user has the exact permissions for your script. And also make it so that this user is the only one having exec access to the script.

Related

How to pass the password securely to MySQL Client with automation

I'm seeking for solution to pass the password securely to MySQL client on *nix platforms while using automated script solution (i.e Bash script).
So far, I had to realize that MySQL ignores password input from stdin at all (still asks for password on terminal, crashes on automation).
The worst, solution using ~/.mylogin.cnf also doesn't work for me, it seems MySQL somehow ignores it at all.
I prefer to not to use the command line -p argument for password to prevent described "all-around" security issues.
--defaults-file and --defaults-extra-file handn't give the solution as well, seems like the password is prompted by client at "all-cost".
Therefore, I'm just running out of solutions for that primitive (at first sight) task!
Any help will be highly appreciated!
I'll try to be short in my findings:
First, the solution using mysql --defaults-extra-file="path/to/file" is actually worked for me among with --default-file option until it is passed as the first argument (as well noticed by Bill Karwin here).
Second, usage of ~/mylogin.cnf also workes fine until the file access restricted for all users except the current account the MySQL client is running under + file is restricted from execution even by current user (chmod u-x) as well, possibly treated by MySQL as a threat due to Linux GUI x permission umbrella on many systems (execute permission is enabled for user, group and others by setting one V in GUI for the file). Still this reason is just a suggestion.

Getting password from CPANEL using phpmyadmin

Good Day
I am a front-end developer, and I know little from MySQL and databases.
I have a Wordpress MySQL database in CPanel. Now I forgot my password, and the password for my user as seen in phpmyadmin is hashed/encrypted.
How do I get the password?
NOTE: I do not have access to the Server since this is a website on a shared hosting account, so doing the following is not possible for me:
See this post on Stack
Stop the MySQL process.
Start the MySQL process with the --skip-grant-tables option.
Start the MySQL console client with the -u root option.
List all the users;
SELECT * FROM mysql.user;
Reset password;
UPDATE mysql.user SET Password=PASSWORD('[password]') WHERE User='[username]';
But DO NOT FORGET to
Stop the MySQL process
Start the MySQL Process normally (i.e. without the --skip-grant-tables option)
when you are finished. Otherwise, your database's security could be compromised.
If your website is working you can probably find the mysql user/password
in the config.php file in your wordpress filesystem.
Otherwise:
Your best option is probably to add a user to the database and give it the needed privileges, to do that:
Click MySQL databases.
Create new user.
Assign new user to your database.
Edit config.php on your wordpress filesystem and change to the new username.
This is sub optimal, but will work.
There is a simple way for you to gain access to your WordPress user info if you don't know the password. I'm assuming you are talking about a WordPress user password retrieval. You need to have access and edit privileges to your database to do this.
-Open up phpMyAdmin or however you prefer to access database tables
-Select your database
-Open the table wp_users
-Under the column 'user_login' you will need to find which entry you want to access. Your username should be in one of the row entries.
-Once found, there will be a 'user_pass' column as well. Now some explaining needs to happen. You cannot retrieve your password without hacking/brute forcing that encryption. These are MD5 hash encrypted passwords. What we are going to do is just simply create a new password here. All you have to do is Google "MD5 Hash generator". I tested this on the first result I found and it worked.
-Once you find a website with a generator just simply type in your password and then retrieve the hash that's given to you. For example I typed in 'password' and I receive '5f4dcc3b5aa765d61d8327deb882cf99' Now we have a new encrypted password to set. If you are worried about sites saving your password entries or hashes just make up a password as a temporary fix. Then you can just login with that and change the password via the WordPress Dashboard later.
-Select the row that your username is in. Click Change/Edit then just copy and paste the entire MD5 Hash into the wp_pass column.(Overwrite the old password btw.) Save/Go/Execute to make sure the table was re-written. In this example I would be pasting '5f4dcc3b5aa765d61d8327deb882cf99' into the column without quotes of course.
-Please be sure to only change the 'wp_pass' entry and to make sure it's corresponding to the correct username.(On the same row)
-Now you should be able to login with your new password.('password')

MySQL root-login with SSH private key?

Suppose Mysql -dbs and an admin with a bad habbit to forget the passwords (or paranoid enough wanting more creative authentication, not just password). Is it possible to access Mysql -root shell for example in a way that the Ssh-agent stores the private keys and then I could just login by "mysql -u root" (without typing the passwords or a combination of private-key and a password)?
You can certainly use the normal SSH key authentication to log on to your shell account and then use a ~/.my.cnf file with your password inside. This will be used by default by the mysql command line client.
Its content should be:
[client]
user=the_user_name
password=the_password
Beware that whoever can read this file will be able to use those credentials. Protect it so that only the owner can read it (and lock your terminal if you go away from your keyboard).
If you want direct key-based authentication, you could also use SSL client-certificate authentication. You could create your own small CA and issue yourself with these client-certificates. A number of tools support this if you require direct remote access.

sql open connection in read only mode

Suppose a user has full read/write access to MySQL database. Is there any way (some parameter in connection string) to connect to database by the same username and password in read-only mode?
I want this without changing this user's permissions because the same user might require write permission too at some other time. This would be useful (if possible) to prevent accidental modification to database.
The answer to your question is
No, there's no way to specify read-only access in the connection string.
Alternatives are
1. Create sql user with read permission
MVC3 Read-Only MySql Connection String
2. create views or stored procedures with permissions checking logic in them
MS SQL Grant permission to only a view
MySQL Grant a user permission to only view a mysql view
3. Implement permissions layer in your business logic
Good Luck!
The best solution here is to create another account on the mysql server with readonly permissions, and connect using that.
Depending on your use case and what control you have you could have the code call "set transaction read only" immediately after connecting, or use the --init-command parameter on connect. This worked for a testing use case we have,
Here's the set transaction doc: https://dev.mysql.com/doc/refman/5.7/en/set-transaction.html, similarly you can also set it as a session variable if that makes a difference https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_transaction_read_only.

allowing mysql connection without password

For some reason, when creating a MySQL user with empty password, it only allows connections if the user has the same name as a system user (Ubuntu Server 10.04, MySQL version 5.1.41). According to everything I have read so far, MySQL users ought to be completely separate from the system user accounts, so I'm not sure how to explain what's going on.
Am I doing something wrong? Is there some settings somewhere that affects this?
(Additional info:
I'm setting this up to only allow connections from the local network; some of the tools I'm using on a project require a user without a password.)
This seems likely to be a duplicate, though when I searched I couldn't find any previous question about this issue. If the same question HAS been asked before, I apologize.
here is something i found in mysql docs.
When you assign an account a nonempty password using SET PASSWORD, INSERT, or UPDATE, you must use the PASSWORD() function to encrypt the password, otherwise the password is stored as plaintext. Suppose that you assign a password like this:
mysql> SET PASSWORD FOR
-> 'username'#'localhost' = 'mypass';
The result is that the literal value 'mypass' is stored as the password in the user table, not the encrypted value. When user attempts to connect to the server using this password, the value is encrypted and compared to the value stored in the user table. However, the stored value is the literal string 'mypass', so the comparison fails and the server rejects the connection with an Access denied errorFirst have a user name (other than system name) with some password.
So have a user name of your choice with some passowrd and then use PASSWORD() function to set an empty password. The use of the function can be seen here.