Security of passwords in bash subcommands - mysql

I've heard that directly inputting your password on the command line is a bad idea, because anyone could see the "secret" in
mysql -u root -psecret
by browsing history.
I have a password for my MySQL database stored in a text file with limited read permissions, and was wondering if it is safe to access it in the following way:
mysql -u root -p$(cat ~/.mysql_pass)
Browsing history, I see the command printed, not the literal value. So it seems like it's working the way I want it to.
I'm sure there are better ways of handling passwords, I would just like to know whether or not this one is leaving my password completely out in the open.

You've suggested using the following:
mysql -u root -p$(cat ~/.mysql_pass)
However, the subcommand will be expanded before mysql is executed and so even if this isn't available in the command history, it's entirely possible for someone to view the process list just after invocation and see your password.
I think a better approach is to use a mysql client options file and have the mysql command read the password from the options file.

Just type mysql -u root -p and you'll get a prompt to enter your password and it won't be stored in the history.

Related

Is there a way to set my root password permanently in MySQL via command line without "mysql -u root -p" every time? [duplicate]

You can avoid re-entering mysql command line password by putting the queries into a file.
In my case, the later queries are not determined until after the first queries have finished.
This happens in a non-interactive script so running a mysql console is not an option.
Is there any notion of a session for mysql command line interactions? Or can I set it up to listen for commands on a local unix socket (the output is required to be returned)? Or something like that?
User #smcjones mentions using the .my.cnf file or mysql_config_editor. Those are good suggestions, I give my +1 vote to him.
Another solution is to put the credentials in any file of your choosing and then specify that file when you invoke MySQL tools:
mysql --defaults-extra-file=my_special.cnf ...other arguments...
And finally, just for completeness, you can use environment variables for some options, like host and password. But strangely, not the user. See http://dev.mysql.com/doc/refman/5.7/en/environment-variables.html
export MYSQL_HOST="mydbserver"
export MYSQL_PWD="Xyzzy"
mysql ...other arguments...
I don't really recommend using an environment variable for the password, since anyone who can run ps on your client host can see the environment variables for the mysql client process.
There are a few ways to handle this in MySQL.
Put password in hidden .my.cnf in the home directory of the user the script is running as.
[client]
user=USER
password=PASSWORD
Use mysql_config_editor
mysql_config_editor set --login-path=client --host=localhost
--user=localuser --password
When prompted to enter your password, enter it like you otherwise would.
IMO this is the worst option, but I'll add it for the sake of completeness.
You could always create a function wrapper for MySQL that appends your set password.
#! /bin/bash
local_mysql_do_file() {
mysql -u localuser -h localhost -pPASSWORD_NO_SPACE < $1
}
# usage
local_mysql_do_file file.sql

Why can't I pipe a password into mysql non-interactively?

I want to run mysql client, giving the password non-interactively.
The standard solution is this
mysql -u root -e "foo" -p < password_file
but my situation is this
produce_password | mysql -u root -p
Here, mysql prompts for a password, even though data is being piped in. (Yes, produce_password is emitting data; echo foo | mysql behaves the same way.)
The Internet seems to think the above should work, but the fact is it doesn't. The workaround would be
produce_password > password_file
mysql -u root -p < password_file
rm password_file
But let's say I don't want to do this (e.g. policy demands that this password never be written to the disk)
How can I make mysql take the password from the input process without prompting, as it would for a file?
With thanks to fancyPants for explaining the cause, here is a solution which meets my requirements. (The encrypted .mylogin.cnf with mysql_config_editor isn't right for me, but thanks.)
To satisfy the security policy, mount /ramfs as a ramfs temporary file system. Assume file permissions are suitably restrictive.
ramdir="/ramfs"
cnf="$(mktemp "$ramdir/this-script-name-XXXXX")"
pw="$(produce_password)"
cat >"$cnf" <<EOF
[client]
user=root
password="$pw"
EOF
mysql --defaults-extra-file="$cnf" -e 'select 1'
rm "$cnf"
the problem with that is the password shows up in the process list.
But you can do this.
mysql --defaults-file=<(echo '[client]'; echo 'user=USERNAME'; echo "password=$mysqlpassword";)
It shows up in the process list like this.
mysql --defaults-file=/dev/fd/63
so the <() creates a file handle to the output of your commands.
This works with command line options that are expecting a file.
I don't know how to explain this, but when you pipe something, the stdout of the first program is forwarded to the stdin of the second program. You somehow confuse this, with the command line or whatever. You can pipe something to mysql, of course, but whatever you pipe is handled after you've authenticated yourself.
The solution would be
mysql -u root -p$(produce_password)
This generates your password with whatever program you have there and puts it in the right place on your commandline (my english is bad, can't explain better). When you have it in a file you could do
mysql -u root -p$(cat file)
I don't know, why you want to do it this way anyway, but you might be interested in having an encrypted file with your credentials, that you can use to log in without specifying a password. Read more about it here.
The easiest way is to declare the environment variable MYSQL_PWD.
Example:
$ export MYSQL_PWD=$(produce the password if required)
$ mysql -h example.org -u username
Remember you should not use -p in this case.

Can I enter password once for multiple mysql command line invocations, where the queries are not known upfront?

You can avoid re-entering mysql command line password by putting the queries into a file.
In my case, the later queries are not determined until after the first queries have finished.
This happens in a non-interactive script so running a mysql console is not an option.
Is there any notion of a session for mysql command line interactions? Or can I set it up to listen for commands on a local unix socket (the output is required to be returned)? Or something like that?
User #smcjones mentions using the .my.cnf file or mysql_config_editor. Those are good suggestions, I give my +1 vote to him.
Another solution is to put the credentials in any file of your choosing and then specify that file when you invoke MySQL tools:
mysql --defaults-extra-file=my_special.cnf ...other arguments...
And finally, just for completeness, you can use environment variables for some options, like host and password. But strangely, not the user. See http://dev.mysql.com/doc/refman/5.7/en/environment-variables.html
export MYSQL_HOST="mydbserver"
export MYSQL_PWD="Xyzzy"
mysql ...other arguments...
I don't really recommend using an environment variable for the password, since anyone who can run ps on your client host can see the environment variables for the mysql client process.
There are a few ways to handle this in MySQL.
Put password in hidden .my.cnf in the home directory of the user the script is running as.
[client]
user=USER
password=PASSWORD
Use mysql_config_editor
mysql_config_editor set --login-path=client --host=localhost
--user=localuser --password
When prompted to enter your password, enter it like you otherwise would.
IMO this is the worst option, but I'll add it for the sake of completeness.
You could always create a function wrapper for MySQL that appends your set password.
#! /bin/bash
local_mysql_do_file() {
mysql -u localuser -h localhost -pPASSWORD_NO_SPACE < $1
}
# usage
local_mysql_do_file file.sql

Creating a Symbolic Link to Access MySQL with Automatic Login

I am looking for a simpler way to log in to MySQL through the terminal without having to input my username and password each time.
I am using MAMP and to access my databases, I just simply type mysql and it is accessed. To do that I just created a symbolic link ln -s /Applications/MAMP/Library/bin/mysql /bin but to be able to create databases and such I need to be logged in. I know I can do that by typing mysql -uroot -ppassword but that's a bit of a pain to type each time. Is their a way to use a symbolic link like to add attributes? Say like ln -s /Applications/MAMP/Library/bin/mysql -uroot -ppassword?
Symlinks cannot contain command-line options.
You could instead place your credentials in an option file. If stored in a default location (such as ~/.my.cnf), you won't even need to tell mysql to read it.
[client]
user=root
password=foobar
Beware, especially if doing this for the root user, that anyone with read access to your option file will be able to login as your user.

Weird mySQL behavior in Ubuntu 10.10

I'm having some serious trouble with a freshly installed copy of mySQL server under Ubuntu 10.10. I installed with apt and supplied a password at that time. Installation went fine, but the server is behaving very strangely.
First, to test the database, I created a php file with
mysql_connect("localhost", "root", "myPassword") or die(mysql_error());
where myPassword is the one I entered when it asked, during installation. That gave me an access denied error. I tried to shell into the mySQL server to pursue a solution I read about. The normal syntax didn't work, and to get anything but "access denied", I had to do
mysql -u root password myPassword
However, instead of a mysql shell, it just spits out a list of parameters and variables. So at this point, I'm stumped; I haven't worked with mySQL through a command line in a couple of years, but none of this behavior is familiar, and I can't find a way to interact with the server.
Any help would be appreciated.
The mysql command-line parameter for supplying a password is -p, not password. You should also leave out spaces. For example:
mysql -uroot -pmyPassword
If you don't want to risk your password being exposed...
mysql -uroot -p
...will prompt you for your password and hide the characters as you type them.
If you have apparmor installed (this is default) it can cause problems when you go outside the narrowly-defined defaults set up by ubuntu.
The things that mysql is allowed to touch is defined here: /etc/apparmor.d/abstractions/mysql
If you've put your socket file elsewhere, you would get an access-denied message.
To look at things more closely, run your mysql client like so:
strace -e file mysql <blah blah>
This will print out any system-level file operations on stderr. You can then see exactly which operation is causing the permissions error. If you don't see an issue, you might use -e network instead, to see network operations.