After understanding the problem with using a password in the command line, I need to find a way of feeding a program with a password without it being a problem (without the password being recorded somewhere).
I have a bash script that automatically installs an entire LAMP server from source: Apache, FastCGI, PHP & MySQL.
These installations require a password, especially MySQL.
How can I make the script fully automated without revealing the password?
Edit (9 June, 3:55 UTC):
I'm invoking mysql with a password on the command line, via root:
root@dor-desktop:/home/dor# PASS=`cat /home/dor/tmpf/pass`
root@dor-desktop:/home/dor# mysql -u root -p"$PASS"
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 6
(PASS="p4ssw0rd" in our case)
And I execute ps aux | grep mysql
via my regular user (dor), which doesn't show me the password!
(Some of) ps
output is:
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 3562 0.0 0.0 34156 2864 pts/0 S+ 05:53 0:00 mysql -u root -px xxxxxx
How's that possible?
Best Answer
In regard to your update:
When a process is started it has a dedicated area of memory where arguments are stored and a int which tells how many arguments was passed.
MySQL check if password was passed on command line by
-p
, and if it was copy it to a new variable that is not visible, then overwrite that region of memory withx
'es.In simple terms e.g.:
You can find it e.g. in
client/mysqladmin.cc
of the source code:When
ps
run it reads the memory region of the arguments, (argv[N]
), and thus it isxxxx
.For a very short while the password is visible, but only for a few CPU cycles.
You can update the MySQL password using the special
--init-file
option and procedure. C.5.4.1.2. Resetting the Root Password: Unix SystemsEdit:
As @Gilles say, you can
echo
,printf
or usehere
document from a script.You can also add this to
.my.cnf
of your home directory or in a (temporary) file and use the--defaults-extra-file
option. (Believe you have to add that option early on the command line.) optionally also include user. Also note the extra in the option name unless you want to use only that file as configuration:Optionally the
[client]
grouping makesmysqld
skip the configuration.One can also use
MYSQL_PWD
environment variable, but that should never be used as you can list environment, in manyps
implementations byps -e
, in the/proc/<PID>/environ
file on Linux etc.More on the topic here.
You might also want to have a look at the MySQL Configuration Utility which enables you to store password in a encrypted file in your home directory –
.mylogin.cnf
.