[CentOS] No MySQL password in ps aux!

Craig White craig.white at ttiltd.com
Tue Sep 13 15:42:12 UTC 2011 

On Sep 13, 2011, at 2:36 AM, Dotan Cohen wrote:

> On Mon, Sep 12, 2011 at 23:25, Craig White <craig.white at ttiltd.com> wrote:
>> create a proper .my.cnf file - problem solved
>> 
> 
> There are other users who have root access (yes, I know, bad idea but
> it's not my box) who I don't want playing around in the mysql cli (I'm
> being a bully here, I know, but they are PHP guys). They can access
> MySQL via PHP and when something breaks it is in an environment that
> they are professionally expected to be proficient in. Not to be a
> jerk, but in any group of high-level-language programmers there is the
> one who will experiment on a production webserver instead of
> installing Linux on his machine at home. I started off as that guy!
> Yes, I know that the PHP guys can get the password by looking in the
> mysqlConnection.inc file that they typically include() so that
> sensitive information is not in the root path. Total security is not
> my goal, but rather reasonable obstacles to friendly, non-malicious
> entities.
> 
> In other words, I want a pony. I want a single command to log in from
> my own machine right to the mysql cli, but I don't want anyone else to
> have simple access to that cli. Actually, I pretty much do have that
> pony. I just wondered how ti worked.
----
I'm sorry, I was trying to make a point about the methodologies employed to better enhance security **especially** when you have other users on the same system... the point is that you should never use any command line function that includes the password for many reasons including ps visibility (and note that even if ps output suppresses the passed parameters, there still might be evidence in /proc), bash_history (or other shell histories), or just simply keylogging (which can be done by anyone with a shell on the system, su or not). The idea is that you open a connection first, establish a method of encrypted communications and then are prompted for the password or in the case of mysql, the ~/.my.cnf will send the password at the appropriate time.

As for other users... I don't understand the logic of forcing them to use a PHP program vs. a CLI. MySQL fully supports the notion of users/permissions/grants, etc. and their access should be controlled using the integrated ACL system of MySQL, not some artificial notion of security based on CLI vs. WebApp. If they have DB Admin privileges using a GUI, there's nothing that they can't do in the GUI that they could do in a CLI except that the CLI is likely more effective and efficient and reinforces good habits/practices.

Craig

More information about the CentOS mailing list