10

I am writing a bash script (for a cron job) that uses mysql:

mysql -uusername -ppassword -e 'something;'

I am looking for a good way to keep the password handy for use in the script, but in a manner that will also keep this information secure from other users on that system. Users who could use ps -ef and users who might read text files...

So how can I safeguard passwords that will be used in an automated script on Linux?

Improve this question

3 Answers 3

Reset to default
17

Put all the settings in an option file. You can use your default ~/.my.cnf file, or you can specify an alternate file using --defaults-file==filename. See the documentation 4.2.3.4. Command-Line Options that Affect Option-File Handling

The option file contains default settings for mysql commands. You can put the following in it, for example.

[mysql]
user=username
password=password
database=yourdb

Make the option file readable only by you, so other users can't see your password.

Improve this answer
Sign up to request clarification or add additional context in comments.

6 Comments

Yes i read that answer before - but i don't understand - what is an option file?
See the example in the answer.
Better Question: How does storing it in this "option file" differ from just storing it in an txt file just readable for me?
Since you can store multiple options in the file, it's simpler since you don't have to write all the scripting to set several different shell variables from the file.
Found my answer after some googling now - mysql reads the login from this file by default and if I write it in this file I don't need username and password to log in to mysql - so I don't have to read password and username from this .my.conf file for my script but can just use mysql without an login. Why didn't you just say?
|
11

This is an updated answer for users of MySQL 5.6.6+

As documented in 4.6.6 mysql_config_editor — MySQL Configuration Utility, there is now a more secure way to store mySQL passwords, that does not store clear text passwords in a local configuration file.

The mysql_config_editor utility (available as of MySQL 5.6.6) enables you to store authentication credentials in an encrypted login path file named .mylogin.cnf. The file location is the %APPDATA%\MySQL directory on Windows and the current user's home directory on non-Windows systems. The file can be read later by MySQL client programs to obtain authentication credentials for connecting to MySQL Server.

This file can be created by running the following command:

mysql_config_editor set --login-path=client  --host=localhost --user=root --password

You can print the existing settings with the following command:

mysql_config_editor print --login-path=client

This will output the current settings:

[client]
user = root
password = *****
host = localhost

Notice the password is encrypted by default.

Improve this answer

Comments

4

create a file ~/.my.cnf in the home directory of the user running the cron job. make sure is not readable by other users ( chmod 600 ~/.my.cnf )

[client]
user=username
password=something
Improve this answer

1 Comment

Thank you for your answer - as they are the same answers this is also helpful but i can't mark both. :-)

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.