5

Need to create simple mysql-backup script.

But - how can I store encrypted pass of MySQL user in it?

I want to avoid store password in plaintext type in any additional files.

As I found in MySQL manual:

MySQL encrypts passwords stored in the user table using its own algorithm

So. there is no way to just get hash and set it as variable?

I mean:

DBHASH="cGFzc3dvcmQ="
DBPASS=`echo $DBHASH | openssl enc -base64 -d`

Is there any correct way to sovle it? Thanks for tips.

Improve this question

2 Answers 2

Reset to default
7

It doesn't matter if the script contains a plaintext password or not if it includes a repeatable routine for getting into MySQL (i.e. automatically decrypting) - an attacker would just do the same. If you could pass the hash/decrypted password and have MySQL compare it would be just as repeatable (and the hash would function as a password anyway).

So, the easy answer is: You can't do this. You have some options...

  • Set up a correctly chmoded (600) ~/.my.cnf with the credentials.
  • Create a 'restricted', password-less backup-account that is only allowed to log in from localhost.
  • Only allow backup logins from localhost/backup host in either case.
  • If you're on Debian you could use the debian-sys-maint account (which has a my.cnf already set up with credentials)
  • Restrict the mysql account and include the password in the script plain text, but only allow given user/root to read script (if you have root you can take over mysql anyway).
  • Read/'source' the config variables (username/password) from an external file (with correct chmod - 600)...but you're basically doing the my.cnf-thing by then.

Remember a "backup account" does not need write privileges etc...

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Well, sure - it is not exactly what I want, but - seems there is no other way to realize... Thanks.
2

afaict, there's no way to do what you're looking for. Whether you store the hash or the original password, you will anyway store very sensible information that might be evil used if someone gets read access to your script.

What you may prefer, is instead setup up an user account that can't login, and setup up mysql so that user has the exact permissions for your script. And also make it so that this user is the only one having exec access to the script.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.