11

I sometimes do echo "secret" | mysql -u root -p .... Now I'm concerned about security here: can someone listing all processes see the password?

To check, I tried with echo "test" | sleep 1000 and the echo command with the secret was not visible in the output of "ps aux". So I assume it's secure, but can a security expert confirm it, please? :)

gucki

5 Answers

13

The answer to this depends on which shell you are using. Many shells have echo as a builtin command meaning that it does not spawn a separate process and hence will not show up in a process listing. However, if you type /bin/echo or ./echo or if you disable the builtins with the enable -n echo command, then the shell will not use its builtin command and will use the binary version instead. This will show up in a process listing.

If you are using the binary rather than the shell builtin, the echo command will show up for as long as it takes to move the data into the other process's STDIN buffer. This buffer has a finite size so if there is more data than will fit in the buffer, the echo command will have to hang around for a while until the other process can read some of the data out of the buffer. For most cases (such as the two examples you gave above) this time period will be microseconds. If you happen to be pasting a 20MB SQL dump into MySQL using echo, this could be longer. No matter how short the time is, if you are using the binary instead of the shell builtin and someone happens to get the timing just right, they will be able to see the process in the process list.

You can avoid this by putting the secret data into a file (with appropriate permissions) and using the file as STDIN like this:

mysql -u root -p < file_with_secret.sql
Ladadadada
    Keep in mind that by typing the password on the command line like that it is most likely being saved into your shell's history file, so it is worth checking the history file permission and contents. – aculich Dec 22 '11 at 19:44
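The window the answer describes (an external echo staying alive, argv and all, until the reader drains the pipe) can be made wide enough to observe deterministically: sleep never reads its stdin, so once the payload is larger than the kernel pipe buffer (64 KiB by default on Linux) /bin/echo blocks in write(2) and sits in the process list for the whole sleep. The script below is an added example, not code from the answer or from the question. It assumes Linux with /proc mounted, an external echo at /bin/echo, and uses a constructed marker string in place of the real secret; the 100000-byte padding is chosen to exceed the pipe buffer while staying under Linux's single-argument size limit. It contrasts the external binary with the shell builtin and with the file-redirection mitigation from the answer.

```shell
#!/bin/sh
# Added example (not from the original answers): does a secret passed as an
# argument to an external echo become visible in other processes' view of the
# process table? We read /proc/<pid>/cmdline directly, which is what ps does.
# Linux only; assumes /bin/echo exists and the default 64 KiB pipe buffer.

MARKER="hunter2-marker"   # constructed stand-in for the secret

# Return 0 if any running process has an argv starting with "/bin/echo <marker>".
secret_visible_in_proc() {
    for f in /proc/[0-9]*/cmdline; do
        cmd=$(tr '\000' ' ' < "$f" 2>/dev/null) || continue
        case "$cmd" in
            "/bin/echo $1"*) return 0 ;;
        esac
    done
    return 1
}

# $1 = "external" (use /bin/echo) or "builtin" (use the shell's echo)
# $2 = padding bytes appended to the marker; above 65536 the writer blocks
# because sleep never reads its stdin, so the producer stays alive.
run_probe() {
    pad=$(dd if=/dev/zero bs="$2" count=1 2>/dev/null | tr '\000' 'x')
    if [ "$1" = external ]; then
        /bin/echo "$MARKER$pad" | sleep 2 &
    else
        echo "$MARKER$pad" | sleep 2 &   # builtin: no new process, no new argv
    fi
    sleep 1                              # let the pipeline start and block
    if secret_visible_in_proc "$MARKER"; then result=0; else result=1; fi
    wait                                 # reap the pipeline before returning
    return "$result"
}

# Mitigation from the answer: keep the secret in a 0600 file and redirect it
# into the consumer's stdin. argv then never carries the secret at all.
run_from_file() {
    tmp=$(mktemp) && chmod 600 "$tmp" && printf '%s\n' "$MARKER" > "$tmp"
    sleep 2 < "$tmp" &
    sleep 1
    if secret_visible_in_proc "$MARKER"; then result=0; else result=1; fi
    wait
    rm -f "$tmp"
    return "$result"
}

# Stand-alone run: report each case. Exit codes: 0 = secret was visible.
for case_name in "external 100000" "builtin 100000"; do
    set -- $case_name
    if run_probe "$1" "$2"; then
        printf '%s echo, %s bytes: secret VISIBLE in /proc\n' "$1" "$2"
    else
        printf '%s echo, %s bytes: secret not visible\n' "$1" "$2"
    fi
done
if run_from_file; then
    printf 'file redirect: secret VISIBLE in /proc\n'
else
    printf 'file redirect: secret not visible\n'
fi
```

With a short payload the external echo exits in microseconds and the probe usually misses it, which is exactly the false sense of safety the question's test gave; the race is still there, only harder to win. The padded run shows the same command with the timing forced in the attacker's favour. Note that the file-redirect case only protects the command line: as the last answer on this page points out, a process running as the same UID can still read the consumer's open stdin through /proc.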
3

For the mysql case, ~/.my.cnf can be used to store secrets, i.e.

[client]
user = DBUSERNAME
password = DBPASSWORD
host = DBSERVER

[mysql]
database = DBNAME
becomingwisest
1

Just use

mysql -uroot -p

and hit enter. You will then be prompted for the password and it will not be visible in either the process list or the history files.

jdw
  • Data accepted on STDIN by MySQL is the command(s) to be run once you have logged in. The "secret" in the question is not the password. – Ladadadada Dec 22 '11 at 19:25
0

Passing passwords via command-line arguments is never recommended; try at least stdin or a FIFO, such as:

mysql -p <<END
$password
END

This way $password will not be exposed to history or ps aux.

0

If by "secure" you mean "not visible in the output of ps", then yes, it is secure. But don't forget that other processes that share the UID with the running mysql client (or those running with root privileges, obviously) can access its STDIN. To use your echo/sleep example:

sh-5.1$ echo "test" | sleep 1000 &
[1] 3960020
sh-5.1$ cat /proc/3960020/fd/0
test

The above is Linux specific, and relies on procfs.