
In addition to this question: Performing root mysql operations in bash scripts

I'd like to ask how to limit/allow this action (performing root administrative actions):

mysql --login-path=mypath -e "CREATE..."

to be used just in one bash script. Maybe it's better in this case to use:

mysql -u root -p'mypass'

I've set up a separate user with root privileges (they are needed to create/drop any database), but this way this user, accessible from any command line without a password, can mess around with anything (the same if the user sees the hardcoded password).

Maybe it would be better to allow a specific mysql user to access only specific mysql procedures/functions to create/drop databases and users?

Sfisioza
  • Yes, you can create users with access to only a limited subset of (privileged) MySQL commands. That will typically be more secure than user accounts that have all privileges. Read [chapter 6](http://dev.mysql.com/doc/refman/5.7/en/security.html) of the manual and investigate the GRANT syntax. The alternative is a user with access to a single stored procedure and use the stored procedure to perform privileged actions. – HBruijn Oct 01 '14 at 14:10
  • Stored procedures seem to be a good idea, but wouldn't using DROP on any database in a stored procedure require the user to have DROP privileges as well? – Sfisioza Oct 02 '14 at 09:04
  • According to the [manual](http://dev.mysql.com/doc/refman/5.6/en/create-procedure.html) the security context of a stored procedure is either definer or invoker, i.e. *the routine executes using the privileges of the account named in the routine DEFINER clause or the user who invokes it.* I compare that to setting the SUID bit on an executable. – HBruijn Oct 02 '14 at 10:09
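
The stored-procedure approach discussed in the comments above, written out as an added example that is not part of the original thread. All account, schema and routine names, the `app_` naming rule and the placeholder passwords are assumptions made for illustration.

```sql
-- Added example; every account, schema and routine name here is hypothetical.
-- Run once as an administrative account (naming a DEFINER other than yourself
-- needs the SUPER privilege on MySQL 5.6/5.7).
CREATE DATABASE IF NOT EXISTS provisioning;

-- Definer: holds the real privileges, limited to app_* schemas, and is locked
-- so nobody can log in as it (ACCOUNT LOCK needs MySQL 5.7.6 or later).
CREATE USER 'db_definer'@'localhost' IDENTIFIED BY 'REPLACE_WITH_RANDOM_VALUE' ACCOUNT LOCK;
GRANT CREATE, DROP ON `app\_%`.* TO 'db_definer'@'localhost';

DELIMITER //
CREATE DEFINER = 'db_definer'@'localhost'
PROCEDURE provisioning.manage_app_db(IN p_action VARCHAR(6), IN p_name VARCHAR(64))
    SQL SECURITY DEFINER
BEGIN
    -- Identifiers cannot be bound as statement parameters, so both inputs are
    -- checked against an allow-list before being concatenated.
    IF p_action IS NULL OR UPPER(p_action) NOT IN ('CREATE', 'DROP') THEN
        SIGNAL SQLSTATE '45000' SET MESSAGE_TEXT = 'action must be CREATE or DROP';
    END IF;
    IF p_name IS NULL OR p_name NOT REGEXP '^app_[a-z0-9_]{1,32}$' THEN
        SIGNAL SQLSTATE '45000' SET MESSAGE_TEXT = 'database name rejected';
    END IF;
    SET @ddl = CONCAT(UPPER(p_action), ' DATABASE `', p_name, '`');
    PREPARE stmt FROM @ddl;
    EXECUTE stmt;
    DEALLOCATE PREPARE stmt;
END//
DELIMITER ;

-- The definer needs EXECUTE on its own routine; the script account gets EXECUTE and nothing else.
CREATE USER 'provision_script'@'localhost' IDENTIFIED BY 'REPLACE_WITH_SCRIPT_PASSWORD';
GRANT EXECUTE ON PROCEDURE provisioning.manage_app_db
    TO 'db_definer'@'localhost', 'provision_script'@'localhost';

-- From the script:  mysql ... -e "CALL provisioning.manage_app_db('CREATE', 'app_shop')"
-- provision_script has no CREATE or DROP privilege of its own, so the same
-- statements issued directly by that account are refused.
```

If the script account's credentials leak, the damage is bounded by what the routine accepts: schemas matching the `app_` pattern, and only CREATE or DROP.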

1 Answer


Create a .my.cnf in a secure location, and populate it with the following:

[client]
password = "somepassword"

Then in your cron job call mysql like this:

mysql --defaults-extra-file=/location/to/.my.cnf -e "CREATE..."

GeoSword
  • Isn't this the same as storing the password in my bash script? (assuming that the script is in the secure location?) – Sfisioza Oct 01 '14 at 11:49
  • Similar, but it's still better than having the password in plain text directly in the script. – GeoSword Oct 01 '14 at 13:05