I am wondering if it would be safe to put server variables as environment variables in `~/.bash_profile`. I am on a CentOS 6 shared-host web server. The passwords for the databases are currently available in `.my.cnf` and `.my.mariadb.cnf`. Would there be any security disadvantage if I put them in `.bash_profile` as environment variables?
0

BilliMoon
- Why not use the MariaDB PAM auth module? If all 3 files have the same permission bits, I don't see how they're more or less secure than each other. – Jacob Evans Jun 17 '17 at 09:37
1 Answer
2
As far as filesystem permissions are concerned, you should certainly make sure that your `.bash_profile` (and your other config with passwords) has mode 0600.

You should bear in mind that any processes you then run from bash will have these credentials set in their environment. That means that if, for example, you run something that dumps the environment to a log file for debugging then that file reveals your passwords. Depending on your use case it might be safer to have another file, say `~/passwords.sh`, that you can read with `source ~/passwords.sh`, or a shorter alias, when you know you need it.

As a general rule it's good to have plain-text passwords available in as few locations as possible.

James McDonald
- I see that env vars are not a very good idea. Originally my attempt was to use the vars for short mysql shell commands like `mysql -h "localhost" -u "$MYSQL_USER" "-p$MYSQL_PASS" ...`. I am unsure how to achieve that now. – BilliMoon Jun 17 '17 at 12:50
- Oh hell, it is not necessary because mysql takes it itself from the my.cnf, too stupid easy. – BilliMoon Jun 17 '17 at 12:58
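
The two points from the answer above (mode 0600 on credential files, and exported variables being inherited by every child process) as an added example that is not part of the original answer or comments. The function names `file_mode`, `check_cred_perms`, `with_secrets` and `child_sees` are hypothetical, and the contents of `passwords.sh` are constructed.

```bash
#!/usr/bin/env bash
# Added example: file names and credential values below are constructed.

# Octal mode of a file (GNU stat as on CentOS; BSD stat as fallback).
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Succeed only if every listed credential file exists with mode 600.
check_cred_perms() {
    local rc=0 f mode
    for f in "$@"; do
        if [ ! -f "$f" ]; then echo "MISSING $f"; rc=1; continue; fi
        mode=$(file_mode "$f")
        if [ "$mode" = "600" ]; then echo "OK      $f"
        else echo "LOOSE   $f (mode $mode)"; rc=1; fi
    done
    return "$rc"
}

# Run ONE command with the secrets file sourced inside a subshell, so the
# variables are gone again when the command returns.
with_secrets() {
    local secrets=$1; shift
    ( set -a; . "$secrets"; set +a; "$@" )
}

# Number of entries named $1 in the environment handed to a child process.
child_sees() { env | grep -c "^$1=" || true; }

# --- demo on a throwaway directory ---
demo=$(mktemp -d)
printf 'MYSQL_USER=appuser\nMYSQL_PASS=constructed-example\n' > "$demo/passwords.sh"
chmod 644 "$demo/passwords.sh"                 # readable by group and others
check_cred_perms "$demo/passwords.sh" || true  # reported as LOOSE
chmod 600 "$demo/passwords.sh"
check_cred_perms "$demo/passwords.sh"          # reported as OK

# .bash_profile style: exported once, inherited by every later child.
( export MYSQL_PASS=constructed-example
  echo "exported as in a profile, child sees: $(child_sees MYSQL_PASS)" )
# Scoped: only the wrapped command sees it; the calling shell stays clean.
echo "inside with_secrets, child sees:      $(with_secrets "$demo/passwords.sh" child_sees MYSQL_PASS)"
echo "afterwards, child sees:               $(child_sees MYSQL_PASS)"
rm -rf "$demo"
```
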