I've got a few BASH tools that use the mysql -e "{command}" function. Entering the password every time I use these tools would be a pain, so, to avoid having the password written in a plaintext file with the code, I store it in memory (using read -s) and have BASH read it whenever it runs the commands.

MySQL still thinks the password is being submitted through the command line (because, in a manner of speaking, it is), and still gives me the error "Using a password on the command line interface can be insecure."

For my purposes, I don't need to suppress this message. What I need to know is, what is it that could make it insecure? The password is never physically visible, so shoulder-surfing couldn't do it and even someone that guessed my SSH password wouldn't be able to do it since it's stored in memory rather than in scripts themselves. Is a man-in-the-middle attack or something similar possible?

Andrew
    Put it in `~/.my.cnf` ([Example](https://easyengine.io/tutorials/mysql/mycnf-preference/)). You can specify per host by doing `[client]`, e.g. `[clientlocalhost]`. MySQL tools will use it automatically, so it is easier and safer. – AmazingDreams Jul 14 '17 at 10:22
  • How do you have `bash` read it when you run the command? If you do `mysql -p"$pass"` then anyone can see it in `ps`. – Barmar Jul 18 '17 at 18:42

1 Answer

26

Anyone who can see your environment variables (including programs you run) can see the password. And anyone who can view your processes can see the command line used to run them, including the parameters.

So for a box that solely you log in to, the risk is probably insignificant. But for a targeted attack on you personally, this is a trivial attack vector in the grand scheme of things.

longneck
    As well as someone viewing your `~/.history`, etc – ivanivan Jul 13 '17 at 20:56
  • Not to mention HTOP and similar top-like utilities before these were masked. A lot of scripts also did not use environmental variables $PASS etc. on the basis that the user was read only or lacked permissions. On a single user standalone it might not seem to matter. – mckenzm Jul 14 '17 at 06:16
  • 1
    Where does the question say anything about environment variables? Shell variables are not put in the environment unless you export them. – Barmar Jul 18 '17 at 18:42
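An added example (not from the question or the answer above) showing the two points raised here in shell: a check that the argv you are about to run does not carry the password inline where `ps` would show it, and the option-file alternative suggested in the comments, written to a 0600 temporary file and passed with `--defaults-extra-file` so the secret never enters argv or the environment. It assumes POSIX sh with `mktemp`, `chmod` and `stat`, and a `mysql` client on PATH for `safe_mysql`.

```sh
#!/bin/sh
# Added example, not code from the original post.

# Return 0 (true) if any argument is an inline password, i.e. -pSECRET or
# --password=SECRET.  A bare -p / --password only prompts and is fine.
argv_has_inline_password() {
  for a in "$@"; do
    case $a in
      -p?*|--password=?*) return 0 ;;
    esac
  done
  return 1
}

# Write a one-off [client] option file readable only by the current user.
# Prints its path; the caller removes it when the client has exited.
make_defaults_file() {
  user=$1 pass=$2
  f=$(mktemp) || return 1
  chmod 600 "$f" || { rm -f "$f"; return 1; }
  printf '[client]\nuser=%s\npassword=%s\n' "$user" "$pass" > "$f"
  printf '%s\n' "$f"
}

# Run a statement with credentials taken from the option file, not argv.
# --defaults-extra-file must be the first option mysql sees.
# Usage: safe_mysql USER PASSWORD 'SELECT 1'
safe_mysql() {
  f=$(make_defaults_file "$1" "$2") || return 1
  mysql --defaults-extra-file="$f" -e "$3"
  rc=$?
  rm -f "$f"
  return $rc
}

# Guarded wrapper: refuse to run a mysql command line that leaks the password.
# Usage: guarded_mysql mysql -u alice -ps3cret -e 'SELECT 1'   (constructed example)
guarded_mysql() {
  if argv_has_inline_password "$@"; then
    echo "refusing: password would be visible in the process list" >&2
    return 2
  fi
  "$@"
}
```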