将MySQL密码存储在bash脚本中
[英]Store MySQL password in bash-script
问题描述
Need to create simple mysql-backup script. 
需要创建简单的mysql-backup脚本。
But - how can I store encrypted pass of MySQL user in it? 但是 - 如何在其中存储MySQL用户的加密传递?
I want to avoid store password in plaintext type in any additional files. 我想避免在任何其他文件中以明文类型存储密码。
As I found in MySQL manual: 正如我在MySQL手册中找到的:
MySQL encrypts passwords stored in the user table using its own algorithm
So. 所以。 there is no way to just get hash and set it as variable? 有没有办法只获取hash并将其设置为变量?
I mean: 我的意思是:
DBHASH="cGFzc3dvcmQ="
DBPASS=`echo $DBHASH | openssl enc -base64 -d`
Is there any correct way to sovle it? 有没有正确的方法来解决它? Thanks for tips. 谢谢你的提示。
2 个解决方案
解决方案1
7 已采纳 2013-12-09 15:30:45
It doesn't matter if the script contains a plaintext password or not if it includes a repeatable routine for getting into MySQL (ie automatically decrypting) - an attacker would just do the same. 如果脚本包含一个明文密码,如果它包含一个可重复的进入MySQL的例程(即自动解密)并不重要 - 攻击者也会这样做。 If you could pass the hash/decrypted password and have MySQL compare it would be just as repeatable (and the hash would function as a password anyway). 如果您可以传递散列/解密密码并进行MySQL比较,那么它就是可重复的(无论如何散列都将起到密码的作用)。
So, the easy answer is: You can't do this. 所以,简单的答案是:你不能这样做。 You have some options... 你有一些选择......
- Set up a correctly chmoded (600) ~/.my.cnf with the credentials. 使用凭据设置正确的chmoded(600) 〜/ .my.cnf 。
- Create a 'restricted', password-less backup-account that is only allowed to log in from localhost. 创建一个“受限制的”无密码备份帐户,只允许从localhost登录。
- Only allow backup logins from localhost/backup host in either case. 在任何一种情况下,只允许来自localhost / backup host的备份登录。
- If you're on Debian you could use the debian-sys-maint account (which has a my.cnf already set up with credentials) 如果您使用的是Debian,则可以使用debian-sys-maint帐户(已经设置了my.cnf凭证)
- Restrict the mysql account and include the password in the script plain text, but only allow given user/root to read script (if you have root you can take over mysql anyway). 限制mysql帐户并在脚本纯文本中包含密码,但只允许给定的用户/ root读取脚本(如果你有root,你可以接管mysql)。
- Read/'source' the config variables (username/password) from an external file (with correct chmod - 600)...but you're basically doing the my.cnf -thing by then. 从外部文件中读取/'源'配置变量(用户名/密码)(正确的chmod - 600)...但是你基本上是在做my.cnf -thing。
Remember a "backup account" does not need write privileges etc... 请记住,“备份帐户”不需要写权限等...
解决方案2
2 2013-12-09 13:51:48
afaict, there's no way to do what you're looking for. afaict,没有办法做你想要的。 Whether you store the hash or the original password, you will anyway store very sensible information that might be evil used if someone gets read access to your script. 无论您是存储哈希值还是原始密码,无论如何都会存储非常合理的信息,如果有人获得对您脚本的读取权限,则可能会使用这些信息。
What you may prefer, is instead setup up an user account that can't login, and setup up mysql so that user has the exact permissions for your script. 您可能更喜欢的是设置一个无法登录的用户帐户,并设置mysql以便用户拥有您的脚本的确切权限。 And also make it so that this user is the only one having exec access to the script. 并且还使得该用户是唯一具有exec访问权限的用户。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.