
Use MySQL Shell Securely from Bash

[Category: Database (MySQL) | Publisher: 店小二05 | Date: 2016 | Author: 红领巾]

This blog post discusses how to use the MySQL shell securely from Bash.

The Bourne shell is everywhere. It is part of the most basic Linux install. You will find it on the biggest SPARC machines down to a Raspberry Pi. It is nice to know it will always be there. Unlike other, more complex scripting environments such as Perl and Python, it doesn't require any additional dependencies to be installed.

Anyone who has automated a MySQL task using a Bourne shell such as Bash will be familiar with the following message:

    Warning: Using a password on the command line interface can be insecure.

This semi-ominous warning describes a security flaw in passing credentials on a process command line. Any unprivileged user on the system can use a command like ps aux to find these credentials. While the MySQL shell has added some additional protections to hide these credentials, other information such as database user names, host names, ports and sockets can still be determined by process scanning.

The recommended approach to get around this warning is to use a configuration file to store these credentials. However, in the case of a self-contained script, we may not want to require the user to create a credential file. It would need to be maintained, and might interfere with other tools that use the MySQL shell. For creating automated tools in the Percona Development Services department, I came up with a couple of methods for integrating the MySQL shell into Bash (or any other Bourne shell) securely.

This first script demonstrates the shell function mysql_exec(). This is for use with small queries that are normally passed to the MySQL shell via the -e parameter.

    #!/bin/sh
    # call mysql client from shell script without
    # passing credentials on command line
    # This demonstrates small single queries using
    # the -e parameter. Credentials and connection
    # info are sent through standard input.
    # david . bennett @ percona . com - 9/24/2016

    mysql_user=root
    mysql_password=password
    mysql_host=127.0.0.1
    mysql_port=3306
    mysql_database=test

    mysql_exec() {
      local query="$1"
      local opts="$2"
      # The [client] block goes to mysql on standard input, never into argv.
      # opts is passed only when set, so an empty value adds no "" argument.
      mysql_exec_result=$(
        printf "%s\n" \
          "[client]" \
          "user=${mysql_user}" \
          "password=${mysql_password}" \
          "host=${mysql_host}" \
          "port=${mysql_port}" \
          "database=${mysql_database}" \
          | mysql --defaults-file=/dev/stdin ${opts:+"${opts}"} -e "${query}"
      )
    }

    mysql_exec "select 'Hello World' as Message"
    echo "${mysql_exec_result}"

The above script allows the specification of credentials and connection information via variables in the script. As with any other shell script, these can be moved into a configuration file and secured with chown/chmod, then included with the source or . command. The mysql_exec() function creates a default my.cnf [client] section on the fly and passes it to the MySQL shell via --defaults-file=/dev/stdin. The configuration is never written to disk, which makes this method a bit more secure.

Sometimes, you need to process too many queries to pass on the command line. In this case, there is another technique for passing the credentials.

    mysql_exec_from_file() {
      local query_file="$1"
      local opts="$2"
      local tmpcnf="$(mktemp)"
      # Restrict the file before any credential is written to it.
      chmod 600 "${tmpcnf}"
      printf "%s\n" \
        "[client]" \
        "user=${mysql_user}" \
        "password=${mysql_password}" \
        "host=${mysql_host}" \
        "port=${mysql_port}" \
        "database=${mysql_database}" \
        > "${tmpcnf}"
      # Queries arrive on standard input; opts is passed only when set.
      mysql_exec_from_file_result=$(
        mysql --defaults-file="${tmpcnf}" ${opts:+"${opts}"} < "${query_file}"
      )
      rm "${tmpcnf}"
    }

This technique uses a temporary file, which allows the queries to be passed from a file or input device. Restrictive permissions are set on the file before the configuration is written. The temporary configuration is removed immediately after the shell exits.
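Both functions above write the variables into the [client] block verbatim, so a password containing # is cut short at the comment character and a value containing a line break can add option lines of its own. The following is an added example, not part of the original post or its scripts, that validates and quotes each value before the block is built. The helper names cnf_quote and mysql_client_cnf and the sample values are assumptions; it relies on the option-file rules that a value may be wrapped in single or double quotes and that \\ denotes one backslash.

```sh
#!/bin/sh
# Added example: build the [client] block with validated, quoted values.
# Assumes option-file syntax: values may be wrapped in '...' or "...",
# and \\ stands for one backslash. cnf_quote and mysql_client_cnf are
# hypothetical helper names; the mysql_* variables are the page's.

# cnf_quote VALUE: print VALUE quoted for an option-file line, or fail.
cnf_quote() {
    _v=$1
    _nl='
'
    _cr=$(printf '\r')
    case $_v in
        # A line break would let the value add option lines of its own.
        *"$_nl"*|*"$_cr"*) return 1 ;;
    esac
    # Double each backslash so the parser reads it as a literal backslash.
    _v=$(printf '%s' "$_v" | sed 's/\\/\\\\/g')
    case $_v in
        *\"*\'*|*\'*\"*) return 1 ;;        # both quote kinds: refuse
        *\"*) printf "'%s'" "$_v" ;;        # contains ": wrap in '...'
        *)    printf '"%s"' "$_v" ;;        # default: wrap in "..."
    esac
}

# mysql_client_cnf: print the whole block, or nothing if any value is unsafe.
mysql_client_cnf() {
    _out='[client]'
    for _k in user password host port database; do
        eval "_raw=\${mysql_${_k}}"         # keys are the fixed literals above
        _q=$(cnf_quote "$_raw") || {
            echo "refusing unsafe value for ${_k}" >&2
            return 1
        }
        _out="${_out}
${_k}=${_q}"
    done
    printf '%s\n' "$_out"
}

# Constructed sample values: '#' starts a comment in an unquoted value.
mysql_user=report mysql_password='s3cr#t pa\ss' mysql_host=127.0.0.1
mysql_port=3306 mysql_database=test
cnf=$(mysql_client_cnf) || exit 1
printf '%s\n' "$cnf"
# Intended use: printf '%s\n' "$cnf" | mysql --defaults-file=/dev/stdin -e "$query"
```

Capturing the block in a variable before piping it means a rejected value stops the script instead of handing mysql an empty defaults file.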

While other languages may offer cleaner ways to access your MySQL database, you'll always know that you'll be able to execute your shell-based MySQL job scripts across all of the Unix machines in your enterprise.

You can download these scripts directly from my GitHub account.

Happy scripting!
