Re: [PHP] hiding passwd in cmdlines that appear in the process list

Edwin Barrios wrote:
Hi !.

I don't know if my solution is better or not.

neither do I! but I'm certainly going to give the alternative a go and see
what exsact it shows in the process list.

thanks for the tip!

but in one of my programs i
had to make a backup online then my solution was to use shell vars to put
important information like db_password . When we use putenv function those
var only exists on the current shell and on its subshells. In your case the
following code :

<?php
putenv("DBNAME=".DB_NAME);
putenv("DBUSER=".DB_USER);
putenv("DBPASSWD=".DB_PASSWD);

system('mysql -h localhost --user=$DBUSER --password=$DBPASSWD -D $DBNAME
< "/my/import/script.sql" 2>&1');

?>

On 11/30/06, Jochem Maas <jochem@xxxxxxxxxxxxx> wrote:

Richard Lynch wrote:
Don't use exec. ;-v

yeah - which is annoying because outside of php/exec() using the `cat
/path/2/myqyl/passwd`
trick works (i.e. ps doesn't give the passwd away)

thanks to everyone for there input - I have plenty to read/think about,
I send something back to the list when i have decided upon and tested a
working solutions

thanks everyone!


Or, perhaps, write a shell script that reads the password and provides
it to MySQL somehow without invoking another exec of some kind.

You also could look into other MySQL authentication mechanisms such as
SSL keys and whatnot -- which I only vaguely recall seeing somewhere
in the MySQL docs.

That might still end up with a PHP/world readable file that has a
private key in it, but at least it requires the Bad Guy to take one
more step to read said file.

On Wed, November 29, 2006 6:10 am, Jochem Maas wrote:
I have been using exec() for a number of things recently - one of the
things
I'm using it for it to run mysql in order to import SQL scripts

so I have some code that looks like:

// build the cmdline
$cmd = sprintf('mysql -h %s --user=%s --password=`cat %s` -D %s <
"%s" 2>&1',
MYSQL_SERVER, MYSQL_ROOT_USER, $rootPasswdFile,
$data['db_name']['value'], $file);

// run the mysql command via the cmdline
$output = array(); $exit = 0;
@exec($cmd, $output, $exit);

everything works. but there is a security issue - one that I thought I
had
specifically tackled.

the security issue occurs due to the fact that the process list (this
is
just linux I'm talking about) will show the complete command line,
which in
my case would look something like (in the processlist):


mysql -h localhost --user=admin --password=`cat
/my/sql/root/passwd/file` -D somedb < "/my/import/script.sql" 2>&1


AH I hear you say but the wily use of "`cat /my/sql/root/passwd/file`"
masks the actual
password from any looking in the process list. indeed undeer normal
shell scripting circumstances
that may have been true.

BUT in using php's exec() to run the cmdline causes the following to
show up in the processlist:


sh -c mysql -h localhost --user=admin --password=`cat
/my/sql/root/passwd/file` -D somedb < "/my/import/script.sql" 2>&1


AND that [sub]shell then lists it's process[s] in the list also, there
is only one
and it is this:


mysql -h localhost --user=admin --password=MYFINGPWD -D somedb


does anyone have an idea how to over come this security issue (without
resorting to having to
type in the mysql admin passwd interactively!)

thanks & regards,
Jochem

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php





--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



.

Relevant Pages