I have been using exec() for a number of things recently - one of the things
I'm using it for it to run mysql in order to import SQL scripts
so I have some code that looks like:
// build the cmdline
$cmd = sprintf('mysql -h %s --user=%s --password=`cat %s` -D %s < "%s" 2>&1',
MYSQL_SERVER, MYSQL_ROOT_USER, $rootPasswdFile,
$data['db_name']['value'], $file);
// run the mysql command via the cmdline
$output = array(); $exit = 0;
@exec($cmd, $output, $exit);
everything works. but there is a security issue - one that I thought I had
specifically tackled.
the security issue occurs due to the fact that the process list (this is
just linux I'm talking about) will show the complete command line, which in
my case would look something like (in the processlist):
mysql -h localhost --user=admin --password=`cat /my/sql/root/passwd/file` -D somedb < "/my/import/script.sql" 2>&1
AH I hear you say but the wily use of "`cat /my/sql/root/passwd/file`" masks the actual
password from any looking in the process list. indeed undeer normal shell scripting circumstances
that may have been true.
BUT in using php's exec() to run the cmdline causes the following to show up in the processlist:
sh -c mysql -h localhost --user=admin --password=`cat /my/sql/root/passwd/file` -D somedb < "/my/import/script.sql" 2>&1
AND that [sub]shell then lists it's process[s] in the list also, there is only one
and it is this:
mysql -h localhost --user=admin --password=MYFINGPWD -D somedb
does anyone have an idea how to over come this security issue (without resorting to having to
type in the mysql admin passwd interactively!)
thanks & regards,
Jochem
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
