Re: hiding passwd in cmdlines that appear in the process list

bruce wrote:
> hi jochem...
> 
> if no one provides you with a solution.. you might replicate what's already
> been done in one of the php/mysql/web admin apps. given that these apps
> already manage the mysql functions, so i'm willing to bet that some of them
> have resolved this issue...

they don't have the issue because they don't use exec() to call mysql via the
command line.

and I'm rather hoping not to have to replicate squillions of lines of code
to safely parse and execute an arbitrarily complex SQL script in order to
circumvent an annoyance with exec()

my problem is nothing to do with mysql as such - it's a case of wanting
to stop passwords that need to be given in cmdline (like you do when you run mysql)
being visible in the process list (ps -ef) ... I thought I had the answer
but found I was actually being given the bird by a subshell :-).

> 
> 
> 
> -----Original Message-----
> From: Jochem Maas [mailto:jochem@xxxxxxxxxxxxx]
> Sent: Wednesday, November 29, 2006 4:10 AM
> To: [php] PHP General List
> Subject:  hiding passwd in cmdlines that appear in the process list
> 
> 
> I have been using exec() for a number of things recently - one of the things
> I'm using it for is to run mysql in order to import SQL scripts
> 
> so I have some code that looks like:
> 
>     // build the cmdline
>     $cmd = sprintf('mysql -h %s --user=%s --password=`cat %s` -D %s < "%s" 2>&1',
>                    MYSQL_SERVER, MYSQL_ROOT_USER, $rootPasswdFile,
>                    $data['db_name']['value'], $file);
> 
>     // run the mysql command via the cmdline
>     $output = array(); $exit = 0;
>     @exec($cmd, $output, $exit);
> 
> everything works. but there is a security issue - one that I thought I had
> specifically tackled.
> 
> the security issue occurs due to the fact that the process list (this is
> just linux I'm talking about) will show the complete command line, which in
> my case would look something like (in the processlist):
> 
> 
> mysql -h localhost --user=admin --password=`cat /my/sql/root/passwd/file` -D
> somedb < "/my/import/script.sql" 2>&1
> 
> 
> AH I hear you say but the wily use of "`cat /my/sql/root/passwd/file`" masks
> the actual
> password from anyone looking in the process list. indeed under normal shell
> scripting circumstances
> that may have been true.
> 
> BUT in using php's exec() to run the cmdline causes the following to show up
> in the processlist:
> 
> 
> sh -c mysql -h localhost --user=admin --password=`cat
> /my/sql/root/passwd/file` -D somedb < "/my/import/script.sql" 2>&1
> 
> 
> AND that [sub]shell then lists its process[es] in the list also, there is
> only one
> and it is this:
> 
> 
> mysql -h localhost --user=admin --password=MYFINGPWD -D somedb
> 
> 
> does anyone have an idea how to overcome this security issue (without
> resorting to having to
> type in the mysql admin passwd interactively!)
> 
> thanks & regards,
> Jochem
> 
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
> 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
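
One way to keep the password out of every argv, as an added example that is not part of the original thread: the password goes into a temporary 0600 option file handed to the mysql client with --defaults-extra-file, and mysql is started with proc_open() in array form (PHP 7.4 or later), so there is no "sh -c" subshell to expand anything. The function name import_sql_script and its parameters are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Requires PHP >= 7.4 for the
// array form of proc_open(), which runs the program without "sh -c".

/**
 * Import a SQL script with the mysql client without the password ever
 * appearing in an argv that ps can display.
 * Returns [exit code, combined stdout/stderr].
 */
function import_sql_script(string $host, string $user, string $password,
                           string $dbName, string $sqlFile): array
{
    // Assumption of this example: quotes and newlines are rejected rather
    // than escaped, so the option-file line below stays unambiguous.
    if (preg_match('/["\r\n]/', $password)) {
        throw new InvalidArgumentException('unsupported character in password');
    }
    // tempnam() creates the file with mode 0600; chmod() makes that explicit
    // before any secret is written to it.
    $optFile = tempnam(sys_get_temp_dir(), 'mycnf');
    if ($optFile === false) {
        throw new RuntimeException('cannot create temporary option file');
    }
    try {
        chmod($optFile, 0600);
        // Backslash is an escape character in option files, so double it.
        $quoted = '"' . str_replace('\\', '\\\\', $password) . '"';
        file_put_contents($optFile, "[client]\npassword=$quoted\n");

        // --defaults-extra-file must be the first option on the command line.
        $argv = ['mysql', "--defaults-extra-file=$optFile",
                 '-h', $host, "--user=$user", '-D', $dbName];
        $spec = [
            0 => ['file', $sqlFile, 'r'],   // replaces: < "script.sql"
            1 => ['pipe', 'w'],
            2 => ['redirect', 1],           // replaces: 2>&1
        ];
        $proc = proc_open($argv, $spec, $pipes);
        if (!is_resource($proc)) {
            throw new RuntimeException('failed to start mysql');
        }
        $output = stream_get_contents($pipes[1]);
        fclose($pipes[1]);
        return [proc_close($proc), $output];
    } finally {
        unlink($optFile);   // remove the secret even if the import failed
    }
}
```

With this, the process list shows only the path of the option file, which other local users cannot read. The password can be loaded from the existing root password file with trim(file_get_contents($rootPasswdFile)) before the call.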

