Don't use exec. ;-v
Or, perhaps, write a shell script that reads the password and provides
it to MySQL somehow without invoking another exec of some kind.
You also could look into other MySQL authentication mechanisms such as
SSL keys and whatnot -- which I only vaguely recall seeing somewhere
in the MySQL docs.
That might still end up with a PHP/world readable file that has a
private key in it, but at least it requires the Bad Guy to take one
more step to read said file.
On Wed, November 29, 2006 6:10 am, Jochem Maas wrote:
> I have been using exec() for a number of things recently - one of the
> things
> I'm using it for it to run mysql in order to import SQL scripts
>
> so I have some code that looks like:
>
> // build the cmdline
> $cmd = sprintf('mysql -h %s --user=%s --password=`cat %s` -D %s <
> "%s" 2>&1',
> MYSQL_SERVER, MYSQL_ROOT_USER, $rootPasswdFile,
> $data['db_name']['value'], $file);
>
> // run the mysql command via the cmdline
> $output = array(); $exit = 0;
> @exec($cmd, $output, $exit);
>
> everything works. but there is a security issue - one that I thought I
> had
> specifically tackled.
>
> the security issue occurs due to the fact that the process list (this
> is
> just linux I'm talking about) will show the complete command line,
> which in
> my case would look something like (in the processlist):
>
>
> mysql -h localhost --user=admin --password=`cat
> /my/sql/root/passwd/file` -D somedb < "/my/import/script.sql" 2>&1
>
>
> AH I hear you say but the wily use of "`cat /my/sql/root/passwd/file`"
> masks the actual
> password from any looking in the process list. indeed undeer normal
> shell scripting circumstances
> that may have been true.
>
> BUT in using php's exec() to run the cmdline causes the following to
> show up in the processlist:
>
>
> sh -c mysql -h localhost --user=admin --password=`cat
> /my/sql/root/passwd/file` -D somedb < "/my/import/script.sql" 2>&1
>
>
> AND that [sub]shell then lists it's process[s] in the list also, there
> is only one
> and it is this:
>
>
> mysql -h localhost --user=admin --password=MYFINGPWD -D somedb
>
>
> does anyone have an idea how to over come this security issue (without
> resorting to having to
> type in the mysql admin passwd interactively!)
>
> thanks & regards,
> Jochem
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
