Re: hiding passwd in cmdlines that appear in the process list

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi !.

I don't know if my solution is better or not. but in one of my programs i
had to make a backup online then my solution was to use shell vars to put
important information like db_password . When we use putenv function those
var only exists on the current shell and on its subshells. In your case the
following code :

<?php
 putenv("DBNAME=".DB_NAME);
 putenv("DBUSER=".DB_USER);
 putenv("DBPASSWD=".DB_PASSWD);

 system('mysql -h localhost --user=$DBUSER  --password=$DBPASSWD -D $DBNAME
< "/my/import/script.sql" 2>&1');

?>

On 11/30/06, Jochem Maas <jochem@xxxxxxxxxxxxx> wrote:

Richard Lynch wrote:
> Don't use exec. ;-v

yeah - which is annoying because outside of php/exec() using the `cat
/path/2/myqyl/passwd`
trick works (i.e. ps doesn't give the passwd away)

thanks to everyone for there input - I have plenty to read/think about,
I send something back to the list when i have decided upon and tested a
working solutions

thanks everyone!

>
> Or, perhaps, write a shell script that reads the password and provides
> it to MySQL somehow without invoking another exec of some kind.
>
> You also could look into other MySQL authentication mechanisms such as
> SSL keys and whatnot -- which I only vaguely recall seeing somewhere
> in the MySQL docs.
>
> That might still end up with a PHP/world readable file that has a
> private key in it, but at least it requires the Bad Guy to take one
> more step to read said file.
>
> On Wed, November 29, 2006 6:10 am, Jochem Maas wrote:
>> I have been using exec() for a number of things recently - one of the
>> things
>> I'm using it for it to run mysql in order to import SQL scripts
>>
>> so I have some code that looks like:
>>
>>     // build the cmdline
>>     $cmd = sprintf('mysql -h %s --user=%s --password=`cat %s` -D %s <
>> "%s" 2>&1',
>>                    MYSQL_SERVER, MYSQL_ROOT_USER, $rootPasswdFile,
>>                    $data['db_name']['value'], $file);
>>
>>     // run the mysql command via the cmdline
>>     $output = array(); $exit = 0;
>>     @exec($cmd, $output, $exit);
>>
>> everything works. but there is a security issue - one that I thought I
>> had
>> specifically tackled.
>>
>> the security issue occurs due to the fact that the process list (this
>> is
>> just linux I'm talking about) will show the complete command line,
>> which in
>> my case would look something like (in the processlist):
>>
>>
>> mysql -h localhost --user=admin --password=`cat
>> /my/sql/root/passwd/file` -D somedb < "/my/import/script.sql" 2>&1
>>
>>
>> AH I hear you say but the wily use of "`cat /my/sql/root/passwd/file`"
>> masks the actual
>> password from any looking in the process list. indeed undeer normal
>> shell scripting circumstances
>> that may have been true.
>>
>> BUT in using php's exec() to run the cmdline causes the following to
>> show up in the processlist:
>>
>>
>> sh -c mysql -h localhost --user=admin --password=`cat
>> /my/sql/root/passwd/file` -D somedb < "/my/import/script.sql" 2>&1
>>
>>
>> AND that [sub]shell then lists it's process[s] in the list also, there
>> is only one
>> and it is this:
>>
>>
>> mysql -h localhost --user=admin --password=MYFINGPWD -D somedb
>>
>>
>> does anyone have an idea how to over come this security issue (without
>> resorting to having to
>> type in the mysql admin passwd interactively!)
>>
>> thanks & regards,
>> Jochem
>>
>> --
>> PHP General Mailing List (http://www.php.net/)
>> To unsubscribe, visit: http://www.php.net/unsub.php
>>
>>
>
>

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux