Even more on MySQL password security

This post follows Ronald Bradford’s More Basic MySQL Security, and Lenz Grimmer’s Basic MySQL Security: Providing passwords on the command line and More on MySQL password security.

In Ronald’s post I’ve argued that passwords provided on the command line are visible in plaintext on “ps aux”. Lenz has argued that this is incorrect, providing the source code to support that. Giuseppe commented that this has been fixed since 2002. Later on, Lenz shows that passwords are visible in plaintext on OpenSolaris, Solaris and variants of BSD and SysV.

Mental note: old habits die hard; I must remember to revisit issues from time to time.

Centralizing

Back to the question: why use a file to store your password, and not provide it on the command line?

In software programming, you define a ‘magic number’ only once, as a constant or parameter, so that you can change its value in one single place instead of hunting for it throughout the code. In the same way, placing the password in a config file makes changing passwords easier.

Many utilities can use the config-file syntax: the various mysql clients, mytop, maatkit, others…

Instead of placing passwords in numerous scripts, crontabs etc., why not write it down in one single place, then let everyone look for it there? (Obviously, don’t give out the root password to everyone freely; grant just enough privileges as required.)

How frequently does one change passwords? In my experience, not often. I suspect the reason is the overhead of verifying everyone got the change properly. For command line utilities, a config file may ease the burden.
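One way to apply the single-place idea to the standard MySQL client programs, as an added example that is not part of the original post: the credentials live in one owner-only `[client]` option file, and a wrapper refuses to run if that file is readable by group or others. The function names, file path and account values are hypothetical; `[client]` and `--defaults-extra-file` are the clients' own option-file mechanisms.

```shell
#!/bin/sh
# Added example: one owner-only option file instead of passwords in scripts.
# Assumption: the password contains no double quote or backslash.

# Create (or replace) a [client] option file readable only by its owner.
write_option_file() {
    file=$1 user=$2 pass=$3
    (
        umask 077              # a newly created file gets mode 0600
        rm -f "$file"          # an old copy would keep its looser mode
        # Quoting the value keeps a '#' in the password from starting a comment.
        printf '[client]\nuser=%s\npassword="%s"\n' "$user" "$pass" > "$file"
    )
}

# Succeed only if the path is a regular file (not a symlink) that grants
# nothing to group or others, e.g. mode 0600 or 0400.
option_file_is_private() {
    file=$1
    [ -f "$file" ] && [ ! -L "$file" ] || return 1
    perms=$(ls -ld "$file" | cut -c5-10)   # group and other permission bits
    [ "$perms" = "------" ]
}

# Run a client against the shared file, refusing if others could read it.
# --defaults-extra-file has to be the first option the client sees.
run_client() {
    file=$1; shift
    option_file_is_private "$file" || {
        echo "refusing: $file is missing or group/world accessible" >&2
        return 1
    }
    tool=$1; shift
    "$tool" --defaults-extra-file="$file" "$@"
}

# Usage (constructed values):
#   write_option_file "$HOME/.my.cnf.report" report_ro 'constructed-pass'
#   run_client "$HOME/.my.cnf.report" mysqldump --all-databases
```

Changing the password then means rewriting this one file; crontabs and scripts that call `run_client` stay untouched.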

2 thoughts on “Even more on MySQL password security”

  1. You mean like in the “~/.my.cnf” file? 😉 … of course the permissions have to be set to “u+rw” (0600) so they don’t get published to the world.
