Running mysql dump in a cron job without exposing passwords
Hire the world's top talent on demand or became one of them at Toptal: https://topt.al/25cXVn
and get $2,000 discount on your first invoice
--------------------------------------------------
Take control of your privacy with Proton's trusted, Swiss-based, secure services.
Choose what you need and safeguard your digital life:
Mail: https://go.getproton.me/SH1CU
VPN: https://go.getproton.me/SH1DI
Password Manager: https://go.getproton.me/SH1DJ
Drive: https://go.getproton.me/SH1CT
Music by Eric Matyas
https://www.soundimage.org
Track title: Fantascape Looping
--
Chapters
00:00 Running Mysql Dump In A Cron Job Without Exposing Passwords
00:24 Answer 1 Score 0
00:52 Answer 2 Score 4
01:22 Accepted Answer Score 15
02:33 Answer 4 Score 0
02:49 Thank you
--
Full question
https://superuser.com/questions/490521/r...
--
Content licensed under CC BY-SA
https://meta.stackexchange.com/help/lice...
--
Tags
#security #cron
#avk47
ACCEPTED ANSWER
Score 15
As stated in man mysqldump: see 6.1.2.1. End-User Guidelines for Password Security in the MySQL reference manual.
An option file is the safest bet, not least according to the above reference. Giving it in plaintext in crontab is not good, not least since the process command line by default is visible through ps for other users. The same actually applies for environment variables as explained in the reference.
Relevant portion of the MySQL reference manual:
Store your password in an option file. For example, on Unix, you can list your password in the
[client]section of the.my.cnffile in your home directory:[client] password=your_passTo keep the password safe, the file should not be accessible to anyone but yourself. To ensure this, set the file access mode to
400or600. For example:shell> chmod 600 .my.cnfTo name from the command line a specific option file containing the password, use the
--defaults-file=file_nameoption, wherefile_nameis the full path name to the file. For example:shell> mysql --defaults-file=/home/francis/mysql-optsSection 4.2.3.3, “Using Option Files”, discusses option files in more detail.
Also see https://stackoverflow.com/q/10725209.
ANSWER 2
Score 4
Run the cronjob as a specific user and use some simple Bash logic to extract the password from a plaintext file stored somewhere on the system with permissions that only allow the user (or perhaps group) to access it.
PASS=`cat /path/to/pwdfile`
mysqldump -u aUser -p $PASS--all-databases > backup.sql
So if the cronjob runs as user 'example', the ownership of the file should be "example:example" and permissioned 0400.
You can also achieve a similar function using a user-level .my.cnf.
ANSWER 3
Score 0
Anyone with access to the machine has the same level of access to /var/spool/cron/crontabs/ as to /var/lib/mysql you allow them to have. So, set the proper permissions on the directories and done. Anyone with root-access has direct access to the database files directly. Anyone you do not trust to have access to the machine should not have access at all to the machine.
Usually folks only see their own cronjobs via crontab -l.
ANSWER 4
Score 0
For backup purposes, consider having a read-only user in mysql, like so
CREATE USER bUser IDENTIFIED BY 'p4ss';
GRANT SELECT ON *.* TO bUser@localhost;
GRANT LOCK TABLES ON *.* TO bUser@localhost;
mysqldump requires only SELECT and LOCK TABLES privileges to do its job.