I just noticed that some CentOS 4 or 5 machine that I don't admin but
have root access to hides MySQL passwords from ps:

Console 1:
$ mysql -u root -pSECRET
mysql >

Console2:
# ps aux
root 32165 0.0 0.1 109408 2204 pts/1 Ss+ 11:19 0:00 mysql -u root -px xxxxxxxxxxxxxxxxxx

That is really nice, is it a MySQL feature or a CentOS feature? I have
some other servers that I _do_ admin and I'd like to enable this.

Thanks!

--
Dotan Cohen
http://gibberish.co.il
http://what-is-what.com

On Sun, 2011-09-11 at 19:32 +0300, Dotan Cohen wrote:
> I just noticed that some CentOS 4 or 5 machine that I don't admin but
> have root access to hides MySQL passwords from ps:
>
> Console 1:
> $ mysql -u root -pSECRET
> mysql >
>
> Console2:
> # ps aux
> root 32165 0.0 0.1 109408 2204 pts/1 Ss+ 11:19 0:00 mysql
> -u root -px xxxxxxxxxxxxxxxxxx
>
> That is really nice, is it a MySQL feature or a CentOS feature? I have
> some other servers that I _do_ admin and I'd like to enable this.
----
you'd still have it in bash_history though so it's really a poor idea to
ever pass a significant password directly on the command line execution -
whether visible or not visible to ps.

Much better is to be prompted for the password instead...

mysql mysql -u root -p

and it will prompt

another option is to have ~/.my.cnf which already has your password

Craig

Getting back to the original question, it is a feature of mysql (not of
CentOS per se), but there's nothing that stops other (C) programs from
doing something similar. Shortly after startup, a programmer can set
things up so that command line arguments (or in this case one of them)
are hidden from anyone viewing the process table.

However, even using this mechanism there is a window where, if someone
looks at the process table at the right time, they will see the password
in cleartext. So, despite the mysql programmers trying to minimize the
chance of leaking the password it is still a risk and so the advice
others have given about -p (without the password) and .my.cnf is still
the best option.

Devin
--
If swimming is so good for your figure, how do you explain whales?
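
The in-place overwrite described in the message above, as an added example that is not part of the original thread and is not MySQL's own code. It assumes Linux (/proc/self/cmdline) and handles only the short "-pPASSWORD" form; the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Overwrite the value of a "-pPASSWORD" argument in place with 'x'.
 * The write must go into the original argv memory, because that is what
 * /proc/<pid>/cmdline (and therefore ps) reads. Returns bytes masked. */
size_t scrub_password_arg(char *arg)
{
    size_t n = 0;
    if (arg == NULL || strncmp(arg, "-p", 2) != 0)
        return 0;
    for (char *p = arg + 2; *p != '\0'; p++, n++)
        *p = 'x';
    return n;
}

/* Scrub every -p argument; returns the total number of masked bytes. */
size_t scrub_argv(int argc, char **argv)
{
    size_t total = 0;
    for (int i = 1; i < argc; i++)
        total += scrub_password_arg(argv[i]);
    return total;
}

/* Copy this process's command line, as other users' ps would see it,
 * into buf with NUL separators turned into spaces. Returns length or -1. */
long read_own_cmdline(char *buf, size_t cap)
{
    FILE *f = (cap > 0) ? fopen("/proc/self/cmdline", "r") : NULL;
    if (f == NULL)
        return -1;
    size_t n = fread(buf, 1, cap - 1, f);
    fclose(f);
    for (size_t i = 0; i + 1 < n; i++)
        if (buf[i] == '\0')
            buf[i] = ' ';
    buf[n] = '\0';
    return (long)n;
}

int main(int argc, char **argv)
{
    char view[4096];
    /* The window: until scrub_argv() runs, the secret is in the process table. */
    if (read_own_cmdline(view, sizeof view) >= 0)
        printf("before scrub: %s\n", view);
    scrub_argv(argc, argv);
    if (read_own_cmdline(view, sizeof view) >= 0)
        printf("after scrub:  %s\n", view);
    return 0;
}
```

Run as `./a.out -u root -pSECRET`: the first line printed still contains the password, which is the exposure window the message describes, and the scrub does nothing about shell history.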