mysqldump script without hardcode password

bulkbiz · December 20, 2008, 8:58am

OS: Linux ambglx02 2.6.16.60-0.21-default #1 Tue May 6 12:41:02 UTC 2008 i686 i686 i386 GNU/Linux
Shell: bash

Currently I have a mysqldump script to backup my mysql database, the command is as below:

/opt/novell/mysql/bin/mysqldump --add-drop-table -u root -p[password] -h [hostname] mydb > /home/john/mydb.sql

I need to create a script without hardcoding the password, any idea how to achieve this?

FYI, I will need to put the script into crontab to do scheduling.

bulkbiz · December 20, 2008, 8:44pm

No one can help?

frank_rizzo · December 20, 2008, 11:17pm

setup a .my.cnf file. see the documentation for details.

bulkbiz · December 21, 2008, 12:59am

but this require me to hardcode my password in the my.cnf, it makes no difference for me, I can't hard code all password. IT Auditors will never allow that.

frank_rizzo · December 21, 2008, 1:08am

I don't think you can get around it. This is much better then using the password on the command line. The file would be protected so only the mysql user and root could read it. It is not uncommon for applications to hard code passwords.

having said that, you might be able to setup a user with no password, but only allow connections via localhost. This might help your embedded password issue but now anyone who can run things locally can get root on the database without a password.

meharo · December 21, 2008, 5:16am

hi bulkbiz,

Actually it is possible to hardcode a password inside shell script and hide it from casual viewers (not advanced viewers).

Either use,

gzexe - compress executable files in place

Find more at "man gzexe". It is just gziping your shell script and creates another shell wrapper to automatically gunzip and execute when somebody calls it. Beware of this if you uncompress this program, it is pretty easy to read the contents. Simply more useful to compress and save disk space.

or

shc - Generic shell script compiler

Download shc for you distribution and install it. This small program first encrypts your shell script using RC4 algorithm and then creates a binary executable file which can decrypt the program into memory at runtime. Go through "man shc" for additional options. The biggest disadvantage of this utility is it stores the encryption key also inside the same binary which allow us to decrypt and read it. Also read this article how to beat shc Paranoid Penguin - Limitations of shc, a Shell Encryption Utility | Linux Journal