
Re: MYSQL_PWD env variable precedence
Posted by: Georgi Kodinov
Date: May 10, 2019 01:22AM

Eduardo,

I suggest you read through https://dev.mysql.com/doc/refman/8.0/en/password-security-user.html.

MYSQL_PWD is considered to be even less secure than passwords-on-the-command-line, as all programs that run in your session can access that. Or even all local users of the operating system in some cases.

I suggest that you take a long hard look at why you need to specify passwords on the command line to begin with. This is what this warning is trying to provoke.

If you're using e.g. shell scripts to access your database you might want to consider using https://dev.mysql.com/doc/refman/8.0/en/mysql-config-editor.html and store your "login paths" (including a password) in a single controlled location.

Ideally for unattended logins you should consider different authentication methods like e.g. X509 certificate verification (see https://dev.mysql.com/doc/refman/8.0/en/create-user.html, the "CREATE USER SSL/TLS Options" section) or unix socket authentication (https://dev.mysql.com/doc/refman/8.0/en/socket-pluggable-authentication.html) if possible. Both of these will not require a password as they authenticate you via other means (something you have or your OS session).

If none of this is an option then you can of course just restrict the user account you're logging in to a particular host in your network and accept passwordless logins (since that's what you're doing effectively with putting your password in MYSQL_PWD environment variable, except that you're also revealing the kind of passwords you use with that).

Georgi "Joro" Kodinov
MySQL SrvGen team lead
Plovdiv, Bulgaria
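An added example, not part of the post above: a small audit that finds processes carrying MYSQL_PWD in their environment (the exposure the reply describes), plus the login-path alternative the reply recommends. It assumes a Linux /proc; the login-path name "backup" and host "db.example.internal" are hypothetical.

```shell
#!/bin/sh
# Added example (not from the forum post): audit a host for processes whose
# environment sets MYSQL_PWD. Assumes Linux /proc; the root can be overridden
# (used below for offline testing with a constructed tree).

# Print the PID of every process whose environment sets MYSQL_PWD.
# Only the PID is reported, never the value, so the audit output does not
# become one more place the password leaks.
find_mysql_pwd_exposure() {
  proc_root="${1:-/proc}"
  for dir in "$proc_root"/[0-9]*; do
    [ -r "$dir/environ" ] || continue
    # environ is NUL-separated; turn it into lines before matching.
    if tr '\000' '\n' < "$dir/environ" 2>/dev/null | grep -q '^MYSQL_PWD='; then
      basename "$dir"
    fi
  done
}

# Number of exposed processes; anything above zero is the condition to alert on.
count_mysql_pwd_exposure() {
  find_mysql_pwd_exposure "$1" | wc -l | tr -d ' '
}

# The alternative the reply recommends for scripts: store a login path with
# mysql_config_editor, so the client reads credentials from ~/.mylogin.cnf
# and nothing is placed in argv or the environment. Hypothetical login-path
# name and host; run once interactively, since --password prompts for input.
setup_login_path_example() {
  mysql_config_editor set --login-path=backup --host=db.example.internal \
    --user=backup --password
  # Scripts then run, for example: mysql --login-path=backup -e 'SELECT 1'
}
```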
