Store MySQL password in bash-script

Question

Need to create simple mysql-backup script.

But - how can I store encrypted pass of MySQL user in it?

I want to avoid store password in plaintext type in any additional files.

As I found in MySQL manual:

MySQL encrypts passwords stored in the user table using its own algorithm

So. there is no way to just get hash and set it as variable?

I mean:

DBHASH="cGFzc3dvcmQ="
DBPASS=`echo $DBHASH | openssl enc -base64 -d`

Is there any correct way to sovle it? Thanks for tips.

Answer 1

It doesn't matter if the script contains a plaintext password or not if it includes a repeatable routine for getting into MySQL (i.e. automatically decrypting) - an attacker would just do the same. If you could pass the hash/decrypted password and have MySQL compare it would be just as repeatable (and the hash would function as a password anyway).

So, the easy answer is: You can't do this. You have some options...

• Set up a correctly chmoded (600) ~/.my.cnf with the credentials.
• Create a 'restricted', password-less backup-account that is only allowed to log in from localhost.
• Only allow backup logins from localhost/backup host in either case.
• If you're on Debian you could use the debian-sys-maint account (which has a my.cnf already set up with credentials)
• Restrict the mysql account and include the password in the script plain text, but only allow given user/root to read script (if you have root you can take over mysql anyway).
• Read/'source' the config variables (username/password) from an external file (with correct chmod - 600)...but you're basically doing the my.cnf-thing by then.

Remember a "backup account" does not need write privileges etc...