Basic MySQL Security: Providing passwords on the command line
Reading through the comments in Ronald's second post about More Basic MySQL Security, I noticed that there seems to be a misunderstanding about the implications of providing passwords to the mysql command line client via the "-p" option:
What’s more insecure is passing password as an argument to MySQL, like you’ve written (-p[password]), since that can really be seen by anyone.
While Linux security is often considered good, an astonishing weakness is “ps aux”, where every user can see every process running. Therefore, even user “games” can see that user root is running “mysql -pmypassword”. I find this a much higher risk than putting the MySQL’s root password in a file, where a user needs to gain access to the machine’s “root”.
Well, this isn't actually the case! Try it for yourself and start the MySQL command line client by providing a user's password via the "-p" option:
    $ mysql -u root -p<somepassword>
    Welcome to the MySQL monitor. Commands end with ; or \g.
    Your MySQL connection id is 5
    Server version: 5.1.34 SUSE MySQL RPM

    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

    root@localhost:(none) >

Now, open a second shell and check the process list:

    $ ps aux | grep "mysql -u"
    lenz 19357 0.0 0.0 7868 2884 pts/4 S+ 12:30 0:00 mysql -u root -px xxxxx

As you can see, the password has been obfuscated by replacing the password with "x" characters. This action is performed by the mysql client after parsing the -p option. Let's take a look at the sources:
    case 'p':
      if (argument == disabled_my_option)
        argument= (char*) "";                 // Don't require password
      if (argument)
      {
        char *start= argument;
        my_free(opt_password, MYF(MY_ALLOW_ZERO_PTR));
        opt_password= my_strdup(argument, MYF(MY_FAE));
        while (*argument) *argument++= 'x';   // Destroy argument
        if (*start)
          start[1]=0 ;
        tty_password= 0;
      }
In theory, there is a very short window in which the password can be seen in plaintext (after the mysql process has started up until it has performed the obfuscation), but capturing this information takes really good timing.
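The scrubbing step and the window before it can be observed with a small stand-alone program. This is an added example, not code from the MySQL sources: the names `scrub_password_arg` and `read_cmdline` are assumptions, plain libc calls stand in for `my_strdup`/`my_free`, and it assumes Linux, where `/proc/self/cmdline` holds what `ps` displays.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Keep a private heap copy of the secret, then overwrite the argv bytes in
   place (same steps as the excerpt above). Caller frees the returned copy. */
char *scrub_password_arg(char *argument)
{
    char *start = argument;
    char *copy = malloc(strlen(argument) + 1);
    if (copy == NULL)
        return NULL;
    strcpy(copy, argument);
    while (*argument)
        *argument++ = 'x';      /* destroy every byte of the original */
    if (*start)
        start[1] = '\0';        /* ps prints this NUL as a space: "x xxxxx" */
    return copy;
}

/* Read this process's command line as other users see it; NUL separators
   are turned into spaces. size must be at least 1. Returns bytes read. */
size_t read_cmdline(char *buf, size_t size)
{
    size_t n = 0, i;
    FILE *f = fopen("/proc/self/cmdline", "rb");
    if (f != NULL) {
        n = fread(buf, 1, size - 1, f);
        fclose(f);
    }
    for (i = 0; i < n; i++)
        if (buf[i] == '\0') buf[i] = ' ';
    buf[n] = '\0';
    return n;
}

int main(int argc, char **argv)
{
    char line[4096], *password;
    if (argc < 2 || strncmp(argv[1], "-p", 2) != 0 || argv[1][2] == '\0') {
        fprintf(stderr, "usage: %s -p<constructed-test-password>\n", argv[0]);
        return 1;
    }
    read_cmdline(line, sizeof line);
    printf("before scrub: %s\n", line);   /* the exposure window */
    if ((password = scrub_password_arg(argv[1] + 2)) == NULL)
        return 1;
    read_cmdline(line, sizeof line);
    printf("after scrub:  %s\n", line);   /* what ps shows from now on */
    free(password);
    return 0;
}
```

Run it with a throwaway value only: the shell still records the full command line in its history file.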
But it's of course true that this information also gets stored in the user's shell history file, e.g. ~/.bash_history, where it potentially could be seen by other users if the file permissions are not set up correctly. So always make sure that your entire home directory (or at least the history file) is protected against being read by other users (using chmod/chown appropriately)!