Securely Using Passwords In Server Side MySQL Scripts
Today I did some administrative maintenance for the Mumble VoIP project. I fixed the MySQL server installation on our forums server.
MySQL has multiple binaries for different use cases. The ones of importance for this post are
Securely Using Passwords in Server Side MySQL Scripts
Ubuntu stores the login data, most importantly the password, for the root account of the MySQL server in
This configuration file is used for dpkg/apt package installations and upgrades when the post-installation package configuration has to run queries on the MySQL server.
.cnf MySQL configuration file is an ini-style syntax and has sections for the respective mysql (client) binaries like
mysql_upgrade program is used to upgrade the server database after the package installation has been updated. When this automatic step fails, the
mysql_upgrade program can be executed manually as well to check for and execute data upgrade migrations.
mysql is the standard client.
debian.cnf is a good example of how to securely specify login credentials without exposing it to the shell and potential logging of commands.
For a given Linux user account you can create a file
~/.my.cnf with a configuration section for
mysqldump and specify the adequate login and password for your backup scripts running under that (system) account.
[mysqldump] user=root password=secret
When the backup script/cronjob runs
mysqldump will default to using this login information.
With adequate, restrictive file permissions on
~/.my.cnf this is the recommended, secure way to store your passwords for automation.