mylvmbackup-discuss team mailing list archive

Re: Password from environment patch

 

Hi Yves,

thanks for your message and sorry for the late reply!

On 09/02/10 22:55, Yves Goergen wrote:

> I just wanted to throw in my patch for mylvmbackup. I didn't want to put
> my MySQL root password on the command line and I didn't want to start
> using a configuration file for this single option either. I rather like
> the way duplicity does it, reading passwords from an environment
> variable if set.

An interesting approach!

> So I took the mylvmbackup source code and hacked in a
> single line - this is probably the first line ever that I'm speaking
> Perl.

:)

> I didn't take the hassle to create a patch, just add the following
> line right after the GetOptions() call in the load_args function. For me
> (0.13 on Ubuntu) this is line 395.
> 
>    $password = $ENV{"PASSWORD"} if ($password eq "");
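
Review bot: The added line assigns `$ENV{"PASSWORD"}` whenever `$password` is empty, even when that variable is not set in the environment, so `$password` ends up undef instead of staying an empty string; guard the assignment with `defined $ENV{"PASSWORD"}`. The name PASSWORD is also generic and says nothing about MySQL, so a tool-specific name would avoid picking up a value exported for something else.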

Thank you!

> If no password is set after parsing the command line arguments, it will
> be read from the environment. I didn't test what happens when no
> password is set on the command line *and* in the environment though as
> it makes no sense to me.

It would probably bail out with an error.

> Call it like so:
> 
>    PASSWORD=123 mylvmbackup --options ...

Hmm, so you did not want to put the password in the command line, but you're
willing to make it visible in the process environment?

By the way, the MySQL Client library (and consequently Perl/DBI) already
supports this functionality. The environment variable is called "MYSQL_PWD" -
have you tried it?

http://dev.mysql.com/doc/refman/5.0/en/environment-variables.html

However, this approach is not recommended. Quoting the manual again:

http://dev.mysql.com/doc/refman/5.0/en/password-security-user.html

[SNIP]
Store your password in the MYSQL_PWD environment variable. See Section 2.21,
“Environment Variables”.

This method of specifying your MySQL password must be considered extremely
insecure and should not be used. Some versions of ps include an option to
display the environment of running processes. If you set MYSQL_PWD, your
password is exposed to any other user who runs ps. Even on systems without
such a version of ps, it is unwise to assume that there are no other methods
by which users can examine process environments.
[SNIP]

On Linux, you can just look at /proc/<id>/environ to find the password...
So it's not really any more secure than passing the password on the command line.

> I'd be happy if this patch is helpful to anybody. Maybe it gets
> integrated in the main version so I don't have to modify mine.

Thank you very much for your suggestion. However, I think this functionality
already exists (using $MYSQL_PWD) and it would thus be redundant. Therefore I
am not going to include it. I hope you understand.

Bye,
	LenZ
-- 
  Lenz Grimmer <lenz@xxxxxxxxxxx> - http://www.lenzg.net/
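
The exposure described above through /proc/<id>/environ can be checked for on a host. The following is an added example, not part of the original message or of mylvmbackup: a shell function that lists which processes carry a password-style variable in their environment, printing the PID and variable name but never the value. The function name `audit_environ`, its two parameters and the default name list (MYSQL_PWD from the manual, PASSWORD from the suggested line) are assumptions made for this example.

```shell
#!/bin/sh
# Report processes whose environment carries a password-style variable.
# Output is "<pid> <VARIABLE_NAME>" per hit; the value itself is never printed.
#
# $1: proc root (default /proc; a parameter so the function can be pointed
#     at a constructed directory tree for testing).
# $2: extended regex of variable names to flag (assumed defaults: MYSQL_PWD
#     from the MySQL manual and PASSWORD from the line proposed in the thread).
audit_environ() {
    root=${1:-/proc}
    names=${2:-'MYSQL_PWD|PASSWORD'}
    for f in "$root"/[0-9]*/environ; do
        # Entries this user may not read (or an unmatched glob) are skipped.
        [ -r "$f" ] || continue
        pid=${f%/environ}
        pid=${pid##*/}
        # environ holds NUL-separated NAME=value pairs. Split on NUL, keep
        # exact name matches, then cut the value away before printing.
        # A value containing a newline could cause a false hit; that errs
        # on the side of reporting.
        tr '\0' '\n' 2>/dev/null < "$f" |
            grep -E "^($names)=" |
            cut -d= -f1 |
            sort -u |
            while IFS= read -r name; do
                printf '%s %s\n' "$pid" "$name"
            done
    done
}
```

Calling `audit_environ` with no arguments scans the live /proc; only the entries the calling user is permitted to read are checked.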
