I am writing a bash script that I plan to execute via cron. In this script, I want to execute a command against a MySQL database, something like this:
$ mysql -u username -ppassword -e 'show databases;'
For clarity and those not familiar with mysql, the “-u” switch accepts the username for accessing the database and the “-p” is for password (space omitted purposely).
I am looking for a good way to keep the username/password handy for use in the script, but in a manner that will also keep this information secure from prying eyes. I have seen strategies that call for the following:
- Keep password in a file: pword.txt
- chmod 700 pword.txt (remove permissions for all except the file’s owner)
- Cat pword.txt into a variable in the script when needed for login.
but I don’t feel that this is very secure either (something about keeping passwords in the clear makes me queasy).
So how should I go about safeguarding a password that will be used in an automated script on Linux?
One way you can obfuscate the password is to put it into an options file. This is usually located in ~/.my.cnf on UNIX/Linux systems. Here is a simple example showing user and password:
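An added example, not part of the original question or answer: one way a cron script can create such an options file, check that it is private, and hand it to the mysql client so the password never appears on the command line. The helper names, file path, account name and password are hypothetical placeholders; `--defaults-extra-file` is the mysql client option for reading an additional options file.

```shell
#!/bin/sh
# Added example: private options file for a cron-run mysql job.
# All names and credentials used with these helpers are constructed.

# write_mysql_cnf FILE USER PASSWORD
# umask 077 makes a newly created file private from the first byte;
# the chmod covers a file that already existed with looser permissions.
# The password is double-quoted so characters such as '#' are not read
# as a comment (a password containing '"' or '\' would need escaping).
write_mysql_cnf() {
    (
        umask 077
        printf '[client]\nuser=%s\npassword="%s"\n' "$2" "$3" > "$1"
    ) && chmod 600 "$1"
}

# cnf_is_private FILE
# Succeed only if FILE is a regular file (not a symlink), owned by the
# current user, with no permission bits for group or others.
cnf_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] && [ -O "$1" ] || return 1
    # GNU stat first, BSD stat as a fallback.
    mode=$(stat -c '%a' "$1" 2>/dev/null) || mode=$(stat -f '%Lp' "$1") || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# run_query FILE SQL
# Refuse to run when the credentials file is exposed; otherwise let the
# client read the credentials from the file itself.
run_query() {
    cnf_is_private "$1" || { echo "refusing: $1 is not private" >&2; return 1; }
    # --defaults-extra-file must be the first option on the command line.
    mysql --defaults-extra-file="$1" -e "$2"
}
```

From the cron script, `run_query "$HOME/.my.cnf" 'show databases;'` then replaces the `-u`/`-p` form of the command.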