How Mysql hides the password on the command line in a Linux system _mysql

Entering commands on the command line is not a good idea and can create security problems. But if you decide to write an application, the application needs to use a password or other sensitive information on the command line. So, can you prevent other users of the system from seeing these sensitive data easily by using the following methods? , like MySQL hiding passwords under the PS command.

Suppose I have two users in this system, one is root and one is Dabu. The test system for CentOS 6.5 is done in the following steps:

[Root@dabu.info ~] #su dabu #切换到dabu这个账号
[dabu@dabu.info ~] $CD ~ #切换到dabu的home目录
[Dabu@dabu.info ~]$ Touch pwhide.c #创建 pwhide.c file
[dabu@dabu.info ~] $ls

Show:

Copy Code code as follows:

Pwhide.c

Save the following code to PWHIDE.C:

#include <stdio.h> #include <unistd.h>/* UNIX class system-defined symbol constants header file/#include <string.h>/* character array function definition header file * /#include <sys/types.h>/* Unix/linux system Basic System data Type header file/int main (int argc, char *argv[])/* parameter argc refers to the number of parameters in the command line, including Execution file itself).     The parameter argv is a pointer array of a carton string */{int i = 0; pid_t mypid = Getpid ();        /* Get the Program Runtime pid*/if (argc = = 1)/* If the number of ARGC parameters is equal to 1, according to the requirements, should be ARGC 2 before the line/return 1;  /* Exception exit/printf ("argc =%d and Arguments are:\n", argc);   /* Print ARGC number of parameters/for (i < argc; i++)/* Print I serial number, and corresponding argv array pointer element/printf ("%d =%s\n", I, argv[i]); /* Print I serial number, and corresponding argv array pointer element/printf ("replacing the argument with x:es ... Now open another terminal and Run:ps P%d\n ", (int) mypid);  /* Print the string and the program Yes pid*/fflush (stdout);  * Empty the buffer and print its contents * * memset (argv[1], ' x ', strlen (argv[1)); * Note that this is the focus and key point of this article. (original http://www.dabu.info/?p=5150) is the use of memset (void *s, int c, size_t N) function with x to overwrite each character of the password *.   You can also replace x with a, then recompile the run, and then PS see what is different/getc (stdin); /* Wait and get keyboard input, in fact, the main function here is to keep the C program in the running state, so that you can view the PID through PS to observe the passwordWhether it is hidden.     So after this function is run, there can be no more keyboard operation * * return 0;  /* Normal exit/#include <stdio.h> #include <unistd.h>/* UNIX class system-defined symbol constant header file * * #include <string.h>/* The header file for a function definition of a character array/#include <sys/types.h>/* Unix/linux system header File/int main (int argc, char *argv[])/* Parameter A RGC refers to the number of arguments in the command line, including the execution file itself.     The parameter argv is a pointer array of a carton string */{int i = 0; pid_t mypid = Getpid ();        /* Get the Program Runtime pid*/if (argc = = 1)/* If the number of ARGC parameters is equal to 1, according to the requirements, should be ARGC 2 before the line/return 1;  /* Exception exit/printf ("argc =%d and Arguments are:\n", argc);   /* Print ARGC number of parameters/for (i < argc; i++)/* Print I serial number, and corresponding argv array pointer element/printf ("%d =%s\n", I, argv[i]); /* Print I serial number, and corresponding argv array pointer element/printf ("replacing the argument with x:es ... Now open another terminal and Run:ps P%d\n ", (int) mypid);  /* Print the string and the program Yes pid*/fflush (stdout);  * Empty the buffer and print its contents * * memset (argv[1], ' x ', strlen (argv[1)); * Note that this is the focus and key point of this article. (original http://www.dabu.info/?p=5150) is the use of memset (void *s, int c, size_t N) function with x to overwrite each character of the password *. You can also replace x with a, then recompile the run, and then PS see what the difference is/getc (sTdin); /* Wait and get keyboard input, in fact, the main function here is to keep the C program in the running state, so that you can view the PID through PS to see if the password is hidden.     So after this function is run, there can be no more keyboard operation * * return 0;

 /* Normal exit */}

Then compile the pwhide.c command as follows:

[Dabu@dabu.info ~]$ gcc-o Hide pwhide.c #编译后的文件叫 hide
[dabu@dabu.info ~]$ ls

Show:

Copy Code code as follows:

Hide Pwhide.c

To test with a compiled program:

[Dabu@dabu.info ~]$./hide dabu.info//dabu.info as a parameter (in fact, a password) to test the
display:
argc = 2 and arguments are:
0 =./hide
   1 = Dabu.info
Replacing-argument with x:es ... Now open another terminal and Run:ps p 15585

Note: PS P 15585. You may not be the same as me, because the PID will change every time it runs. What number do you show, and what number will you use later?

After displaying the results above, no more action is done and the Terminal Window (Command window) is not closed. Then log in with the root account, which is equivalent to opening two terminal windows at the same time. Enter the following command:

[Root@dabu.info ~] #ps p 15585 #就是运行./hide dabu.info, the PID display of this program is
:
pid TTY STAT time COMMAND
15585 pts/0 0:00./hide xxxxxxxxx  //dabu.info has a total of 9 characters, so this shows 9 x

As a result of this test, we know that this method allows MySQL to hide the password on the command line under the PS command. By the way, after you write another program, you know how to use this method to have the program hide command-line arguments under the PS command.

For simplicity's sake, the code above may not be easy to migrate to other platforms, but it can work on Linux and express the key points. In other environments, such as FreeBSD, you can use the system call Setproctitle () to do this coolie work for you. The key point is to rewrite the argv