As part of running a backup script for a Linux server, I have commands like mysqldump within a bash script which contain the MySQL root password, and certain FTP server passwords. Are these retrievable by a malicious user, from the server logs?
I know that while the script is being run, processes like mysqldump can be viewed with the command line parameters, on invoking a ps ax. Do these get logged to server logs? If so, how can I clean up after script execution? Is it at all possible to avoid these issues altogether?
Addendum: My question is not specifically regarding mysqldump. There are other binaries like lftp and mysqldump that require passwords as an argument. I am aware that mysqldump accepts file inputs, as does lftp. However, is it possible to generically protect commands invoked in a bash script, which may contain sensitive information, from snooping?
The history command will bring up a list of commands you have typed. In theory this data could be retrievable.
There is no generic solution for this. Tools must provide their own protection for sensitive data such as passwords. Usually, they can load credentials from a file which must be protected appropriately, like mysql with --defaults-file=. Command line arguments cannot be protected.
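The file-based approach this answer describes, sketched for mysqldump as an added example that is not part of the original answer. The function names, the MYSQLDUMP override variable and the temp-file name are assumptions; the password is assumed to contain no double quote or backslash.

```shell
#!/usr/bin/env bash
# Added example (not from the original answer). Function names, the MYSQLDUMP
# override variable and the temp-file name are assumptions made for illustration.

# Write a [client] option file only the current user can read; print its path.
# The password is read from stdin, so it is never an argument of any process.
# Assumes the password contains no double quote or backslash.
make_defaults_file() {
    local user="$1" file password
    IFS= read -r password || [ -n "$password" ] || return 1
    # mktemp creates the file with mode 0600; umask 077 makes that explicit.
    file=$(umask 077 && mktemp "${TMPDIR:-/tmp}/backup-my.cnf.XXXXXX") || return 1
    # printf is a shell builtin: no child process carries the password in argv.
    printf '[client]\nuser=%s\npassword="%s"\n' "$user" "$password" > "$file"
    printf '%s\n' "$file"
}

# Dump one database. `ps ax` shows only the option-file path, not the password.
run_backup() {
    local user="$1" db="$2" out="$3" cnf status=0
    cnf=$(make_defaults_file "$user") || return 1
    # --defaults-file must be the first option on the command line.
    "${MYSQLDUMP:-mysqldump}" --defaults-file="$cnf" --single-transaction "$db" \
        > "$out" || status=$?
    rm -f "$cnf"    # remove the credentials file whether or not the dump worked
    return "$status"
}

# Usage (hypothetical paths), with the password kept in a root-only 0600 file:
#   run_backup backup shop /var/backups/shop.sql < /root/.backup-pass
```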