piping a password and security

Solution 1:

The answer to this depends on which shell you are using. Many shells have echo as a builtin command, meaning that it does not spawn a separate process and hence will not show up in a process listing. However, if you type /bin/echo or ./echo, or if you disable the builtins with the enable -n echo command, then the shell will not use its builtin command and will use the binary version instead. This will show up in a process listing.

If you are using the binary rather than the shell builtin, the echo command will show up for as long as it takes to move the data into the other process's STDIN buffer. This buffer has a finite size so if there is more data than will fit in the buffer, the echo command will have to hang around for a while until the other process can read some of the data out of the buffer. For most cases (such as the two examples you gave above) this time period will be microseconds. If you happen to be pasting a 20MB SQL dump into MySQL using echo, this could be longer. No matter how short the time is, if you are using the binary instead of the shell builtin and someone happens to get the timing just right, they will be able to see the process in the process list.

You can avoid this by putting the secret data into a file (with appropriate permissions) and using the file as STDIN like this:

mysql -u root -p < file_with_secret.sql

Solution 2:

For the mysql case, ~/.my.cnf can be used to store secrets, i.e.

[client]
user = DBUSERNAME
password = DBPASSWORD
host = DBSERVER

[mysql]
database = DBNAME
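As an added example (not code from either answer above), the POSIX shell script below ties the two answers together: it checks whether echo is a builtin in the running shell, creates a secret file that only the current user can read and feeds it to a consumer on stdin, and writes a ~/.my.cnf-style client section with the same restrictive permissions. The consume_from_stdin function is a stand-in for mysql, the write_* helpers and their names are assumptions, and the password and host values are constructed.

```shell
#!/bin/sh
# Added example, not from the original answers. Helper names are assumed;
# secret values are constructed. consume_from_stdin stands in for mysql.

# Return 0 when `echo` resolves to a shell builtin (no extra process),
# 1 when the shell would fork an external /bin/echo that `ps` can see.
echo_is_builtin() {
    case "$(command -V echo 2>/dev/null)" in
        *builtin*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Create $1 under a fresh temp directory containing $2, readable and
# writable only by the current user, and print the resulting path.
write_private_file() {
    dir=$(mktemp -d)
    path="$dir/$1"
    # umask in a subshell so the caller's umask is left untouched.
    (umask 077 && printf '%s\n' "$2" > "$path")
    printf '%s' "$path"
}

# Return 0 when the file is mode 0600 (GNU stat first, BSD stat fallback).
file_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "600" ]
}

# Stand-in for `mysql < file`: read the secret from stdin, never from argv,
# and print how many bytes were consumed.
consume_from_stdin() {
    wc -c < "$1" | tr -d ' '
}

# Write a ~/.my.cnf-style [client] section holding the password $1
# (constructed user and host) with 0600 permissions.
write_my_cnf() {
    write_private_file my.cnf "[client]
user = dbuser
password = $1
host = db.example.invalid"
}

main() {
    if echo_is_builtin; then
        echo "echo is a builtin here: no separate process to observe"
    else
        echo "echo is external here: it will appear in a process listing"
    fi
    secret=$(write_private_file secret.sql 'hunter2-constructed')
    file_is_private "$secret" && echo "secret file is 0600: $secret"
    echo "consumer read $(consume_from_stdin "$secret") bytes from stdin"
    cnf=$(write_my_cnf 'hunter2-constructed')
    file_is_private "$cnf" && echo "my.cnf is 0600: $cnf"
}

main "$@"
```

The secret reaches the consumer only through a file descriptor, so neither the process list nor shell history records it; the umask subshell guarantees the file is created 0600 rather than created world-readable and tightened afterwards.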

Tags:

Security

Shell