0

I'm tryng to find a solution for upload data on a remote mysql database using a python daemon.

My base script use a simple query "INSERT INTO...." but in top of the script there are in clear the credentials to connect on database:

conn = MySQLdb.connect(host="192.168.1.123", user="root", passwd="Pa$$w0rd", db="mydb")

I do not want anyone reading the python script can access the database directly.

  1. I need to use python scripts on clients
  2. The server with mysql db is on cloud
  3. The clients are Raspberry pi
  4. In the server I can use php
MadCat
  • 103
  • 1
  • 11

1 Answers1

2

Several ways

1. Use mysql.cnf file

Mysql cnf files is a config file storing MySQL credentials, if this server or client executing the script has one, you can use it like:

db=_mysql.connect(host="outhouse",db="thangs",read_default_file="~/.my.cnf")

Credentials are not in your Python script anymore, but they are clear in cnf file anyway and you must have this file in the same place everywhere you want to use your script.

source: http://mysql-python.sourceforge.net/MySQLdb.html

2. Command line argument

You can parse command line arguments to get credentials from it like:

import sys
user = sys.argv[1]
password = sys.argv[2]
conn = MySQLdb.connect(host="192.168.1.123", user=user, passwd=password, db="mydb")

And so execute your script with:

python myscript "root" "pa$$w0rd"

With this method credentials can't be found in any config file, but you have to execute it with arguments, if it's a deamon it can be ok, but if you want to use it as cron (by example), you will have to write credentials in crontab, so not so safe.

3. Environment variables

Another way is to use environment variables

import os
conn = MySQLdb.connect(host="192.168.1.123", user=os.environ['MYSQL_USER'], passwd=os.environ['MYSQL_PASSWORD'], db="mydb")

But you will have to set these variables somewhere. In ~/.bash_profile, /etc/profile or by command line. So if somebody access to user that can execute script, he can read password.

4. Encoding

Encoding seems to be a good way to hide password, but in fact you can not really hide from someone who can access to the right user in the right server.

Encoded string without salt is easy to decode, some encoding methods are easy to spot and can be decoded by anyone.

Using a salt will make work more harder, but if somebody can access to you code, it will be easy to locate salt phrase (no matter if salt is stored in environment var, in a file or directly in code).

Using .pyc files can be an idea too, but first, it's not recommended and anybody can read content by creating a python script importing this pyc file and print what stored in.

Encoding credentials still is still a good thing, but encoded string can always be decoded, if your code can, somebody with access to it can too. A simple print password added in your code and regardless of the used method the password will be accessible.

So you have to secure your python code, but Unix users & groups too and mysql config too.

Arount
  • 7,881
  • 1
  • 23
  • 37
  • My first target is a method where no one can decript, found or get my database credentials. is in the 4 solution a way to decode the password ?? – MadCat Dec 09 '16 at 14:05
  • 1
    I added more info about encoding, but I don't think this question do not need a toospecific awnser, here is a stackoverflow question about python encoding with salt: http://stackoverflow.com/questions/9594125/salt-and-hash-a-password-in-python – Arount Dec 09 '16 at 14:33
  • 1
    4 is a nonstarter (this also isn't really called 'encoding') and the question and answer you linked in your comment is about something else (and also wrong, as it says itself). – pvg Dec 09 '16 at 14:37