strange behaviour of script

abtechale

Hello,
I have a simple script to back up MySQL with mysqldump, but I see a strange behaviour and I'm not sure of the cause...

My script is
Bash:
#!/bin/bash

DATA=$(date +"%Y-%m-%d--%H-%M")

MYSQLDUMP=/usr/bin/mysqldump
BZIP2=/usr/bin/bzip2
IONICE=/usr/bin/ionice
NICE=/usr/bin/nice

MYSQL_USER=root
MYSQL_PASSWORD='1$2%3!a:b,c'
MYSQL_HOST=localhost
MYSQL_PORT=3306
MYSQL_BACKUP_DIR=/mnt/remote/server

SECONDS=0
echo "...---...---...--- Start backup" $DATA | tee -a $LOG
echo "...---...---...--- Executing Database Backup" | tee -a $LOG
$IONICE -c3 $NICE -n19 $MYSQLDUMP --user=$MYSQL_USER --password=$MYSQL_PASSWORD -P $MYSQL_PORT -h $MYSQL_HOST --routines --triggers --events --quick --single-transaction --all-databases > $MYSQL_BACKUP_DIR/$DATA-restic-alldb-backup.sql 2> $MYSQL_BACKUP_DIR/$DATA-restic-alldb-backup.sql.err
if [ $? -ne 0 ]
then
    echo "...---...---...--- Database Backup Failed" | tee -a $LOG
    echo "...---...---...--- Stop backup" $DATA | tee -a $LOG
    exit 2
else
    # compress the dump written above (file name must match the redirect target)
    $BZIP2 $MYSQL_BACKUP_DIR/$DATA-restic-alldb-backup.sql
    echo "...---...---...--- Database Backup Successful" $DATA | tee -a $LOG
    sync;sync
fi
exit

The strange behaviour is when I try to run
bash -x /root/backup-mysql.bash
This is the output
Code:
..............
...---...---...--- Executing Database Backup
+ /usr/bin/ionice -c3 /usr/bin/nice -n19 /usr/bin/mysqldump --user=root '--password=1$2%3!a:b,c' -P 3306 -h localhost --routines --triggers --events --quick --single-transaction --all-databases

So I have an error, and mysqldump does not work...
But why does the script "rewrite"
'--password=1$2%3!a:b,c'
It should be
/usr/bin/ionice -c3 /usr/bin/nice -n19 /usr/bin/mysqldump --user=root --password=1$2%3!a:b,c -P 3306 -h localhost --routines --triggers --events --quick --single-transaction --all-databases
or, alternatively,
/usr/bin/ionice -c3 /usr/bin/nice -n19 /usr/bin/mysqldump --user=root --password='1$2%3!a:b,c' -P 3306 -h localhost --routines --triggers --events --quick --single-transaction --all-databases

Can you help me?

Thank you
Alex
 


Concatenating literals in bash scripts always has complications, and single quotes are tricky because they are intended to be the "absolutiest" verbatim delimiters. While I don't know exactly bash's rationale for doing so, I can give you a better practice for this, which is to separate credentials from scripts.

Create a text file with just the password, let's say pwd.txt, chown it to root, and give it permissions 400. Write it without single quotes if they are not part of the password itself. If they are, escape them.
Code:
1$2%3!a:b,c
In your script, chown it to root, remove the variable MYSQL_PASSWORD, and change your line to:
Code:
$IONICE -c3 $NICE -n19 $MYSQLDUMP --user=$MYSQL_USER --password=$(cat pwd.txt) -P $MYSQL_PORT -h $MYSQL_HOST --routines --triggers --events --quick --single-transaction --all-databases > $MYSQL_BACKUP_DIR/$DATA-restic-alldb-backup.sql 2> $MYSQL_BACKUP_DIR/$DATA-restic-alldb-backup.sql.err

I'm also seeing that you're running the script as root:
abtechale said:
strange behaviour is when i try to run
bash -x /root/backup-mysql.bash
this is output
An even better practice would be, on top of the previous improvement, to not use root as the user to run all this. Instead, create a user without login ("nologin" user), let's say, "backup_user", and chown both files to that user (also chmod 400 to the pass.txt file).

Benefits:
  1. Exporting the credential to a file is useful for your script to be reusable on multiple machines or environments. Some automation (e.g. a tool like Ansible, or a deployment pipeline) could then inject the credential into the environment, and chmod and chown the files appropriately.
  2. Not using root will protect your network against code injection. If any of the tools you're using in that script is subject to a zero-day that would exit to a shell, you are giving an attacker root privileges. By using a non-personal account with no login, in the case of such a vulnerability the resulting shell, and therefore the harm, would be, at least, contained to the database.
  3. Also, the 400 permission mask will prevent any other user on the machine, other than your nologin user or root, from reading the password. Yes, that won't protect your database from a vulnerability that executes a shell for your nologin user as mentioned in the previous point, but at least it will protect in other situations.
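
A variation on the password-file advice above, as an added example that is not part of the original post: a MySQL client option file passed with --defaults-extra-file keeps the password off the mysqldump command line altogether. The helper names and the temporary path are assumptions, and the password is the sample value from the thread.

```shell
#!/bin/bash
# Added example: MySQL client option file instead of --password=... in argv.
# Helper names and paths are hypothetical; the password is a constructed sample.

# write_client_cnf PATH USER PASSWORD
# Creates PATH with mode 400, owned by whoever runs the script.
write_client_cnf() {
    rm -f "$1"
    (
        umask 077    # no group/other bits, even before the chmod below
        # Double quotes keep a '#' in the password from starting a comment.
        # Assumption: the password has no '"' or '\', which would need escaping.
        printf '[client]\nuser=%s\npassword="%s"\n' "$2" "$3" > "$1"
    )
    chmod 400 "$1"
}

# file_mode PATH -> permission string as shown by ls, e.g. -r--------
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# run_dump CNF OUTFILE: mysqldump reads user and password from CNF, so the
# dump command line (and its "bash -x" trace) carries no secret.
# --defaults-extra-file has to be the first option.
run_dump() {
    /usr/bin/mysqldump --defaults-extra-file="$1" -P 3306 -h localhost \
        --routines --triggers --events --quick --single-transaction \
        --all-databases > "$2" 2> "$2.err"
}

# Demo: write the option file to a temporary path and show its mode.
cnf=$(mktemp) && write_client_cnf "$cnf" root '1$2%3!a:b,c'
echo "$cnf: $(file_mode "$cnf")"
rm -f "$cnf"
```

run_dump is defined but not called in the demo, since it needs a reachable MySQL server.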
 
Thank you for the reply.

Yes, I know.
But this is for testing, and for comfort I use root...

So I create
nano /root/mysql_password
1$2%3!a:b,c
chmod 400 /root/mysql_password

and change the line to
$IONICE -c3 $NICE -n19 $MYSQLDUMP --user=$MYSQL_USER --password=$(cat /root/mysql_password) -P $MYSQL_PORT -h $MYSQL_HOST --routines --triggers --events --quick --single-transaction --all-databases > $MYSQL_BACKUP_DIR/$DATA-restic-alldb-backup.sql 2> $MYSQL_BACKUP_DIR/$DATA-restic-alldb-backup.sql.err

but it failed again; this is the output
Code:
+ echo '...---...---...--- Start backup' 2021-08-25--10-35
+ tee -a /tmp/2021-08-25--10-35-16881.txt
...---...---...--- Start backup 2021-08-25--10-35
+ echo '...---...---...--- Executing Restic Database Backup'
+ tee -a /tmp/2021-08-25--10-35-16881.txt
...---...---...--- Executing Restic Database Backup
++ cat /root/mysql_password
+ /usr/bin/ionice -c3 /usr/bin/nice -n19 /usr/bin/mysqldump --user=root '--password=mypa$$word' -P 3306 -h localhost --routines --triggers --events --quick --single-transaction --all-databases
+ '[' 2 -ne 0 ']'
+ echo '...---...---...--- Restic Database Backup Failed'
+ tee -a /tmp/2021-08-25--10-35-16881.txt
...---...---...--- Restic Database Backup Failed
+ echo '...---...---...--- Stop backup' 2021-08-25--10-35

I don't understand why the script "creates" a quote before --password ...

Then I create a user (non-root) and use it.

Thank you again
Alex
 
Are you sure that this is the actual error and it is not an effect of how the shell echoes the output?

I ask this because I see that things like [ and ] are also wrapped with single quotes.
  • Is there anything in the system logs related to the command itself?
  • What is the exit code of the command? Are we sure that this error is caused by mysqldump and not ionice/nice?
  • What are the contents of $MYSQL_BACKUP_DIR/$DATA-restic-alldb-backup.sql.err?
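
The question raised above can be checked directly. This added example (not part of the original posts) compares what bash -x prints with what the program receives in argv; show_argv is a hypothetical stand-in for mysqldump, and the password is the sample value from the thread.

```shell
#!/bin/bash
# Added example: xtrace display versus the real argument vector.
# Constructed sample value taken from the thread; not a real credential.
PW='1$2%3!a:b,c'

# Hypothetical stand-in for mysqldump: prints each argument it receives,
# one per line, exactly as it arrives in argv.
show_argv() {
    printf '%s\n' "$@"
}

# What "bash -x" displays for the command. The trace goes to stderr, so
# stderr is captured and stdout is discarded.
xtrace_view() {
    bash -xc 'true "$@"' _ --user=root "--password=$1" 2>&1 >/dev/null
}

# What the program actually receives as its password argument, using the
# same unquoted expansion as the script in the first post.
argv_view() {
    show_argv --user=root --password=$1 | grep -e '^--password='
}

echo "xtrace shows : $(xtrace_view "$PW")"
echo "argv contains: $(argv_view "$PW")"
```

The single quotes appear only in the trace line: bash re-quotes any traced word that contains shell metacharacters, while the argument delivered to the program has no quotes in it.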
 
OK, thank you.

The content of err is
Code:
mysqldump: Got error: 1045: "Access denied for user 'root'@'localhost' (using password: YES)" when trying to connect

But if I run the single command
Code:
/usr/bin/ionice -c3 /usr/bin/nice -n19 /usr/bin/mysqldump --user=root --password='mypa$$word' -P 3306 -h 127.0.0.1 --routines --triggers --events --quick --single-transaction --all-databases

mysqldump works fine...
 
