1

I have Bash scripts with MariaDB (not MySQL) SQL that I run with cron (not interactively) to run on a Raspberry Pi. I'm developing them in public Github just for myself - but the repo is free and public.

What can I do to keep my MariaDB credentials out of the scripts that I commit to public Github?

JohnZastrow
  • Perhaps track a version of your scripts that have fake or no credentials. Only update them with your own credentials when you want to actually run the application, but don't make that the version of the scripts that you commit/track. If you have credentials in several scripts and this is tedious, you could probably automate the setup with another script. :) – lurker Jan 10 '19 at 17:22
  • https://stackoverflow.com/questions/11575398/how-can-i-save-my-secret-keys-and-password-securely-in-my-version-control-system – phd Jan 10 '19 at 19:04
  • See if `mysql_config_editor` will solve your problem. – Rick James Jan 11 '19 at 03:16
  • Thanks. I wanted something like this, but I'm on MariaDB - not supported there :-( https://mariadb.com/kb/en/library/mysql_config_editor-compatibility/ – JohnZastrow Jan 18 '19 at 15:35

2 Answers

2

Oftentimes in this type of situation, people will keep their credentials in variables in a separate script that is sourced in by the main script. They would initially store fake credentials in the separate script, commit, stop tracking it, add it to .gitignore, and replace their credentials inside of it.

Aidan Lovelace
  • Thanks all. This (and related links above) seem to be the best compromise to what I was looking for. I was hoping for a different option specific to MariaDB, but this could work. Of course my next question is going to be how to read/bring in content from .config into the Bash script. – JohnZastrow Jan 10 '19 at 19:56
  • I ended up including my.config (a shell file with a shebang) in the project directory and sticking credentials and other sensitive variables in it. I import it into my bash script by calling source my.config near the top. Then all the variables are available throughout the script. I added .config to .gitignore, and I will maintain a config.example in the project. – JohnZastrow Jan 11 '19 at 00:02
0

I recommend pushing a dummy version of your script like this to git:

mariadb.dist.sh

#!/bin/bash
# Please copy this file to mariadb.sh
# and change the credentials
user="foo"
password="bar"

# code follows ...

In your install instructions, ask users to copy that file to mariadb.sh and change their credentials.

Additionally, add the following line to .gitignore and push the .gitignore to git as well:

mariadb.sh

This will prevent contributors from pushing their credentials to git by accident.

hek2mgl
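The sourced-credentials pattern from both answers, guarded for unattended cron runs, as an added example that is not part of the original posts: it refuses a credentials file that is missing, accessible to group/others or tracked by git, then passes the password to the client through a private option file instead of the command line. `my.config` is the file name from the comment above; the function names, `DB_USER`/`DB_PASSWORD`, `mydb` and `report.sql` are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not code from the original posts. my.config is the name used in
# the comment above; function names and DB_USER/DB_PASSWORD are assumptions.

# Refuse a credentials file that is missing, open to group/others, or tracked by git.
check_config() {
    local cfg=$1
    [ -f "$cfg" ] || { echo "$cfg missing: copy config.example and edit it" >&2; return 1; }
    case $(ls -ld -- "$cfg") in
        ????------*) ;;                      # e.g. -rw------- : owner-only access
        *) echo "$cfg is accessible by group/others: chmod 600 it" >&2; return 2 ;;
    esac
    # ls-files --error-unmatch exits 0 only when git is tracking the file.
    if git -C "$(dirname "$cfg")" ls-files --error-unmatch -- "$(basename "$cfg")" >/dev/null 2>&1; then
        echo "$cfg is tracked: git rm --cached it and add it to .gitignore" >&2; return 3
    fi
}

# Source the file only after it passes the checks, then require both variables.
load_config() {
    check_config "$1" || return
    . "$1"
    [ -n "${DB_USER:-}" ] && [ -n "${DB_PASSWORD:-}" ] || { echo "DB_USER/DB_PASSWORD not set in $1" >&2; return 4; }
}

# Write a private [client] option file so the password never shows up in the
# process list. Values are quoted so a '#' in the password is not read as a comment.
write_client_defaults() {
    local f
    f=$(umask 077; mktemp) || return 1
    printf '[client]\nuser="%s"\npassword="%s"\n' "$DB_USER" "$DB_PASSWORD" > "$f"
    echo "$f"
}

# Cron usage (mydb and report.sql are placeholders; the client is named mysql
# on older MariaDB installs):
#   load_config "$(dirname "$0")/my.config" || exit 1
#   opts=$(write_client_defaults) && trap 'rm -f "$opts"' EXIT
#   mariadb --defaults-extra-file="$opts" mydb < report.sql
```

`--defaults-extra-file` must be the first option on the client command line, and passwords containing a double quote or backslash need escaping in the option file.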