Linux – How is using a MySQL password from the command line insecure

linux, MySQL

I've got a few BASH tools that use the mysql -e "{command}" function. Entering the password every time I use these tools would be a pain, so, to avoid having the password written in a plaintext file with the code, I store it in memory (using read -s) and have BASH read it whenever it runs the commands.

MySQL still thinks the password is being submitted through the command line (because, in a manner of speaking, it is), and still gives me the error "Using a password on the command line interface can be insecure."

For my purposes, I don't need to suppress this message. What I need to know is, what is it that could make it insecure? The password is never physically visible, so shoulder-surfing couldn't do it and even someone that guessed my SSH password wouldn't be able to do it since it's stored in memory rather than in scripts themselves. Is a man-in-the-middle attack or something similar possible?

Best Answer

Anyone who can see your environment variables (including programs you run) can see the password. And anyone that can view your processes can see the command line used to run them, including the parameters.

So for a box that solely you log in to, the risk is probably insignificant. But for a targeted attack on you personally, this is a trivial attack vector in the grand scheme of things.
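The two exposures the answer describes can be seen directly. The script below is an added example, not code from the question or the answer; it uses `sh -c 'sleep 3; exit 0'` as a stand-in for the `mysql` client so it runs without MySQL installed, and `SECRET`, the function names and the password value are this example's own constructed names. It reads a background process's argument list the way any other user on the box can (`/proc/PID/cmdline` on Linux, `ps` elsewhere), then repeats the check with the password moved into a mode-0600 defaults file, and finally shows that a password in the environment (`MYSQL_PWD`, which the real client honours) is still readable from `/proc/PID/environ`.

```shell
#!/bin/sh
# Added example: where a client password leaks on a shared machine.
# `sh -c 'sleep 3; exit 0'` stands in for `mysql`; the extra words after it
# play the role of the client's arguments. SECRET is a constructed value.

SECRET='hunter2-constructed-example'

# Run "$@" in the background, capture its argv as another user would see it,
# then stop it. /proc/PID/cmdline is world-readable on Linux; `ps` is the
# portable fallback.
argv_as_seen_by_others() {
    "$@" &
    pid=$!
    sleep 0.3
    if [ -r "/proc/$pid/cmdline" ]; then
        seen=$(tr '\0' ' ' < "/proc/$pid/cmdline")
    else
        seen=$(ps -o args= -p "$pid")
    fi
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    printf '%s\n' "$seen"
}

# 1. Password passed as an argument (`mysql --password=...`): prints "yes",
#    the secret is in argv for every user on the box to read.
password_visible_in_argv() {
    if argv_as_seen_by_others sh -c 'sleep 3; exit 0' mysql \
            "--password=$SECRET" | grep -q -- "$SECRET"; then
        echo yes
    else
        echo no
    fi
}

# 2. Password in a mode-0600 defaults file, the real equivalent being
#    `mysql --defaults-extra-file="$f" -e '...'` with the file holding
#    "[client]" / "password=...": prints "no", argv carries only the path.
password_visible_with_defaults_file() {
    f=$(mktemp)
    chmod 600 "$f"
    printf '[client]\npassword=%s\n' "$SECRET" > "$f"
    if argv_as_seen_by_others sh -c 'sleep 3; exit 0' mysql \
            "--defaults-extra-file=$f" | grep -q -- "$SECRET"; then
        echo yes
    else
        echo no
    fi
    rm -f "$f"
}

# 3. Password in the environment (MYSQL_PWD): absent from argv, but on Linux
#    the same user, or root, can read it from /proc/PID/environ. Prints
#    "yes" there and "unavailable" where /proc is not mounted.
password_visible_in_environ() {
    MYSQL_PWD="$SECRET" sh -c 'sleep 3; exit 0' &
    pid=$!
    sleep 0.3
    if [ -r "/proc/$pid/environ" ]; then
        if tr '\0' '\n' < "/proc/$pid/environ" \
                | grep -q "^MYSQL_PWD=$SECRET\$"; then
            echo yes
        else
            echo no
        fi
    else
        echo unavailable
    fi
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
}

echo "argv:          $(password_visible_in_argv)"
echo "defaults file: $(password_visible_with_defaults_file)"
echo "environment:   $(password_visible_in_environ)"
```

Two practical caveats. The argument list is the worse of the two channels because `/proc/PID/cmdline` and `ps` are readable by every account on the host, while `/proc/PID/environ` is restricted to the same user and root; the current `mysql` client also overwrites the `-p` argument in its own argv after parsing it, but the password is still visible in the window before that happens and to anyone who can read `/proc` during it. Moving the password out of both channels is what `--defaults-extra-file` with a 0600 file, or `mysql_config_editor set --login-path=...` followed by `mysql --login-path=...`, achieves; the `read -s` approach in the question keeps it out of scripts on disk but not out of the argument list of each `mysql` process it launches.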