~/.mysql_history and security

    As a rule, security is inversely proportional to convenience. Keeping a history of commands that you can scroll back through in the CLI is very convenient; bash, for example, does it. The MySQL client does it too, dutifully writing every command line to ~/.mysql_history in plain text, passwords included.

    You can reduce the risk of a leak, or avoid it entirely, if (listed from the methods I consider most acceptable to the least):
    • the user's home directory has mode 700;
    • the ~/.mysql_history file has mode 600;
    • a script is run that cleans "extra" entries out of ~/.mysql_history;
    • "extra" entries are cleaned out of ~/.mysql_history by hand;
    • the ~/.mysql_history file is deleted (SecurityFocus suggests this option);
    • ~/.mysql_history is a symbolic link to /dev/null (no history at all).
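    A small POSIX shell script that checks the first, second and last options above and implements the third (cleaning credential-bearing statements out of the history file). It is added here as an example and is not part of the original post; the function names, the statement patterns it strips, and the reliance on GNU or BSD stat(1) are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): audit the protection of
# ~/.mysql_history and scrub statements that carry secrets out of it.
# Assumes POSIX sh plus GNU or BSD stat(1); all paths are parameters.

# Print a file's permission bits in octal (e.g. 600): GNU stat first, BSD fallback.
perm_bits() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Return 0 when the history cannot be read by other local users: the file is a
# symlink to /dev/null, the home directory is mode 700, or the file is mode 600.
history_is_protected() {
    home=$1; hist=$home/.mysql_history
    [ -L "$hist" ] && [ "$(readlink "$hist")" = /dev/null ] && return 0
    [ "$(perm_bits "$home")" = 700 ] && return 0
    [ -f "$hist" ] && [ "$(perm_bits "$hist")" = 600 ] && return 0
    return 1
}

# Drop statements that embed credentials (IDENTIFIED BY, PASSWORD(), SET PASSWORD,
# CREATE/ALTER USER) from the history file; the rewritten file gets mode 600.
# Prints the number of lines removed. The pattern list is a constructed choice.
scrub_history() {
    hist=$1
    [ -f "$hist" ] || { echo 0; return 0; }
    before=$(wc -l < "$hist")
    tmp=$(umask 077 && mktemp "$hist.XXXXXX") || return 1
    # grep -v exits 1 when every line was filtered out; only status 2 is an error.
    grep -ivE 'IDENTIFIED BY|PASSWORD *\(|SET PASSWORD|(CREATE|ALTER) USER' \
        "$hist" > "$tmp" || [ $? -eq 1 ]
    chmod 600 "$tmp" && mv -f "$tmp" "$hist"
    echo $((before - $(wc -l < "$hist")))
}
```

    Run the scrub from a logout hook or cron job if you want the cleanup to be automatic rather than manual.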

    From the DBMS's point of view this is not a security problem: the query history can contain information far more valuable than passwords (payment data, for example), so the developers do not special-case such statements at the level of command-history logging.

    That is really why I am raising the topic: what other options are there?

    Bonus track. While on the subject of MySQL security, I want to note that I often see root credentials in backup scripts that use mysqldump. It is a very common mistake, and it takes only a couple of commands to create a dedicated user for dumping databases:
    GRANT SELECT, LOCK TABLES ON *.* TO @localhost IDENTIFIED BY '';
    FLUSH PRIVILEGES;
