I have written a CGI script using bash which executes a MySQL query . Since my purpose is to automate a task , I had to put MySQL credentials in the script only with the password being in plain text . The issue for me is the server in question which will execute the script is a production server with outside access . I am looking for a solution where the automation remains but without supplying the password in plain text .

PS: One solution for me is to enforce strict permissions by removing all permission for others,groups with rwx for root and ownership changed to root. But since this is a CGI script, I cannot remove read and execute permission for others.

The code is as follows

#!/bin/bash

echo "Content-type: text/html"
echo ""

echo "<html>"
echo "<body>"

mysql -h $host -u root -ptest -e "select User,marks,percent from $db;" | sed  's/\t/,/g' > /tmp/out.csv `

gnuplot gnudg.sh

echo "<img src="http://172.16.0.19/report/histreport.png" alt="DG-Reports">"

echo "</body>"
echo "</html>" `

Script permission:

ls -l /var/www/cgi-bin/ssdg/ssdgplot.sh

-rwxr-xr-x 1 root root 1589 Apr 22 12:41 /var/www/cgi-bin/ssdg/ssdgplot.sh

For mysql you can use option file read from reference1, reference2 You can set values like username and password

[db-details]
user=username
password=password

and read this file for logging in to db in script. and to avoid anyone else read it except root, just the permissions as

chmod 600 option_file