MariaDB Server: MDEV-8825

mysql_upgrade leaks the admin password when it spawns a shell process to execute mysqlcheck

    Details

    • Type: Bug
    • Status: Confirmed
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 10.1, 10.0, 5.5
    • Fix Version/s: 10.1
    • Component/s: Scripts & Clients
    • Environment:
      mysql Ver 15.1 Distrib 10.0.19-MariaDB, for Linux (x86_64) using readline 5.1

      Description

      Running mysql_upgrade on a server with a large number of databases might take a while. During this time, if any user on the system does a ps axf, the user will see the mysql admin password in plain text:

      ...
       7089 ?        S      0:00  |           \_ /opt/bin/mysql_upgrade -u root -pxxxxxxxx
       7224 ?        S      0:00  |               \_ sh -c '/opt/bin/mysqlcheck' '--no-defaults' '--user=root' '--password=GiuxphAI' '--user=root'  '--check-upgrade'
       7225 ?        S      0:00  |                   \_ /opt/bin/mysqlcheck --no-defaults --user=root --password=x xxxxxx --user=root --check-upgrade --auto-repair
      ...
      

      So, although the mysqlcheck command itself hides the password in the process listing, it leaks because mysql_upgrade shells out to execute the command. A possible fix (although I don't know anything about the MariaDB code) is to avoid shelling out and do a fork+exec instead.
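As an added example of the fork+exec approach the reporter suggests (illustration only, not MariaDB's code; function names are hypothetical), the C program below launches a child from an explicit argv array with no intermediate sh -c, and shows the in-place argv masking that mysqlcheck relies on to hide its own password from ps.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Overwrite the secret in a "--password=SECRET" argument with 'x' in place,
 * the same idea the MariaDB clients use so ps(1) shows "--password=xxxxxxxx".
 * Returns the number of characters masked, 0 if not a --password= option.
 * A reader of /proc/PID/cmdline can still race the mask before main() runs. */
int mask_password_arg(char *arg) {
    static const char prefix[] = "--password=";
    size_t plen = sizeof(prefix) - 1;
    if (strncmp(arg, prefix, plen) != 0) return 0;
    int masked = 0;
    for (char *p = arg + plen; *p != '\0'; p++) {
        *p = 'x';
        masked++;
    }
    return masked;
}

/* Launch argv[] directly with fork+execvp. system()/popen() would first spawn
 * "sh -c '<whole command line>'" and leave that sh process, holding the
 * unmasked password, visible until the child exits; here no intermediary
 * ever holds the secret. Returns the child's exit status, 127 if exec failed,
 * or -1 on fork/wait error. */
int run_without_shell(char *const argv[]) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed placeholder credential; not a real secret. */
    char pw[] = "--password=EXAMPLE_SECRET";
    printf("masked %d chars -> %s\n", mask_password_arg(pw), pw);
    /* Run a harmless command from an explicit argv array, no shell involved. */
    char *const argv[] = {"true", NULL};
    printf("exit status: %d\n", run_without_shell(argv));
    return 0;
}
```

Masking narrows the exposure window but does not close it; keeping the password out of argv altogether (an option file with restrictive permissions, or a pipe to the child) is what removes it from the process listing entirely.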


            Activity

            elenst Elena Stepanova added a comment -

            Thanks for the report.

            Same with MySQL 5.6, but MySQL 5.7 does it differently.


              People

              • Assignee: serg Sergei Golubchik
              • Reporter: lonetwin lonetwin