MariaDB Server / MDEV-20125

Redact MYSQL_PWD environment variable under Linux


    Details

      Description

      Under Linux, when using the mysql client binary, passing the
      password via the MYSQL_PWD environment variable is more secure
      than passing it on the command line with the --password option,
      because:

      - the argument vector is world-readable via /proc/$pid/cmdline;
        although the mysql process overwrites the command-line password
        (with a bunch of x characters), there is still a time window
        between process start and the overwrite during which any user
        can observe the password;
      - in contrast, the environment vector is only readable by the
        user invoking mysql and by root.

      But having the password in clear text easily accessible via
      /proc/$pid/environ (or via an equivalent ps command) - even for a
      restricted set of users - for the complete mysql client runtime
      is suboptimal on sensitive systems.

      As a defense-in-depth measure, this change redacts the MYSQL_PWD
      environment variable under Linux. This increases the effort an
      attacker needs to read out the password (compared to simply
      reading /proc/$pid/environ).

      This change complements how the mysql client deals with
      passwords supplied on the command line (cf. the --password option).
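      The in-place overwrite this relies on, as an added C illustration
      (not the MariaDB patch itself): /proc/<pid>/environ reads the
      process's original environment memory, and setenv() only swaps the
      pointer in environ, so the value bytes have to be overwritten where
      they sit after taking a private copy. The function name
      redact_env_var and the 60-second sleep are assumptions for the demo.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

/* Find NAME in the process environment, return a heap copy of its value
 * (caller wipes and frees it) and overwrite the original value bytes with
 * 'x'.  Returns NULL when NAME is unset or the copy fails; in the latter
 * case nothing is redacted, so the password is never lost. */
char *redact_env_var(const char *name)
{
    size_t name_len = strlen(name);

    for (char **ep = environ; ep != NULL && *ep != NULL; ep++) {
        if (strncmp(*ep, name, name_len) != 0 || (*ep)[name_len] != '=')
            continue;
        char *value = *ep + name_len + 1;
        char *copy = strdup(value);
        if (copy == NULL)
            return NULL;
        /* /proc/<pid>/environ exposes exactly this memory, so the
         * overwrite must happen in place, not via setenv(). */
        memset(value, 'x', strlen(value));
        return copy;
    }
    return NULL;
}

int main(void)
{
    char *pwd = redact_env_var("MYSQL_PWD");
    if (pwd == NULL) {
        fputs("MYSQL_PWD is not set\n", stderr);
        return 1;
    }
    printf("got %zu-byte password; environment now shows MYSQL_PWD=%s\n",
           strlen(pwd), getenv("MYSQL_PWD"));
    /* ...connect using pwd..., then wipe the private copy before freeing
     * (a real client would use explicit_bzero() so the wipe is not
     * optimised away). */
    memset(pwd, 0, strlen(pwd));
    free(pwd);
    /* Stay alive so /proc/$(pidof ...)/environ can be inspected from
     * another terminal, as in the test steps below. */
    sleep(60);
    return 0;
}
```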

      To test this change:

      Create a DB test user, say juser.

      Connect with the command line client, e.g.:

      $ MYSQL_PWD=geheim /path/to/bin/mysql --socket path/to/mysql.socket --user juser

      Check (in another terminal) that the environment variable is indeed redacted, e.g.:

      $ < /proc/$(pidof mysql)/environ tr '\0' '\n' | grep MYSQL_PWD
      MYSQL_PWD=xxxxxx

              People

              Assignee: Vicențiu Ciorbaru (cvicentiu)
              Reporter: Anel Husakovic (anel)