Details
Type: Task
Status: Closed
Priority: Major
Resolution: Won't Fix
Description
Under Linux, when using the mysql client binary, passing the password via the MYSQL_PWD environment variable is more secure than passing it on the command line with the --password option, because:
- the argument vector is world-readable via /proc/$pid/cmdline; although the mysql process overwrites the command-line password (with a run of x characters), there is still a time window between process start and that overwrite during which any user can observe the password,
- in contrast, the environment vector is only readable by the user invoking mysql and by root.
But having the password in clear text easily accessible via /proc/$pid/environ (or via an equivalent ps command) - even for a restricted set of users - for the complete mysql client runtime is suboptimal on sensitive systems.
As a defense-in-depth measure, this change redacts the MYSQL_PWD
environment variable under Linux. Thus, this increases the effort
for an attacker to read out the password (in contrast to just
being able to read out /proc/$pid/environ).
This change complements how the mysql client deals with
passwords supplied on the command line (cf. the --password option).
To test this change:
- Create a DB test user, say juser.
- Connect with the command line client, e.g.:
  $ MYSQL_PWD=geheim /path/to/bin/mysql --socket path/to/mysql.socket --user juser
- Check (in another terminal) that the environment variable is indeed redacted, e.g.:
  $ < /proc/$(pidof mysql)/environ tr '\0' '\n' | grep MYSQL_PWD
  MYSQL_PWD=xxxxxx
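As an added illustration (not the patch attached to this issue and not MariaDB/MySQL code), the following C program shows how the redaction described above can be done under Linux: the value is copied out for the client's own use and then overwritten in place, because /proc/$pid/environ reads the original bytes out of process memory. The function name redact_env_var and the 60-second pause in main are my own choices.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

/* Copy the value of NAME into out (at most outlen-1 bytes), then overwrite
 * the value bytes in the environment block itself with 'x', mirroring what
 * the mysql client does to the --password argument in argv.
 * Returns 1 if the variable was found, 0 otherwise.
 * The in-place overwrite matters: unsetenv() only drops the pointer from
 * environ and leaves the original bytes, which /proc/$pid/environ reads
 * straight out of process memory, untouched. */
int redact_env_var(const char *name, char *out, size_t outlen)
{
    size_t nlen = strlen(name);
    for (char **e = environ; e && *e; e++) {
        if (strncmp(*e, name, nlen) != 0 || (*e)[nlen] != '=')
            continue;
        char *value = *e + nlen + 1;
        if (out && outlen > 0) {
            strncpy(out, value, outlen - 1);
            out[outlen - 1] = '\0';
        }
        /* volatile so the compiler cannot drop the scrub as a dead store */
        volatile char *p = value;
        while (*p)
            *p++ = 'x';
        return 1;
    }
    return 0;
}

int main(void)
{
    char pw[128];
    if (!redact_env_var("MYSQL_PWD", pw, sizeof pw)) {
        fprintf(stderr, "MYSQL_PWD is not set\n");
        return 1;
    }
    printf("read a %zu-byte password; MYSQL_PWD now reads \"%s\"\n",
           strlen(pw), getenv("MYSQL_PWD"));
    /* Stay alive so the result can be checked from another terminal with
     *   < /proc/$(pidof a.out)/environ tr '\0' '\n' | grep MYSQL_PWD */
    sleep(60);
    return 0;
}
```

As with the argv case described in this issue, a short window remains between exec and the overwrite during which the original value is still visible, so this is a defense-in-depth measure rather than a replacement for keeping the password out of the environment.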