MariaDB Server / MDEV-24979

MariaDB Galera: wsrep_sst_auth shown in logs

Details

    Description

      We are launching a MariaDB Galera cluster and we are using the --wsrep_sst_auth flag. According to the documentation:

      >wsrep_sst_auth
      >Description: Username and password of the user to use for replication. Unused if wsrep_sst_method is set to rsync, while for other methods it should be in the format <user>:.<password>. The contents are masked in logs and when querying the value with SHOW VARIABLES. See Introduction to State Snapshot Transfers (SSTs) for more information.
      

      However, when I check the logs, it is clearly visible:

      gale-mariadb-galera-0 mariadb-galera 2021-02-25  9:31:11 0 [Note] WSREP: Running: 'wsrep_sst_mariabackup --role 'donor' --address '172.17.0.5:4444/xtrabackup_sst//1' --socket '/opt/bitnami/mariadb/tmp/mysql.sock' --datadir '/bitnami/mariadb/data/' --defaults-file '/opt/bitnami/mariadb/conf/my.cnf' --gtid '041c8ea1-774c-11eb-be7b-7b7e68f21476:15' --gtid-domain-id '0' --binlog 'mysql-bin' --mysqld-args --defaults-file=/opt/bitnami/mariadb/conf/my.cnf --basedir=/opt/bitnami/mariadb --datadir=/bitnami/mariadb/data --socket=/opt/bitnami/mariadb/tmp/mysql.sock --pid-file=/opt/bitnami/mariadb/tmp/mysqld.pid --wsrep_node_name=gale-mariadb-galera-0 --wsrep_node_address=172.17.0.3 --wsrep_cluster_name=galera --wsrep_cluster_address=gcomm:// --wsrep_sst_method=mariabackup --wsrep_sst_auth=mariabackup:sO2AYgc5R7'
      

      Check the last part of the command. As you can see, the password is shown in the logs, which is a vulnerability. Would it be possible for that flag to be properly masked?

      This is the command that is being run:

      1001           1  0.1  2.3 4604440 192204 ?      Ssl  09:30   0:01 /opt/bitnami/mariadb/sbin/mysqld --defaults-file=/opt/bitnami/mariadb/conf/my.cnf --basedir=/opt/bitnami/mariadb --datadir=/bitnami/mariadb/data --socket=/opt/bitnami/mariadb/tmp/mysql.sock --pid-file=/opt/bitnami/mariadb/tmp/mysqld.pid --wsrep_node_name=gale-mariadb-galera-1 --wsrep_node_address=172.17.0.4 --wsrep_cluster_name=galera --wsrep_cluster_address=gcomm://gale-mariadb-galera-headless.default.svc.cluster.local --wsrep_sst_method=mariabackup --wsrep_sst_auth=mariabackup:sO2AYgc5R7
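
A check for the exposure reported above, run over log lines and process listings. This is an added example, not part of the original report and not MariaDB code. The function names and the sample lines are constructed for illustration, and the pattern assumes the credential value ends at whitespace or a quote character.

```python
import re

# Matches --wsrep_sst_auth or --wsrep-sst-auth, followed by '=' or a space,
# then user:password. Assumption: the value ends at whitespace or a quote.
SST_AUTH = re.compile(
    r"(?P<opt>--wsrep[_-]sst[_-]auth)(?P<sep>=|\s+)"
    r"(?P<user>[^:\s'\"]+):(?P<secret>[^\s'\"]+)"
)
MASK = "********"


def redact_sst_auth(line):
    """Return the line with every SST password replaced by a fixed mask."""
    return SST_AUTH.sub(
        lambda m: f"{m['opt']}{m['sep']}{m['user']}:{MASK}", line
    )


def find_exposures(lines):
    """Return (line_number, user) for each cleartext SST password found.

    The password itself is never returned, so the report is safe to store.
    """
    hits = []
    for number, line in enumerate(lines, start=1):
        for m in SST_AUTH.finditer(line):
            if m["secret"] != MASK:  # already-masked values are not findings
                hits.append((number, m["user"]))
    return hits


# Constructed sample input: a donor log line, a ps line, a harmless line,
# and a line that is already masked.
SAMPLE = [
    "2021-01-01  0:00:00 0 [Note] WSREP: Running: 'wsrep_sst_mariabackup "
    "--role 'donor' --mysqld-args --wsrep_sst_method=mariabackup "
    "--wsrep_sst_auth=sstuser:EXAMPLE-PASSWORD'",
    "1001 1 0.1 2.3 ? Ssl 09:30 0:01 /usr/sbin/mysqld "
    "--wsrep-sst-auth sstuser:EXAMPLE-PASSWORD --wsrep_cluster_name=galera",
    "2021-01-01  0:00:01 0 [Note] WSREP: wsrep_sst_method=mariabackup",
    "2021-01-01  0:00:02 0 [Note] args: --wsrep_sst_auth=sstuser:********",
]

if __name__ == "__main__":
    for number, user in find_exposures(SAMPLE):
        print(f"line {number}: cleartext SST password for user {user!r}")
    for line in SAMPLE:
        print(redact_sst_auth(line))
```
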
      

          People

            sysprg Julius Goryavsky
            javsalgar Javier J. Salmeron-Garcia