Running mysql_upgrade on a server with a large number of database might take a while. During this time, if any user on the system does a ps axf, the user will see the mysql admin password in plain text:
...
|
7089 ? S 0:00 | \_ /opt/bin/mysql_upgrade -u root -pxxxxxxxx
|
7224 ? S 0:00 | \_ sh -c '/opt/bin/mysqlcheck' '--no-defaults' '--user=root' '--password=GiuxphAI' '--user=root' '--check-upgrade'
|
7225 ? S 0:00 | \_ /opt/bin/mysqlcheck --no-defaults --user=root --password=x xxxxxx --user=root --check-upgrade --auto-repair
|
...
|
So, although the mysqlcheck command itself hides the password in the process listing, it leaks because myslq_upgrade shell out to execute the command. A possible fix (although I don't know anything about mariadb code) is to avoid shell-ing out and doing a fork+exec instead.
Bug
Major
