[MDEV-9042] CREATE USER passwords being written to bin log in clear text - Jira

XML

Word

Printable

Details

Type: New Feature
Status: Open (View Workflow)
Priority: Major
Resolution: Unresolved
Fix Version/s: None
Component/s: Admin statements
Labels:
- security
- upstream-fixed

Description

Issuing a CREATE USER command on a MariaDB 10.0 database setup for row based replication using GTID causes the statement to be written to the binlog in clear text, a security risk.

– From the binlog:

#151026 12:37:44 server id 122  end_log_pos 1071839282  Query   thread_id=58251 exec_time=0     error_code=0

SET TIMESTAMP=1445888264/*!*/;

SET @@session.pseudo_thread_id=58251/*!*/;

SET @@session.foreign_key_checks=1, @@session.sql_auto_is_null=0, @@session.unique_checks=1, @@session.autocommit=1/*!*/;

SET @@session.sql_mode=0/*!*/;

SET @@session.auto_increment_increment=1, @@session.auto_increment_offset=1/*!*/;

/*!\C utf8 *//*!*/;

SET @@session.character_set_client=33,@@session.collation_connection=33,@@session.collation_server=8/*!*/;

SET @@session.lc_time_names=0/*!*/;

SET @@session.collation_database=DEFAULT/*!*/;

CREATE USER 'testuser'@'%' IDENTIFIED BY 'my_password_in_clear_text'

/*!*/;

DELIMITER ;

# End of log file

ROLLBACK /* added by mysqlbinlog */;

/*!50003 SET COMPLETION_TYPE=@OLD_COMPLETION_TYPE*/;

/*!50530 SET @@SESSION.PSEUDO_SLAVE_MODE=0*/;

######################################

relevant settings from my.cnf.d/server.cnf

--------------------------------------------

#-----------------------------------

# MASTER REPLICATION OPTIONS

#-----------------------------------

server_id =                                     122

gtid-domain-id=                                 0

log-bin=                                        mariadb.bin

log-basename=                                   ds

binlog-do-db=                                   positioning

binlog-format=                                  ROW

sync_binlog =                                   1

#-----------------------------------

# SLAVE REPLICATION OPTIONS

#-----------------------------------

relay-log-index =                               relay-bin.index

relay-log =                                     relay-bin

replicate-events-marked-for-skip=               FILTER_ON_MASTER

replicate-do-db=                                positioning

log-slave-updates=                              1

gtid-strict-mode=                               1

slave_skip_errors =                             all

innodb_flush_log_at_trx_commit=                 1

slave_parallel_threads =                        4

slave_parallel_max_queued=                      100031072

Attachments

Issue Links

duplicates

MDEV-28016 CREATE USER replicated with clear text password

Closed

is duplicated by

MDEV-9016 Account Management Commands being written to binlog

Closed

MDEV-10584 Obscure plain text passwords from server logs

Open

MDEV-20182 User Password Display in Error

Closed

MDEV-24032 Password's are getting logged in the db log when installing openstack.

Closed

Activity

People

Assignee:: Sergei Golubchik

Reporter:: Mark Punak

Votes:: 1 Vote for this issue

Watchers:: 8 Start watching this issue

Dates

Created:: 2015-10-30 01:54

Updated:: 2024-09-05 19:29

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.