MariaDB Server / MDEV-9042

CREATE USER passwords being written to bin log in clear text


      Description

      Issuing a CREATE USER command on a MariaDB 10.0 database set up for row-based replication using GTID causes the statement to be written to the binlog in clear text, a security risk.

      – From the binlog:

      #151026 12:37:44 server id 122  end_log_pos 1071839282  Query   thread_id=58251 exec_time=0     error_code=0
      SET TIMESTAMP=1445888264/*!*/;
      SET @@session.pseudo_thread_id=58251/*!*/;
      SET @@session.foreign_key_checks=1, @@session.sql_auto_is_null=0, @@session.unique_checks=1, @@session.autocommit=1/*!*/;
      SET @@session.sql_mode=0/*!*/;
      SET @@session.auto_increment_increment=1, @@session.auto_increment_offset=1/*!*/;
      /*!\C utf8 *//*!*/;
      SET @@session.character_set_client=33,@@session.collation_connection=33,@@session.collation_server=8/*!*/;
      SET @@session.lc_time_names=0/*!*/;
      SET @@session.collation_database=DEFAULT/*!*/;
      CREATE USER 'testuser'@'%' IDENTIFIED BY 'my_password_in_clear_text'
      /*!*/;
      DELIMITER ;
      # End of log file
      ROLLBACK /* added by mysqlbinlog */;
      /*!50003 SET COMPLETION_TYPE=@OLD_COMPLETION_TYPE*/;
      /*!50530 SET @@SESSION.PSEUDO_SLAVE_MODE=0*/;

      ######################################

      relevant settings from my.cnf.d/server.cnf

      --------------------------------------------
      #-----------------------------------
      # MASTER REPLICATION OPTIONS
      #-----------------------------------
      server_id =                                     122
      gtid-domain-id=                                 0
       
      log-bin=                                        mariadb.bin
      log-basename=                                   ds
      binlog-do-db=                                   positioning
      binlog-format=                                  ROW
      sync_binlog =                                   1
       
      #-----------------------------------
      # SLAVE REPLICATION OPTIONS
      #-----------------------------------
      relay-log-index =                               relay-bin.index
      relay-log =                                     relay-bin
       
      replicate-events-marked-for-skip=               FILTER_ON_MASTER   
      replicate-do-db=                                positioning
       
      log-slave-updates=                              1
      gtid-strict-mode=                               1
       
      slave_skip_errors =                             all
      innodb_flush_log_at_trx_commit=                 1
       
      slave_parallel_threads =                        4
      slave_parallel_max_queued=                      100031072
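
An audit check for the exposure reported above, added here as an example (not part of the original report and not MariaDB code): it scans the text output of mysqlbinlog for `IDENTIFIED BY '<literal>'`, reports the event position, and redacts the literal. The names `scan`, `SAMPLE`, `CLEARTEXT` and `HEADER` are assumptions of this example, and the sample lines are constructed in the shape of the excerpt in the report.

```python
import re

# Constructed sample in the shape of the mysqlbinlog output quoted in the report.
SAMPLE = """\
#151026 12:37:44 server id 122  end_log_pos 1071839282  Query   thread_id=58251 exec_time=0     error_code=0
SET TIMESTAMP=1445888264/*!*/;
CREATE USER 'testuser'@'%' IDENTIFIED BY 'my_password_in_clear_text'
/*!*/;
#151026 12:40:02 server id 122  end_log_pos 1071839410  Query   thread_id=58251 exec_time=0     error_code=0
CREATE USER 'hashed'@'%' IDENTIFIED BY PASSWORD '*CONSTRUCTED_HASH_PLACEHOLDER'
/*!*/;
"""

# A quoted SQL string literal, allowing \' and '' escapes inside it.
_LIT = r"'(?:[^'\\]|\\.|'')*'"
# Cleartext form: IDENTIFIED BY followed directly by a literal.
# IDENTIFIED BY PASSWORD '<hash>' does not match, since PASSWORD is not a quote.
CLEARTEXT = re.compile(r"(\bIDENTIFIED\s+BY\s+)" + _LIT, re.IGNORECASE)
# Event header line: date, time, server id, end_log_pos.
HEADER = re.compile(r"^#\d{6}\s+[\d:]+\s+server id\s+(\d+)\s+end_log_pos\s+(\d+)")


def scan(text):
    """Return (findings, redacted_text) for mysqlbinlog text output.

    Line-based: the IDENTIFIED BY clause and its literal must be on one line.
    """
    findings, out = [], []
    server_id = end_pos = None
    for lineno, line in enumerate(text.splitlines(), 1):
        m = HEADER.match(line)
        if m:  # remember which event the following statement belongs to
            server_id, end_pos = int(m.group(1)), int(m.group(2))
        redacted, n = CLEARTEXT.subn(r"\1'<redacted>'", line)
        if n:
            findings.append({"line": lineno, "server_id": server_id,
                             "end_log_pos": end_pos, "statement": redacted})
        out.append(redacted)
    return findings, "\n".join(out)


if __name__ == "__main__":
    hits, _ = scan(SAMPLE)
    for h in hits:
        print(h)
```

Only the redacted statement is stored in each finding, so the scanner's own report does not become another copy of the password.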


              People

              Assignee:
              serg Sergei Golubchik
              Reporter:
              MarkP Mark Punak