Description
If the username and password are passed to maxctrl on the command line, they will be visible if someone executes ps -ef. Since maxctrl is a script this is impossible to prevent. If maxctrl was a native executable, the command line arguments could be overwritten, so that ps -ef would not reveal the arguments. However, there is a race; a ps -ef executed after the process was launched, but before the process has had time to overwrite the arguments would still reveal the password. So, passing a password on the command line is inherently insecure.
To alleviate the issue, it should be possible to specify the username and password using environment variables. That could be used like:
MAXSCALE_PASSWORD=mypassword maxctrl
Since the environment can not be accessed using ps or anything else, the password could not leak.
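A sketch of the requested behaviour for a Node.js CLI such as maxctrl, added here as an example and not MaxScale's own code. `MAXSCALE_PASSWORD` is the variable named above; `MAXSCALE_USER`, the `-u/--user` and `-p/--password` spellings, the function names, and the choice to let an explicit option override the environment are assumptions.

```javascript
// Added example: hypothetical credential resolution for a maxctrl-like CLI.
const PASSWORD_FLAGS = ['-p', '--password']; // assumed option spellings
const USER_FLAGS = ['-u', '--user'];         // assumed option spellings

// Find an option value in argv: "--flag value", "--flag=value" or "-pvalue".
function optionValue(argv, flags) {
  for (let i = 0; i < argv.length; i++) {
    const arg = argv[i];
    for (const flag of flags) {
      if (arg === flag) return argv[i + 1];
      const isLong = flag.startsWith('--');
      if (isLong && arg.startsWith(flag + '=')) return arg.slice(flag.length + 1);
      if (!isLong && arg.startsWith(flag) && arg.length > flag.length) {
        return arg.slice(flag.length);
      }
    }
  }
  return undefined;
}

// Resolve user and password from argv and env, recording where the password
// came from and warning when it was exposed through the argument list.
function resolveCredentials(argv, env) {
  const warnings = [];
  const argvPassword = optionValue(argv, PASSWORD_FLAGS);
  const envPassword = env.MAXSCALE_PASSWORD;
  const argvUser = optionValue(argv, USER_FLAGS);
  const user = argvUser !== undefined ? argvUser : env.MAXSCALE_USER; // assumed name

  let password, passwordSource;
  if (argvPassword !== undefined) {
    // An explicit option wins, but the caller is told it is visible to ps -ef.
    password = argvPassword;
    passwordSource = 'argv';
    warnings.push('password passed on the command line is visible in ps -ef; ' +
                  'set MAXSCALE_PASSWORD instead');
  } else if (envPassword !== undefined) {
    password = envPassword;
    passwordSource = 'env';
  }
  // Drop the secret from this env object so that child processes spawned
  // with it later do not inherit the password.
  delete env.MAXSCALE_PASSWORD;
  return { user, password, passwordSource, warnings };
}

// Constructed sample input, equivalent to: MAXSCALE_PASSWORD=mypassword maxctrl list servers
console.log(resolveCredentials(['list', 'servers'], { MAXSCALE_PASSWORD: 'mypassword' }));
```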
Issue Links
- relates to MXS-5559 maxctrl does not obfuscate password in ps output (Closed)