[MDEV-23266] Display the hashed password only for SUPER user Created: 2020-07-22  Updated: 2023-11-30

Status: Stalled
Project: MariaDB Server
Component/s: Authentication and Privilege System, Server
Fix Version/s: None

Type: New Feature Priority: Critical
Reporter: Anel Husakovic Assignee: Ralf Gebhardt
Resolution: Unresolved Votes: 0
Labels: None

Issue Links:
Relates
relates to MDEV-26255 show the authentication info in SHOW ... Confirmed

Description

Displaying the hashed password is a security vulnerability flag. This would prevent obtaining FedRamp compliance approval.

Especially when using a proxied user, it should not be possible to see the hashed password of the real user. Regardless of the difficulty of determining the real password from the hashed password, this exposure should be prevented.
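As an added illustration (not part of the issue text or MariaDB's own code), the following SQL shows the two statements the request is about and how a DBA can audit who holds the proxy and SUPER privileges involved. It assumes MariaDB 10.4 or later (where `mysql.user` is a view over `mysql.global_priv`); the account names and passwords are constructed for the example.

```sql
-- Constructed setup: a real account and a second account allowed to act as it.
CREATE USER IF NOT EXISTS 'app_real'@'%'  IDENTIFIED BY 'constructed-secret';
CREATE USER IF NOT EXISTS 'app_proxy'@'%' IDENTIFIED BY 'constructed-other';
GRANT PROXY ON 'app_real'@'%' TO 'app_proxy'@'%';

-- 1. The statements the issue discusses. In current MariaDB both echo the
--    stored hash as IDENTIFIED BY PASSWORD '*...' to any account allowed
--    to run them for that user.
SHOW CREATE USER 'app_real'@'%';
SHOW GRANTS FOR 'app_real'@'%';

-- 2. Audit: which accounts may act as (proxy for) another account, and
--    therefore have an interest in that account's hash being hidden?
SELECT User, Host, Proxied_user, Proxied_host, With_grant
FROM   mysql.proxies_priv
WHERE  Proxied_user <> '';          -- skip the wildcard/anonymous proxy row

-- 3. Audit: which accounts hold SUPER, the privilege the issue title
--    proposes as the gate for seeing hashes at all?
SELECT CONCAT(User, '@', Host) AS account
FROM   mysql.user
WHERE  Super_priv = 'Y';

-- Clean up the constructed accounts.
DROP USER IF EXISTS 'app_proxy'@'%', 'app_real'@'%';
```

Run the two audit queries periodically as part of a privilege review; a short result set for query 3 is what keeps any hash-visibility rule tied to SUPER meaningful in practice.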



Comments
Comment by Sergei Golubchik [ 2021-03-05 ]

There's been no more info for half a year.
In the absence of clarity about what rules SHOW GRANTS and SHOW CREATE USER violate, we cannot decide what the correct behavior should be.
Even for proxy users it's arguable. One can say that if a user can login as xxx, then she should be able to see xxx password hash.

Generated at Thu Feb 08 09:21:07 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.