[MDEV-24979] MariaDB Galera: wsrep_sst_auth shown in logs Created: 2021-02-25  Updated: 2021-05-10  Resolved: 2021-05-09

Status: Closed
Project: MariaDB Server
Component/s: Galera, Galera SST
Affects Version/s: 10.5.9
Fix Version/s: 10.5.11

Type: Bug Priority: Major
Reporter: Javier J. Salmeron-Garcia Assignee: Julius Goryavsky
Resolution: Fixed Votes: 0
Labels: security
Environment:

Kubernetes



Description

We are launching a MariaDB Galera cluster and we are using the --wsrep_sst_auth flag. According to the documentation

> wsrep_sst_auth
> Description: Username and password of the user to use for replication. Unused if wsrep_sst_method is set to rsync, while for other methods it should be in the format <user>:<password>. The contents are masked in logs and when querying the value with SHOW VARIABLES. See Introduction to State Snapshot Transfers (SSTs) for more information.

However, when I check the logs, it is clearly visible:

gale-mariadb-galera-0 mariadb-galera 2021-02-25  9:31:11 0 [Note] WSREP: Running: 'wsrep_sst_mariabackup --role 'donor' --address '172.17.0.5:4444/xtrabackup_sst//1' --socket '/opt/bitnami/mariadb/tmp/mysql.sock' --datadir '/bitnami/mariadb/data/' --defaults-file '/opt/bitnami/mariadb/conf/my.cnf' --gtid '041c8ea1-774c-11eb-be7b-7b7e68f21476:15' --gtid-domain-id '0' --binlog 'mysql-bin' --mysqld-args --defaults-file=/opt/bitnami/mariadb/conf/my.cnf --basedir=/opt/bitnami/mariadb --datadir=/bitnami/mariadb/data --socket=/opt/bitnami/mariadb/tmp/mysql.sock --pid-file=/opt/bitnami/mariadb/tmp/mysqld.pid --wsrep_node_name=gale-mariadb-galera-0 --wsrep_node_address=172.17.0.3 --wsrep_cluster_name=galera --wsrep_cluster_address=gcomm:// --wsrep_sst_method=mariabackup --wsrep_sst_auth=mariabackup:sO2AYgc5R7'

Check the last part of the command. As you can see, the password is shown in the logs, which is a vulnerability. Would it be possible for that flag to be properly masked?

This is the command that is being run:

1001           1  0.1  2.3 4604440 192204 ?      Ssl  09:30   0:01 /opt/bitnami/mariadb/sbin/mysqld --defaults-file=/opt/bitnami/mariadb/conf/my.cnf --basedir=/opt/bitnami/mariadb --datadir=/bitnami/mariadb/data --socket=/opt/bitnami/mariadb/tmp/mysql.sock --pid-file=/opt/bitnami/mariadb/tmp/mysqld.pid --wsrep_node_name=gale-mariadb-galera-1 --wsrep_node_address=172.17.0.4 --wsrep_cluster_name=galera --wsrep_cluster_address=gcomm://gale-mariadb-galera-headless.default.svc.cluster.local --wsrep_sst_method=mariabackup --wsrep_sst_auth=mariabackup:sO2AYgc5R7
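A defender-side check, added here as an example and not part of the report or of MariaDB's own code: it masks the password in the two places the report shows it in the clear (the logged `wsrep_sst_mariabackup` command and the mysqld argument list) and flags any line still carrying one. The sample lines and the password value are constructed.

```python
import re

# Matches --wsrep_sst_auth=<user>:<password> as it appears both in mysqld's
# argument list and inside the single-quoted SST command that WSREP logs.
# The password runs to the next whitespace or closing quote (assumption:
# the value itself contains neither).
_SST_AUTH_RE = re.compile(r"(--wsrep_sst_auth=)([^\s'\":]+):([^\s']*)")
_MASK = "********"


def redact_sst_auth(line: str) -> str:
    """Return the line with the SST password masked; the user name is kept."""
    return _SST_AUTH_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}:{_MASK}", line)


def find_exposed_sst_auth(lines):
    """Return (line_number, user) for every line carrying a plaintext SST password."""
    hits = []
    for n, line in enumerate(lines, start=1):
        m = _SST_AUTH_RE.search(line)
        if m and m.group(3) and m.group(3) != _MASK:
            hits.append((n, m.group(2)))
    return hits


# Constructed sample: a WSREP "Running:" line, a ps-style mysqld command line,
# and an unrelated line. EXAMPLE_PASSWORD is a made-up placeholder.
SAMPLE_LOG = [
    "2021-02-25  9:31:11 0 [Note] WSREP: Running: 'wsrep_sst_mariabackup --role 'donor' "
    "--mysqld-args --defaults-file=/etc/my.cnf --wsrep_sst_method=mariabackup "
    "--wsrep_sst_auth=mariabackup:EXAMPLE_PASSWORD'",
    "/usr/sbin/mysqld --wsrep_cluster_address=gcomm:// --wsrep_sst_auth=sstuser:EXAMPLE_PASSWORD",
    "2021-02-25  9:31:12 0 [Note] WSREP: SST complete",
]

if __name__ == "__main__":
    for n, user in find_exposed_sst_auth(SAMPLE_LOG):
        print(f"line {n}: plaintext SST password for user {user!r}")
    for line in SAMPLE_LOG:
        print(redact_sst_auth(line))
```

Running the detector over `ps` output catches the second exposure the report shows (the process argument list), which log masking alone does not fix.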



Comments
Comment by Julius Goryavsky [ 2021-05-09 ]

This problem was solved together with the transition of passing authentication parameters through the environment, which works successfully after MDEV-25321 and was finalized within the framework of MDEV-24962.

Generated at Thu Feb 08 09:34:10 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.