[MDEV-3892] Cleartext logging of passwords / workaround (MySQL issue 57220)

Created: 2012-11-28 | Updated: 2020-10-27

| Field | Value |
|---|---|
| Status | Open |
| Project | MariaDB Server |
| Component/s | None |
| Fix Version/s | None |
| Type | Task |
| Priority | Minor |
| Reporter | BitSmid |
| Assignee | Unassigned |
| Resolution | Unresolved |
| Votes | 0 |
| Labels | None |
Description

I wrote a small command-line utility to be able to calculate the standard MySQL hashes that are used for logins, without the need for a database connection. This way, plain text passwords need not be sent to the server or be logged in the query log. The utility can generate a hash, generate SQL or "fix" plain text passwords in SQL. Man pages in English and Dutch are included.
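The hash the reporter describes is the `mysql_native_password` scheme: `'*'` followed by the upper-case hex of SHA1(SHA1(password)). The following is an added example written for this page, not the reporter's utility: it computes that hash offline and rewrites `IDENTIFIED BY '<plain>'` clauses in a SQL batch into `IDENTIFIED BY PASSWORD '<hash>'`, so the cleartext never reaches the server or its query log. It assumes the target server uses `mysql_native_password` and accepts the `IDENTIFIED BY PASSWORD` syntax (MariaDB and MySQL of that era); the sample SQL is constructed.

```python
import hashlib
import re

# Added example, not the reporter's tool: offline mysql_native_password hashing.


def mysql_native_hash(password: str) -> str:
    """Return the 41-character value stored in mysql.user for
    mysql_native_password: '*' + upper-case hex of SHA1(SHA1(password))."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()   # raw 20 bytes
    return "*" + hashlib.sha1(inner).hexdigest().upper()


# A single-quoted SQL string literal; a doubled '' inside it stands for one quote.
_LITERAL = r"'((?:[^']|'')*)'"
# Matches IDENTIFIED BY '<plain>' but not IDENTIFIED BY PASSWORD '<hash>',
# so clauses that already carry a hash are left untouched.
_IDENT_BY = re.compile(r"IDENTIFIED\s+BY\s+" + _LITERAL, re.IGNORECASE)


def rewrite_plaintext_passwords(sql: str) -> str:
    """Replace every IDENTIFIED BY '<plain>' in a SQL batch with
    IDENTIFIED BY PASSWORD '<hash>'. The hash is pure hex, so it needs
    no further quoting."""
    def _sub(m: "re.Match[str]") -> str:
        plain = m.group(1).replace("''", "'")   # undo SQL quote escaping
        return "IDENTIFIED BY PASSWORD '%s'" % mysql_native_hash(plain)
    return _IDENT_BY.sub(_sub, sql)


if __name__ == "__main__":
    # Constructed sample batch, as it might be prepared locally before sending.
    batch = (
        "CREATE USER 'app'@'localhost' IDENTIFIED BY 'password';\n"
        "GRANT SELECT ON shop.* TO 'report'@'localhost' IDENTIFIED BY 'it''s';\n"
    )
    print(rewrite_plaintext_passwords(batch))
```

Running the script prints the batch with both passwords replaced by their hashes; the rewritten file can then be loaded without the cleartext appearing in the general query log.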
Comments

Comment by Sergei Golubchik [ 2012-11-28 ]
Isn't that what mysqladmin is doing? It calculates the hash and sends "SET PASSWORD=calculated_hash" to the server. That is, the plain-text password is not logged anywhere. But, as I can see, mysqladmin also tries to set SQL_LOG_OFF=1, and it requires SUPER privilege, as that MySQL bug 57220 says. If mysqladmin ignored errors from SET SQL_LOG_OFF=1, wouldn't that be the more native and integrated solution?
Comment by BitSmid [ 2012-11-28 ]
I encountered this bug when I wanted to create a database on somebody else's server. As a developer, I am used to being in full control of the database server, but the issue here is that I want to create all necessary SQL beforehand (so I can test it locally) and send it to the "little privileged" database in one batch. The database is not necessarily accessible from outside or even through networking (or SSH tunnel to 127.0.0.1). I wrote this utility to be able to define a user without a connection during the preparation. If necessary, I could send the entire SQL by email and still not leak any password.
Comment by Sergei Golubchik [ 2012-12-07 ]

Ah, okay. I understand now, thanks.