[MDEV-8825] mysql_upgrade leaks the admin password when it spawns a shell process to execute mysqlcheck Created: 2015-09-21  Updated: 2015-12-08  Resolved: 2015-12-08

Status: Closed
Project: MariaDB Server
Component/s: Scripts & Clients
Affects Version/s: 5.5, 10.0, 10.1
Fix Version/s: 5.5.47, 10.0.23, 10.1.10

Type: Bug Priority: Major
Reporter: lonetwin Assignee: Sergei Golubchik
Resolution: Fixed Votes: 0
Labels: upstream-fixed
Environment:

mysql Ver 15.1 Distrib 10.0.19-MariaDB, for Linux (x86_64) using readline 5.1


 Description   

Running mysql_upgrade on a server with a large number of database might take a while. During this time, if any user on the system does a ps axf, the user will see the mysql admin password in plain text:

...
 
 7089 ?        S      0:00  |           \_ /opt/bin/mysql_upgrade -u root -pxxxxxxxx
 
 7224 ?        S      0:00  |               \_ sh -c '/opt/bin/mysqlcheck' '--no-defaults' '--user=root' '--password=GiuxphAI' '--user=root'  '--check-upgrade'
 
 7225 ?        S      0:00  |                   \_ /opt/bin/mysqlcheck --no-defaults --user=root --password=x xxxxxx --user=root --check-upgrade --auto-repair
 
...

So, although the mysqlcheck command itself hides the password in the process listing, it leaks because myslq_upgrade shell out to execute the command. A possible fix (although I don't know anything about mariadb code) is to avoid shell-ing out and doing a fork+exec instead.

 Comments   
Comment by Elena Stepanova [ 2015-09-21 ]

Thanks for the report.

Same with MySQL 5.6, but MySQL 5.7 does it differently.

Comment by Sergei Golubchik [ 2015-12-08 ]

Now mysql_upgrade uses a temporary config file to pass the password and other common arguments to tools. So the command line will only show something like --defaults-file=/tmp/mysql_upgrade-16ECAD7. The temporary file is chmod 600.

Generated at Thu Feb 08 07:30:04 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.