[debian-mysql] Bug#984997: mariadb-server-10.5: database password passed in cleartext both on commandline and in environment

Marc Lehmann debian-reportbug at plan9.de
Thu Mar 11 17:44:28 GMT 2021


Package: mariadb-server-10.5
Version: 1:10.5.9-1
Severity: normal

Dear Maintainer,

I had a look at /usr/bin/wsrep_sst_mariabackup, after being a bit
suspicious about how mariadb executes mariabackup for wsrep replication.

I found that the database password is passed in *cleartext* both on the
command line and via the environment.

Neither of these is a suitable place for a secret, as both can usually
easily be queried by nonprivileged users.

   * What outcome did you expect instead?

Secrets should never be passed on the commandline or in the environment.

-- System Information:
Debian Release: 10.8
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-updates'), (500, 'stable-debug'), (500, 'unstable'), (500, 'testing'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, x32

Kernel: Linux 5.8.18-050818-generic (SMP w/8 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages mariadb-server-10.5 depends on:
ii  adduser                   3.118
ii  debconf [debconf-2.0]     1.5.71
pn  galera-4                  <none>
ii  gawk                      1:4.2.1+dfsg-1
ii  iproute2                  5.10.0-4
ii  libc6                     2.30-4
ii  libdbi-perl               1.642-1+deb10u2
ii  libpam0g                  1.3.1-5
ii  libssl1.1                 1.1.1d-0+deb10u2
ii  libstdc++6                10.2.1-6
ii  lsb-base                  11.1.0
ii  lsof                      4.91+dfsg-1
pn  mariadb-client-10.5       <none>
ii  mariadb-common            1:10.3.27-0+deb10u1
pn  mariadb-server-core-10.5  <none>
ii  passwd                    1:4.5-1.1
ii  perl                      5.28.1-6+deb10u1
ii  procps                    2:3.3.15-2
ii  psmisc                    23.2-1
ii  rsync                     3.2.3-4
ii  socat                     1.7.3.2-2
ii  zlib1g                    1:1.2.11.dfsg-1

Versions of packages mariadb-server-10.5 recommends:
ii  libhtml-template-perl  2.97-1

Versions of packages mariadb-server-10.5 suggests:
ii  bsd-mailx [mailx]  8.1.2-0.20180807cvs-1
ii  mailutils [mailx]  1:3.5-4
pn  mariadb-test       <none>
ii  netcat-openbsd     1.195-2
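The report's point, as an added example that is not part of the bug report and not code from the mariadb package: a plain `sh` stands in for mariabackup, and the script checks what a child process exposes through /proc when a secret travels on its argument list or in its environment, then shows one alternative, a mode-0600 defaults file whose path (not content) goes on the command line. It assumes Linux (/proc), GNU or busybox `stat -c`, and a constructed sample secret; the option names `--user`, `--password` and `--defaults-extra-file` mirror MariaDB client options but are only strings to the stand-in child. One caveat worth knowing when triaging: on a default /proc mount `/proc/<pid>/cmdline` is readable by every local user (it is what `ps` prints), whereas `/proc/<pid>/environ` is readable only by the process owner and root, but it is still inherited by every child and visible to anything else running under the same uid.

```shell
#!/bin/sh
# Added example (not from the bug report or the mariadb package).
# Shows what a child process exposes via /proc when a secret is passed on
# the command line or in the environment, and a defaults-file alternative.
# Assumptions: Linux /proc, GNU/busybox `stat -c`, constructed sample secret.

# Prints the argument list of a child process as recorded in
# /proc/<pid>/cmdline (NUL separators replaced by spaces so it can be
# grepped). The child is a plain `sh` standing in for mariabackup.
child_cmdline() {
    sh -c 'tr "\0" " " < /proc/self/cmdline' sh "$@"
}

# Weak pattern: the secret is an argument. /proc/<pid>/cmdline is mode 0444,
# so every local user can read it. Returns 0 if the secret is visible.
secret_visible_via_argv() {
    child_cmdline --user=sst --password="$1" | grep -q -- "$1"
}

# Weak pattern: the secret is an environment variable. /proc/<pid>/environ is
# owner-readable only, but it is inherited by every child and readable by
# any process under the same uid. Returns 0 if the secret is visible.
secret_visible_via_env() {
    MYSQL_PWD="$1" sh -c 'tr "\0" "\n" < /proc/self/environ' \
        | grep -q -- "^MYSQL_PWD=$1\$"
}

# Writes a [client] section containing the secret into $2/sst.cnf. The
# umask is set in a subshell so only this file is affected (mode 0600).
write_defaults_file() {
    (umask 077 && printf '[client]\nuser=sst\npassword=%s\n' "$1" > "$2/sst.cnf")
}

# Prints the octal mode of the defaults file the safer pattern creates.
defaults_file_mode() {
    dir=$(mktemp -d) || return 2
    write_defaults_file "$1" "$dir" || { rm -rf "$dir"; return 2; }
    stat -c %a "$dir/sst.cnf"
    rm -rf "$dir"
}

# Safer pattern: only the path travels on the command line. Returns 0 if the
# secret still appears in the child's argv (it should not), 1 otherwise.
secret_visible_via_defaults_file() {
    dir=$(mktemp -d) || return 2
    write_defaults_file "$1" "$dir" || { rm -rf "$dir"; return 2; }
    argv=$(child_cmdline --defaults-extra-file="$dir/sst.cnf")
    rm -rf "$dir"
    printf '%s\n' "$argv" | grep -q -- "$1"
}

# Demonstration with a constructed value, not a real credential.
SECRET="constructed-sample-secret"
if secret_visible_via_argv "$SECRET"; then
    echo "argv: secret readable by every local user"
fi
if secret_visible_via_env "$SECRET"; then
    echo "env:  secret readable by any process under the same uid"
fi
if secret_visible_via_defaults_file "$SECRET"; then
    echo "file: secret leaked into argv (unexpected)"
else
    echo "file: argv clean, defaults file mode $(defaults_file_mode "$SECRET")"
fi
```

The defaults-file approach is the one the MariaDB client tools already understand through `--defaults-extra-file`; the important properties are the 0600 mode, a private directory from `mktemp -d`, and removing the file once the child has read it. If the calling process must keep the secret in memory, handing it to the child over a pipe or a dedicated file descriptor avoids even the short-lived file.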


