[debian-mysql] Bug#984997: Bug#984997: mariadb-server-10.5: database password passed in cleartext both on commandline and in environment
Otto Kekäläinen
otto at debian.org
Thu Mar 11 19:49:03 GMT 2021
Hello!
Thanks for looking into this and reporting it. Could you be a bit more
specific about what the context is and who can view the command? How do you
suggest the password should be passed instead?
I added a couple of Galera developers, as this script is not maintained in
Debian but inherited from the upstream Galera project.
On Thu, 11 Mar 2021 at 19:48, Marc Lehmann <debian-reportbug at plan9.de> wrote:
>
> Package: mariadb-server-10.5
> Version: 1:10.5.9-1
> Severity: normal
>
> Dear Maintainer,
>
> I had a look at /usr/bin/wsrep_sst_mariabackup, after being a bit
> suspicious on how mariadb executes mariabackup for wsrep replication.
>
> I found that the database password is passed in *cleartext* both on the
> command line and via the environment.
>
> Neither of these are suitable places for a secret, as both can usually
> easily be queried by nonprivileged users.
>
> * What outcome did you expect instead?
>
> Secrets should never be passed on the command line or in the environment.
>
> -- System Information:
> Debian Release: 10.8
> APT prefers stable
> APT policy: (990, 'stable'), (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-updates'), (500, 'stable-debug'), (500, 'unstable'), (500, 'testing'), (1, 'experimental-debug'), (1, 'experimental')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386, x32
>
> Kernel: Linux 5.8.18-050818-generic (SMP w/8 CPU threads)
> Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
> Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8), LANGUAGE not set
> Shell: /bin/sh linked to /usr/bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
> Versions of packages mariadb-server-10.5 depends on:
> ii adduser 3.118
> ii debconf [debconf-2.0] 1.5.71
> pn galera-4 <none>
> ii gawk 1:4.2.1+dfsg-1
> ii iproute2 5.10.0-4
> ii libc6 2.30-4
> ii libdbi-perl 1.642-1+deb10u2
> ii libpam0g 1.3.1-5
> ii libssl1.1 1.1.1d-0+deb10u2
> ii libstdc++6 10.2.1-6
> ii lsb-base 11.1.0
> ii lsof 4.91+dfsg-1
> pn mariadb-client-10.5 <none>
> ii mariadb-common 1:10.3.27-0+deb10u1
> pn mariadb-server-core-10.5 <none>
> ii passwd 1:4.5-1.1
> ii perl 5.28.1-6+deb10u1
> ii procps 2:3.3.15-2
> ii psmisc 23.2-1
> ii rsync 3.2.3-4
> ii socat 1.7.3.2-2
> ii zlib1g 1:1.2.11.dfsg-1
>
> Versions of packages mariadb-server-10.5 recommends:
> ii libhtml-template-perl 2.97-1
>
> Versions of packages mariadb-server-10.5 suggests:
> ii bsd-mailx [mailx] 8.1.2-0.20180807cvs-1
> ii mailutils [mailx] 1:3.5-4
> pn mariadb-test <none>
> ii netcat-openbsd 1.195-2
>
> _______________________________________________
> pkg-mysql-maint mailing list
> pkg-mysql-maint at alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-mysql-maint
--
- Otto
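The report above is about where a secret ends up, not about any particular exploit: argv is world-readable on Linux through /proc/<pid>/cmdline (and `ps`), and the environment of a process is readable by anyone running as the same uid. The following is an added example written for this thread; it is not code from wsrep_sst_mariabackup, MariaDB or Galera. It assumes, for illustration, that a leak looks like `--password=SECRET`, `-pSECRET` or a `MYSQL_PWD` variable, and it shows the usual remedy for MariaDB/MySQL client tools: write the credentials to a 0600 option file and pass only its path with `--defaults-extra-file`. All values are constructed.

```python
"""Audit argv/environ for database secrets and build an invocation that avoids them.

Added example for the bug thread above; not code from the MariaDB/Galera SST
scripts. Assumed leaking forms: '--password=SECRET', '-pSECRET', MYSQL_PWD=...
"""
import os
import stat
import tempfile
from pathlib import Path

ENV_SECRET_VARS = {"MYSQL_PWD"}  # assumed: variables that carry a password


def parse_nul_separated(raw: bytes) -> list:
    """Split a /proc/<pid>/cmdline or environ blob; fields are NUL-terminated."""
    return [f.decode("utf-8", "replace") for f in raw.split(b"\0") if f]


def find_secret_args(argv) -> list:
    """Return redacted markers for argv entries that embed a password."""
    hits = []
    for arg in argv:
        if arg.startswith("--password=") and len(arg) > len("--password="):
            hits.append("--password=<redacted>")
        elif arg.startswith("-p") and not arg.startswith("--") and len(arg) > 2:
            hits.append("-p<redacted>")  # mysql-style '-pSECRET'; bare '-p' prompts
    return hits


def find_secret_env(environ) -> list:
    """Return redacted markers for environ entries that set a password variable."""
    hits = []
    for entry in environ:
        name, sep, value = entry.partition("=")
        if sep and name in ENV_SECRET_VARS and value:
            hits.append(f"{name}=<redacted>")
    return hits


def scan_proc(proc="/proc") -> dict:
    """Audit every readable process: {pid: [markers]}.

    cmdline is world-readable; environ is readable only by the same uid or root,
    so an unprivileged audit skips other users' environments (OSError).
    """
    findings = {}
    if not os.path.isdir(proc):
        return findings
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            argv = parse_nul_separated(Path(proc, entry, "cmdline").read_bytes())
            env = parse_nul_separated(Path(proc, entry, "environ").read_bytes())
        except OSError:  # permission denied, or the process already exited
            continue
        hits = find_secret_args(argv) + find_secret_env(env)
        if hits:
            findings[int(entry)] = hits
    return findings


def build_safe_invocation(user: str, password: str, extra_args=(), directory=None):
    """Put the credentials in a private option file and hand the tool only its path.

    mkstemp creates the file with mode 0600 before any byte is written, and
    --defaults-extra-file must be the first option for MariaDB/MySQL client tools.
    """
    fd, path = tempfile.mkstemp(prefix="sst-creds-", suffix=".cnf", dir=directory)
    with os.fdopen(fd, "w") as f:
        # Quote the value so '#' or ';' in the password is not read as a comment;
        # inside quotes the option-file syntax escapes backslash and double quote.
        quoted = password.replace("\\", "\\\\").replace('"', '\\"')
        f.write(f'[client]\nuser={user}\npassword="{quoted}"\n')
    argv = ["mariabackup", f"--defaults-extra-file={path}", *extra_args]
    env = {k: v for k, v in os.environ.items() if k not in ENV_SECRET_VARS}
    return argv, env, path


def self_check() -> dict:
    """Build a hardened invocation with a constructed secret and verify its properties."""
    secret = 'hun"ter2'  # constructed value
    argv, env, path = build_safe_invocation("sst", secret, ["--backup"])
    try:
        mode = stat.S_IMODE(os.stat(path).st_mode)
        contents = Path(path).read_text()
    finally:
        os.unlink(path)  # the caller must remove the file once the tool has read it
    return {
        "mode_private": mode == 0o600,
        "secret_in_argv": any(secret in a for a in argv),
        "env_scrubbed": "MYSQL_PWD" not in env,
        "file_has_secret": 'password="hun\\"ter2"' in contents,
        "audit_flags_argv": bool(find_secret_args(argv)),
    }


if __name__ == "__main__":
    for pid, markers in scan_proc().items():
        print(pid, markers)
    print(self_check())
```

Run as root the audit covers every process; as an ordinary user it still sees every process's argv, which is exactly the exposure the report describes. The option file is only an improvement if it is unlinked as soon as the tool has read it and lives on a filesystem the backup user alone can reach; a named pipe or a file descriptor passed at exec time are the other common choices.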