[debian-mysql] Bug#984997: Bug#984997: mariadb-server-10.5: database password passed in cleartext both on commandline and in environment

Marc Lehmann schmorp at schmorp.de
Sun Mar 14 11:20:02 GMT 2021


On Thu, Mar 11, 2021 at 09:49:03PM +0200, Otto Kekäläinen <otto at debian.org> wrote:
> Thanks for looking into this and reporting it. Could you be a bit more
> specific what the context is, who can view the command?

This is a rather old and well-known type of security issue.

Typically any local user can view the password. This data is also often
exposed in monitoring output, http status pages, smtp and so on.

The commandline and environment are simply the wrong places to expose
secret data - passwords should never be shown on screen in cleartext.

(That includes the environment, btw. storing secrets in environment
variables is similarly insecure).

> How do you suggest the password would be passed?

The typical method that is employed in practice is passing it via a file
descriptor. A bit less secure is using a (non-world-readable) file, e.g.
using --defaults-extra-file.

-- 
                The choice of a       Deliantra, the free code+content MORPG
      -----==-     _GNU_              http://www.deliantra.net
      ----==-- _       generation
      ---==---(_)__  __ ____  __      Marc Lehmann
      --==---/ / _ \/ // /\ \/ /      schmorp at schmorp.de
      -=====/_/_//_/\_,_/ /_/\_\
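As an added illustration of the --defaults-extra-file approach mentioned above (example code, not part of the bug report or of the mariadb packaging): the script writes a [client] section to a file readable only by its owner, builds the two command lines, and checks which of them would expose the password to anyone reading the process list. The user name, database name and secret value are constructed for the example.

```shell
#!/bin/sh
# Keep a MariaDB client password out of argv (and hence out of `ps`,
# /proc/<pid>/cmdline and monitoring output) by using a 0600 defaults file.
# The secret below is a constructed example value.
DB_SECRET_EXAMPLE='s3cr3t-example'

# Write a [client] section to a temp file that only the owner can read and
# print the file's path. mktemp creates the file with mode 0600, and the
# subshell umask keeps that mode even if the file is recreated.
write_client_defaults() {
    (
        umask 077
        f=$(mktemp "${TMPDIR:-/tmp}/my.cnf.XXXXXX") || exit 1
        printf '[client]\nuser=%s\npassword=%s\n' "$1" "$2" > "$f"
        echo "$f"
    )
}

# Return 0 if the command line (arg 1) contains the secret (arg 2), else 1.
# This is the check an auditor would apply to `ps -ef` output.
argv_leaks_secret() {
    case "$1" in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Leaky form: the password is part of argv, visible to every local user.
leaky_cmd() { printf 'mysql -u app -p%s appdb' "$1"; }

# Safe form: argv carries only a path; the secret stays in the 0600 file.
safe_cmd() { printf 'mysql --defaults-extra-file=%s appdb' "$1"; }

# Permission bits of a file (e.g. 600); GNU stat first, BSD stat as fallback.
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
```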



More information about the pkg-mysql-maint mailing list