Package: mariadb-server-10.5
Version: 1:10.5.9-1
Severity: normal

Dear Maintainer,

I had a look at /usr/bin/wsrep_sst_mariabackup, after being a bit suspicious about how mariadb executes mariabackup for wsrep replication. I found that the database password is passed in *cleartext* both on the command line and via the environment. Neither of these is a suitable place for a secret, as both can usually easily be queried by nonprivileged users.

* What outcome did you expect instead?

Secrets should never be passed on the command line or in the environment.

-- System Information:
Debian Release: 10.8
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-updates'), (500, 'stable-debug'), (500, 'unstable'), (500, 'testing'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, x32

Kernel: Linux 5.8.18-050818-generic (SMP w/8 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages mariadb-server-10.5 depends on:
ii  adduser                 3.118
ii  debconf [debconf-2.0]   1.5.71
pn  galera-4                <none>
ii  gawk                    1:4.2.1+dfsg-1
ii  iproute2                5.10.0-4
ii  libc6                   2.30-4
ii  libdbi-perl             1.642-1+deb10u2
ii  libpam0g                1.3.1-5
ii  libssl1.1               1.1.1d-0+deb10u2
ii  libstdc++6              10.2.1-6
ii  lsb-base                11.1.0
ii  lsof                    4.91+dfsg-1
pn  mariadb-client-10.5     <none>
ii  mariadb-common          1:10.3.27-0+deb10u1
pn  mariadb-server-core-10.5  <none>
ii  passwd                  1:4.5-1.1
ii  perl                    5.28.1-6+deb10u1
ii  procps                  2:3.3.15-2
ii  psmisc                  23.2-1
ii  rsync                   3.2.3-4
ii  socat                   1.7.3.2-2
ii  zlib1g                  1:1.2.11.dfsg-1

Versions of packages mariadb-server-10.5 recommends:
ii  libhtml-template-perl   2.97-1

Versions of packages mariadb-server-10.5 suggests:
ii  bsd-mailx [mailx]       8.1.2-0.20180807cvs-1
ii  mailutils [mailx]       1:3.5-4
pn  mariadb-test            <none>
ii  netcat-openbsd          1.195-2
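The report's point is that a child process's argument vector and environment are not private channels: on Linux `/proc/<pid>/cmdline` is world-readable (which is what `ps` shows), and `/proc/<pid>/environ` is readable by any process running as the same user. The following added example, which is not part of the bug report and not code from the mariadb or wsrep_sst_mariabackup scripts, contrasts the two leaky channels with the pattern a defender would want instead: handing the secret to the child over a dedicated inherited pipe file descriptor, so that neither `argv` nor the environment ever carries it. The `spawn` helper and `CHILD_PROGRAM` are constructed for this illustration, and `SAMPLE_PASSWORD` is a made-up value, not a real credential.

```python
import os
import subprocess
import sys

# Constructed sample secret for the demonstration only; not a real credential.
SAMPLE_PASSWORD = "example-password-not-real"

# Hypothetical child that models a helper such as a backup tool. It obtains
# the secret by one of three routes and then reports whether the secret is
# visible in its own argv or environment (the two channels the report calls out).
CHILD_PROGRAM = r'''
import os, sys
mode, arg = sys.argv[1], sys.argv[2]
if mode == "fd":
    # Safe route: read the secret from an inherited pipe, then close it.
    fd = int(arg)
    secret = os.read(fd, 4096).decode().rstrip("\n")
    os.close(fd)
elif mode == "argv":
    # Leaky route: the secret arrived as a command-line argument.
    secret = arg
else:
    # Leaky route: the secret arrived as an environment variable.
    secret = os.environ["SAMPLE_PASSWORD"]
in_argv = any(secret == a for a in sys.argv)
in_env = any(secret == v for v in os.environ.values())
print(len(secret), int(in_argv), int(in_env))
'''


def spawn(mode, secret):
    """Run the child with the secret delivered via `mode` ("fd", "argv" or "env").

    Returns (secret_length_seen_by_child, leaked_in_argv, leaked_in_env).
    """
    # Start from a copy of our environment that does not already contain the secret.
    env = {k: v for k, v in os.environ.items() if v != secret}
    argv = [sys.executable, "-c", CHILD_PROGRAM, mode]
    kwargs = {}
    read_end = None
    if mode == "fd":
        read_end, write_end = os.pipe()
        # A short secret fits in the pipe buffer, so writing before the child
        # starts does not block; close our write end so the child sees EOF.
        os.write(write_end, (secret + "\n").encode())
        os.close(write_end)
        # Only the read end is inherited; its number is passed, not the secret.
        argv.append(str(read_end))
        kwargs["pass_fds"] = (read_end,)
    elif mode == "argv":
        argv.append(secret)
    else:
        argv.append("-")
        env["SAMPLE_PASSWORD"] = secret
    try:
        out = subprocess.run(argv, env=env, capture_output=True, text=True,
                             check=True, **kwargs).stdout.split()
    finally:
        if read_end is not None:
            os.close(read_end)
    return int(out[0]), bool(int(out[1])), bool(int(out[2]))


if __name__ == "__main__":
    for mode in ("argv", "env", "fd"):
        length, via_argv, via_env = spawn(mode, SAMPLE_PASSWORD)
        print(f"{mode:4s}: child got {length} bytes; "
              f"visible in argv={via_argv}, in environment={via_env}")
```

Running the block shows the child receiving the full secret in all three modes, but only the `fd` mode leaves both `argv` and the environment clean. The same idea applies to a shell wrapper: feed the credential through a pipe or a mode-0600 file (for MariaDB tools, a `--defaults-extra-file`) rather than interpolating it into the command string or exporting it.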

