Hello! Thanks for looking into this and reporting it. Could you be a bit more specific about what the context is, and who can view the command? How do you suggest the password would be passed?
I added a couple of Galera developers as this script is not maintained in Debian, but inherited from the upstream Galera project.

On Thu, 11 Mar 2021 at 19:48, Marc Lehmann <debian-report...@plan9.de> wrote:
>
> Package: mariadb-server-10.5
> Version: 1:10.5.9-1
> Severity: normal
>
> Dear Maintainer,
>
> I had a look at /usr/bin/wsrep_sst_mariabackup, after being a bit
> suspicious on how mariadb executes mariabackup for wsrep replication.
>
> I found that the database password is passed in *cleartext* both on the
> command line and via the environment.
>
> Neither of these are suitable places for a secret, as both can usually
> easily be queried by nonprivileged users.
>
> * What outcome did you expect instead?
>
> Secrets should never be passed on the command line or in the environment.
>
> -- System Information:
> Debian Release: 10.8
> APT prefers stable
> APT policy: (990, 'stable'), (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-updates'), (500, 'stable-debug'), (500, 'unstable'), (500, 'testing'), (1, 'experimental-debug'), (1, 'experimental')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386, x32
>
> Kernel: Linux 5.8.18-050818-generic (SMP w/8 CPU threads)
> Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
> Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8), LANGUAGE not set
> Shell: /bin/sh linked to /usr/bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
> Versions of packages mariadb-server-10.5 depends on:
> ii  adduser                   3.118
> ii  debconf [debconf-2.0]     1.5.71
> pn  galera-4                  <none>
> ii  gawk                      1:4.2.1+dfsg-1
> ii  iproute2                  5.10.0-4
> ii  libc6                     2.30-4
> ii  libdbi-perl               1.642-1+deb10u2
> ii  libpam0g                  1.3.1-5
> ii  libssl1.1                 1.1.1d-0+deb10u2
> ii  libstdc++6                10.2.1-6
> ii  lsb-base                  11.1.0
> ii  lsof                      4.91+dfsg-1
> pn  mariadb-client-10.5       <none>
> ii  mariadb-common            1:10.3.27-0+deb10u1
> pn  mariadb-server-core-10.5  <none>
> ii  passwd                    1:4.5-1.1
> ii  perl                      5.28.1-6+deb10u1
> ii  procps                    2:3.3.15-2
> ii  psmisc                    23.2-1
> ii  rsync                     3.2.3-4
> ii  socat                     1.7.3.2-2
> ii  zlib1g                    1:1.2.11.dfsg-1
>
> Versions of packages mariadb-server-10.5 recommends:
> ii  libhtml-template-perl     2.97-1
>
> Versions of packages mariadb-server-10.5 suggests:
> ii  bsd-mailx [mailx]         8.1.2-0.20180807cvs-1
> ii  mailutils [mailx]         1:3.5-4
> pn  mariadb-test              <none>
> ii  netcat-openbsd            1.195-2
>
> _______________________________________________
> pkg-mysql-maint mailing list
> pkg-mysql-ma...@alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-mysql-maint

--
- Otto
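The pattern the bug report asks for, written as an added example; it is not part of this thread and not code from the upstream wsrep_sst_mariabackup script. Command-line arguments are visible to every local user through `ps` or `/proc/<pid>/cmdline`, and an environment variable is inherited by every child process and ends up in crash dumps and debug output, so the secret is instead read from stdin and written to a mode-0600 option file in `[client]` section format; only the file's path goes on the command line. The `run_consumer` function is a stand-in that only shows the argv that would be passed, because the real tool is not available offline; that `mariabackup` reads such a file via `--defaults-extra-file` like the other MariaDB client tools is an assumption of this example, and the user name and password are constructed values.

```shell
#!/bin/sh
# Added example, not from the Debian thread or the upstream SST script.
# Keeps the database password out of argv and the environment by passing
# it to the backup tool through a private option file.

# Write a my.cnf-style [client] section to a 0600 temp file; the secret is
# read from stdin so it never appears in argv. Prints the file path.
#   usage: printf '%s' "$password" | make_secret_file "$user"
make_secret_file() {
    user=$1
    secret=$(cat)                 # read the secret from stdin, not from $1
    cnf=$(mktemp) || return 1     # mktemp creates the file 0600; enforce it anyway
    chmod 600 "$cnf" || return 1
    printf '[client]\nuser=%s\npassword=%s\n' "$user" "$secret" > "$cnf"
    printf '%s\n' "$cnf"
}

# Check that a secret file is readable by its owner only (GNU stat, BSD fallback).
secret_file_is_private() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    [ "$mode" = "600" ]
}

# Defender-side check: return 0 if any argv element contains the secret.
#   usage: argv_leaks_secret "$secret" cmd arg1 arg2 ...
argv_leaks_secret() {
    needle=$1
    shift
    for arg in "$@"; do
        case "$arg" in *"$needle"*) return 0 ;; esac
    done
    return 1
}

# Stand-in for the consumer: prints the argv that would be used. The real
# call would be:  mariabackup --defaults-extra-file="$cnf" --backup ...
# (assumption: mariabackup honours --defaults-extra-file like the MariaDB
# client tools). Note that only the file name appears on the command line.
run_consumer() {
    printf 'mariabackup --defaults-extra-file=%s --backup\n' "$1"
}

# Stand-alone demonstration with constructed credentials.
if [ "${1:-}" = "demo" ]; then
    f=$(printf '%s' 'constructed-password' | make_secret_file sstuser) || exit 1
    secret_file_is_private "$f" && echo "option file is 0600: $f"
    run_consumer "$f"
    rm -f "$f"                    # remove the secret file once the tool has exited
fi
```

The same `argv_leaks_secret` check can be dropped into a wrapper around any backup or replication helper as a guard: if the composed command line contains the password, refuse to run rather than hand the secret to `ps`.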