** Changed in: mythtv (Ubuntu)
Importance: Undecided => Low
https://bugs.launchpad.net/bugs/789356
Title:
passwords leaked on command line
Status in “mythtv” package in Ubuntu:
Confirmed
Bug description:
Binary package hint: mythtv
MySQL passwords are leaked on the command line, visible to any local
user running "ps".
See:
./debian/mythtv-database.config: while ! echo "show databases;" | mysql --host="$HOST" --user="$USER" --password="$PASSWORD" >/dev/null 2>&1; do
./mythplugins/mythvideo/contrib/videometadata: echo "UPDATE videometadata SET coverfile=\"$THUMB_PATH\" WHERE filename=\"${DATEI}\" ;" | mysql -u $USER --password=$PASSW -D $DATABASE -h $HOST
./mythplugins/mythvideo/contrib/videometadata: echo "UPDATE videometadata SET coverfile=\"$THUMB_PATH\" WHERE filename=\"${DATEI}\" ;" | mysql -u $USER --password=$PASSW -D $DATABASE -h $HOST
./mythplugins/mythvideo/contrib/videometadata:echo "UPDATE videometadata SET showlevel=$SHOWLEVEL WHERE filename LIKE '$RATED_DIR/%' ;" | mysql -u $USER --password=$PASSW -D $DATABASE -h $HOST
and
./debian/mythtv-database.postinst: mysql $SECURITY_INFO $database
./debian/mythtv-database.postinst: mysql $SECURITY_INFO "$database" >/dev/null 2>&1; then
./debian/mythtv-database.postinst: mysql $SECURITY_INFO "$database" >/dev/null 2>&1; then
./debian/mythtv-database.postinst: SECURITY_INFO="--host=\"$hostname\" --user=\"$admin_username\" $admin_password"
./debian/mythtv-database.postinst: mysql $SECURITY_INFO "$database" >/dev/null 2>&1; then
./debian/mythtv-database.postinst: mysql $SECURITY_INFO "$database" >/dev/null 2>&1; then
./debian/mythtv-database.postinst: SECURITY_INFO="--defaults-file=/etc/mysql/debian.cnf"
./debian/mythtv-database.postinst: SECURITY_INFO="--host=\"$hostname\" --user=\"$admin_username\" $admin_password"
./debian/mythtv-database.postinst: if ! echo "SELECT NULL;" | mysql $SECURITY_INFO "$database" >/dev/null 2>&1; then
./debian/mythtv-database.postinst: while ! echo "CREATE DATABASE $database;" | mysql $SECURITY_INFO ; do
./debian/mythtv-database.postinst: if ! echo "SELECT value FROM settings LIMIT 1, 1;" | mysql $SECURITY_INFO "$database" >/dev/null 2>&1; then
The proper fix is to use a --defaults-file containing the password, per:
* http://dev.mysql.com/doc/refman/5.1/en/option-files.html#option_general_defaults-file
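
The --defaults-file fix named in the report, sketched as an added example; it is not code from the bug report or from the mythtv packaging. The function names, the temp-file name and the decision to refuse values containing a double quote or newline are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: put the MySQL credentials in a private option file so that
# only the file's path, never the password, appears in the process list.

# Double backslashes, because option files treat "\" as an escape character.
esc() { printf '%s' "$1" | sed 's/\\/\\\\/g'; }

# make_defaults_file HOST USER PASSWORD   (hypothetical helper)
# Prints the path of a new owner-only option file; returns 1 on bad input.
make_defaults_file() {
    for v in "$1" "$2" "$3"; do
        case $v in
            *'"'*|*'
'*) echo "value contains a double quote or newline; refusing" >&2
                return 1 ;;
        esac
    done
    cnf=$(mktemp "${TMPDIR:-/tmp}/mythtv-my.cnf.XXXXXX") || return 1
    chmod 600 "$cnf"    # mktemp already creates the file 0600; keep it explicit
    # printf is a shell builtin, so the password never enters any argv.
    {
        printf '[client]\n'
        printf 'host="%s"\n'     "$(esc "$1")"
        printf 'user="%s"\n'     "$(esc "$2")"
        printf 'password="%s"\n' "$(esc "$3")"
    } >"$cnf"
    printf '%s\n' "$cnf"
}

# mysql_cmd CNF [mysql args...]   (hypothetical wrapper)
# --defaults-file has to be the first option on the mysql command line.
mysql_cmd() {
    cnf=$1; shift
    mysql --defaults-file="$cnf" "$@"
}

# Usage, in place of
#   mysql --host="$HOST" --user="$USER" --password="$PASSWORD"
#
#   cnf=$(make_defaults_file "$HOST" "$USER" "$PASSWORD") || exit 1
#   trap 'rm -f "$cnf"' EXIT
#   echo "show databases;" | mysql_cmd "$cnf" >/dev/null 2>&1
```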