Hi,

The help message of the check_mysql plugin clearly tells there is a risk 
to use the -p option, which requires to specify the password on the 
command line. Indeed : any look at the process table while the check is 
being processed would show the password in its plain form.

I tried to use the [client] sections of the MySQL configuration, be them 
either in the system-wide or user's configuration files, which MySQL 
client actually uses, but check_mysql does not seem to use their 
contents. However, tracing a check_mysql run shows that (probably 
because it uses the libmysqlclient library) opens and reads each .cnf 
file of MySQL, even the user's one.

I did not find any documentation regarding this capability. So I do not 
know if it is finally not possible to do this way, if this is a known 
bug being corrected, or if I this is possible but I am doing wrong.

I also found articles on the web talking about the $USERn$ macros. I 
understand that using these would help to secure password storage by 
setting restrictive permissions on the resource configuration files 
defining them, but what about the appearance of the plain password in 
the process list ?

I would very appreciate some explanation and advices by those who 
already faced the same requirements.

Thanks in advance.
Regards,

-- 
Fabien Malfoy
Systems engineer - Ullink
23 rue de Provence - 75009 Paris - FRANCE
Phone: +33 (0)1.44.50.77.55 - 2108
E-mail: fabien DOT malfoy AT ullink DOT com

------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure contains a 
definitive record of customers, application performance, security 
threats, fraudulent activity and more. Splunk takes this data and makes 
sense of it. Business sense. IT sense. Common sense.. 
http://p.sf.net/sfu/splunk-d2d-c1
_______________________________________________
Nagios-users mailing list
Nagios-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting 
any issue. 
::: Messages without supporting info will risk being sent to /dev/null

Reply via email to