On 17.3.2014 17:24, Leo Baltus wrote:
> Hi,
> 
> I just found out that compiling opendnssec with '--with-mysql=$mysql'
> does not always result in linking to these libraries but is also used
> for finding the runtime mysql command.
> 
> This is rather unexpected.
> 
> As a result 'ods-ksmutil setup' now fails at runtime:
> 
> sh: /compile/mysql-dynamic-5.1.71-bddb9e96/bin/mysql: No such file or directory
> Could not call db setup command:
>         /compile/mysql-dynamic-5.1.71-bddb9e96/bin/mysql -u 'sign01' -h sign1adb 
> -P 3306 -p'pwdremoved' sign01db < 
> /software/opendnssec-sign2a-1.4.3-02a2b826/share/opendnssec/database_create.mysql
> 
> It obviously tried to run said command, and now it reveals my mysql
> password, which is bad, but if this had succeeded I would never have been
> aware of the fact that it revealed the password in the process list.
> 
> I think that this is a security risk; the mysql library/API should have
> been linked in rather than forking a separate mysql binary.

IMHO, from a security point of view it is perfectly fine to call an external binary as long as the password is not in the parameter list. Typically the password is passed via stdin or a dedicated password file (accessible only by the user running the command in question).

--
Petr Spacek  @  Red Hat
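The mitigation Petr describes, as an added example that is not code from OpenDNSSEC or from either poster: the setup invocation is rebuilt so that the credentials live in a 0600 option file handed to the mysql client via its `--defaults-extra-file` option, and argv (what `ps` and /proc expose) carries only the file path. The file name `ods-db.cnf`, the `demo()` wrapper and the scratch directory are hypothetical; user, host, port and database come from the quoted command, and the password value is a constructed sample.

```python
import os
import tempfile


def insecure_argv(user, host, port, password, db):
    """The shape quoted in the report: the password is an argv element, readable via ps."""
    return ["mysql", "-u", user, "-h", host, "-P", str(port), f"-p{password}", db]


def write_client_defaults(directory, user, password, host, port):
    """Write a my.cnf-style [client] section readable only by the invoking user.

    O_EXCL makes the open fail instead of writing into a file someone pre-planted
    at that path; 0o600 keeps other local users from reading the password.
    Values are double-quoted so '#' or ';' in a password are not read as comments.
    """
    path = os.path.join(directory, "ods-db.cnf")  # hypothetical file name
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    quoted = password.replace("\\", "\\\\").replace('"', '\\"')
    with os.fdopen(fd, "w") as f:
        f.write("[client]\n")
        f.write(f'user="{user}"\npassword="{quoted}"\nhost="{host}"\nport={port}\n')
    return path


def safe_argv(defaults_file, db):
    """--defaults-extra-file must be the first option; argv now holds only a path.

    The SQL script is still fed on stdin (subprocess stdin=open(sql_path)), which is
    why the password cannot also come from stdin here and a 0600 file is used instead.
    """
    return ["mysql", f"--defaults-extra-file={defaults_file}", db]


def argv_leaks(argv, secret):
    """What a process-list reader would see: does the secret appear in any argument?"""
    return any(secret in arg for arg in argv)


def demo(password="pwdremoved"):
    """Compare both invocations for the quoted setup command; returns the findings."""
    workdir = tempfile.mkdtemp()
    cnf = write_client_defaults(workdir, "sign01", password, "sign1adb", 3306)
    try:
        before = insecure_argv("sign01", "sign1adb", 3306, password, "sign01db")
        after = safe_argv(cnf, "sign01db")
        return {"mode": os.stat(cnf).st_mode & 0o777,
                "leak_before": argv_leaks(before, password),
                "leak_after": argv_leaks(after, password)}
    finally:
        os.unlink(cnf)  # remove the credential file as soon as the client has exited
        os.rmdir(workdir)
```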
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user