On 18/03/2014 at 14:47:07 +0100, Merijn van den Kroonenberg wrote:
> > On 17.3.2014 17:24, Leo Baltus wrote:
> >> Hi,
> >>
> >> I just found out that compiling opendnssec with '--with-mysql=$mysql'
> >> does not always result in linking to these libraries but is also used
> >> for finding the runtime mysql command.
> >>
> >> This is rather unexpected.
> >>
> >> As a result 'ods-ksmutil setup' now fails at runtime:
> >>
> >> sh: /compile/mysql-dynamic-5.1.71-bddb9e96/bin/mysql: No such file or
> >> directory
> >> Could not call db setup command:
> >> /compile/mysql-dynamic-5.1.71-bddb9e96/bin/mysql -u 'sign01' -h
> >> sign1adb -P 3306 -p'pwdremoved' sign01db <
> >> /software/opendnssec-sign2a-1.4.3-02a2b826/share/opendnssec/database_create.mysql
> >>
> >> It obviously tried to run said command; now it reveals my mysql
> >> password, which is bad, but if this had succeeded I was never aware of
> >> the fact that it revealed the password in the process list.
> >>
> >> I think that this is a security risk; the mysql library/api should have
> >> been linked in rather than a separate fork to the mysql binary.
> >
> > IMHO from a security point of view it is perfectly fine to call an external
> > binary as long as the password is not in the parameter list. Typically the
> > password is passed via stdin or a dedicated password file (accessible only
> > by the user running the command in question).
>
> Actually I think mysql does not expose the -p<password> to the process
> list. At least it's like that on our systems. (did you check?)
>

You are right,

leo 29636 27850 0 14:57 pts/2 00:00:00 mysql -u sign01 -h sign1adb -P 3306 -px xxxxxx sign01db

It's obfuscated by mysql.

--
Leo Baltus, internet administrator
NPO ICT Internet Services
Bart de Graaffweg 2, 1217 ZL Hilversum
[email protected], 035-6773555

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
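Merijn's two alternatives (stdin, or a password file only the invoking user can read) and the process-list check Leo ran, as an added Python example that is not part of the thread or of OpenDNSSEC: it builds the db-setup call with the password in a mode-0600 options file instead of argv, feeds the SQL on stdin, and parses a /proc-style cmdline blob for inline passwords. The MySQL `--defaults-extra-file` option and the NUL-separated `/proc/<pid>/cmdline` format are real; the binary path, hostnames and password are constructed values.

```python
"""Added example (not OpenDNSSEC or MySQL code).  Assumes the MySQL client's
--defaults-extra-file option (real; it must be the first argument) and Linux's
NUL-separated /proc/<pid>/cmdline format.  All sample values are constructed."""
import os
import stat
import subprocess
import tempfile


def write_client_options(password, directory=None):
    """Write a [client] options file readable only by the invoking user."""
    fd, path = tempfile.mkstemp(prefix="ods-mysql-", suffix=".cnf", dir=directory)
    with os.fdopen(fd, "w") as f:                 # mkstemp creates it mode 0600
        f.write("[client]\npassword=%s\n" % password)
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)  # be explicit anyway
    return path


def discard_client_options(path):
    """Remove the options file once the client has read it."""
    os.unlink(path)


def file_mode(path):
    """Permission bits of a file, to check the options file stayed private."""
    return stat.S_IMODE(os.stat(path).st_mode)


def build_setup_argv(mysql_bin, user, host, port, database, options_file):
    """argv for the db-setup call: the password travels in the file, not argv."""
    return [mysql_bin, "--defaults-extra-file=" + options_file,
            "-u", user, "-h", host, "-P", str(port), database]


def run_setup(argv, sql_path):
    """Feed the schema on stdin directly, so no 'sh -c ... <' step is needed."""
    with open(sql_path, "rb") as sql:
        return subprocess.run(argv, stdin=sql, check=False).returncode


def inline_password_args(cmdline_bytes):
    """Return entries of a /proc/<pid>/cmdline blob that carry a password
    inline (-p<value> or --password=<value>); a bare -p (prompt) is fine.
    The mysql client overwrites such entries after parsing them, but they are
    visible between exec() and that scrub; the options-file form never has
    them in argv at all."""
    args = [a.decode(errors="replace") for a in cmdline_bytes.split(b"\0") if a]
    return [a for a in args
            if (a.startswith("-p") and len(a) > 2) or a.startswith("--password=")]
```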
