For mysql-5.7, I verified actual behaviour in xenial, and then upgraded
to xenial-proposed. Now the apport report instead says "--- Line
containing protected term grant stripped from log by apport hook. Ref.
Launchpad bug #1574458" instead of revealing the password as expected.

** Description changed:

  MySQL has some logic for ensuring passwords aren't written to the logs,
  detailed at https://dev.mysql.com/doc/refman/5.7/en/password-
  logging.html (passwords are rewritten before they are logged). However,
  a failed grant statement is written unaltered to the error log,
  bypassing the password rewriting logic.
  
  [Impact]
  Ubuntu's bug reporting system will suggest uploading the error log to a bug report. This can lead to user credentials being written in plain text in public bug reports.
  
  [Test case]
  (note/todo: I had a simpler test for this, but can't find the exact syntax for it)
  * Add the following to the server config:
  plugin-load=validate_password.so
  validate-password=FORCE_PLUS_PERMANENT
  and restart the server
  * Log in and run GRANT ALL ON *.* TO 'user'@'localhost' IDENTIFIED BY '123';
  * Observe statement failing because it doesn't follow password validation rules
+ * Run "ubuntu-bug mysql-server"
+ * Choose "View Report"
+ * Search for "123"
  
  Expected behavior:
- Password is scrambled or otherwise not written to the error log
+ Password is scrambled or otherwise not written to the apport report
  
  Actual behavior:
- The entire failed grant statement is written to the error log
+ The entire failed grant statement is written to the apport report
  
  [Regression Potential]
  The fix replaces all lines in the log that contain any of the terms mentioned on the password-logging site, so it will rewrite more lines than strictly necessary, potentially making debugging harder.
  
- 
  [Original description]
  Your automated bug reports are posting Logs.var.log.mysql.error.log.txt in clear text. These logs may contain PII as well as user credentials.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1574458

Title:
  Logs.var.log.mysql.error.log.txt  contains usernames and passwords

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mariadb-10.0/+bug/1574458/+subscriptions
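The following Python is an added example, not code from the bug report or from Ubuntu's actual apport hook. It shows the line-level scrubbing the [Regression Potential] section describes: any error-log line containing a protected statement keyword is replaced with a placeholder of the shape quoted above, and the "search for 123" step of the test case is automated as a check. Only "grant" is named on this page; the other terms in PROTECTED_TERMS are assumed from the MySQL password-logging documentation, and the sample log lines are constructed for the example.

```python
import re

# Statement keywords covered by MySQL's password rewriting. "grant" is the
# term named in the bug report; the others are assumed here from the MySQL
# "Passwords and Logging" documentation, not taken from the apport hook.
PROTECTED_TERMS = (
    "grant", "create user", "alter user", "set password",
    "create server", "alter server", "change master to", "start slave",
)

# Replacement text in the same shape the bug report quotes from the hook.
PLACEHOLDER = ("--- Line containing protected term {term} stripped from log "
               "by apport hook. Ref. Launchpad bug #1574458")


def _compile(term):
    # Match the term at a word start, case-insensitively, allowing any run of
    # whitespace between its words. No trailing \b on purpose: for a leak
    # filter, over-matching ("grants", "granted") is the safe direction,
    # which is exactly the regression the bug report accepts.
    words = [re.escape(w) for w in term.split()]
    return re.compile(r"\b" + r"\s+".join(words), re.IGNORECASE)


_PATTERNS = [(t, _compile(t)) for t in PROTECTED_TERMS]


def scrub_log(text, patterns=_PATTERNS):
    """Return `text` with every line containing a protected term replaced by
    the placeholder naming the first term that matched. Line count and the
    trailing newline are preserved so the log stays diffable."""
    out = []
    for line in text.split("\n"):
        for term, pat in patterns:
            if pat.search(line):
                out.append(PLACEHOLDER.format(term=term))
                break
        else:
            out.append(line)
    return "\n".join(out)


def contains_secret(text, secret):
    """The manual check from the test case ("search for '123'"), automated:
    True if the secret still appears anywhere in `text`."""
    return secret in text


# Constructed sample of an error log. The wording of the failed-GRANT line is
# illustrative; it is not copied from a real mysqld log.
SAMPLE_LOG = (
    "2016-04-25T10:00:00.000000Z 0 [Note] mysqld: ready for connections.\n"
    "2016-04-25T10:00:05.000000Z 3 [ERROR] Statement failed, password policy: "
    "GRANT ALL ON *.* TO 'user'@'localhost' IDENTIFIED BY '123'\n"
    "2016-04-25T10:00:06.000000Z 3 [Note] Access denied for user 'user'@'localhost'\n"
)

if __name__ == "__main__":
    scrubbed = scrub_log(SAMPLE_LOG)
    print(scrubbed)
    print("secret leaked:", contains_secret(scrubbed, "123"))
```

Running it prints the three-line log with the GRANT line replaced by the placeholder and `secret leaked: False`. The design choice worth noting is the asymmetric matching: the filter is tuned to never let a password through at the cost of occasionally dropping a harmless line such as one mentioning "granted", which is the trade-off the [Regression Potential] section spells out.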
