[Opendnssec-user] mysql compile-time vs. runtime

Leo Baltus Leo.Baltus at omroep.nl
Mon Mar 17 16:24:45 UTC 2014


Hi,

I just found out that compiling opendnssec with '--with-mysql=$mysql'
does not always result in linking to these libraries but is also used
for finding the runtime mysql-command.

This is rather unexpected.

As a result 'ods-ksmutil setup' now fails at runtime:

sh: /compile/mysql-dynamic-5.1.71-bddb9e96/bin/mysql: No such file or directory
Could not call db setup command:
	/compile/mysql-dynamic-5.1.71-bddb9e96/bin/mysql -u 'sign01' -h sign1adb -P 3306 -p'pwdremoved' sign01db < /software/opendnssec-sign2a-1.4.3-02a2b826/share/opendnssec/database_create.mysql

It obviously tried to run said command, now it reveals my mysql-password,
which is bad, but if this had succeeded I would never have been aware of
the fact that it revealed the password in the process list.

I think that this is a security risk, the mysql library/api should have
been linked in rather than a separate fork to the mysql binary.

-- 
Leo Baltus, internetbeheerder
NPO ICT Internet Services
Bart de Graaffweg 2, 1217 ZL Hilversum
servicedesk at omroep.nl, 035-6773555
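
One way to keep the password out of the process list when a separate mysql client still has to be run, as an added example that is not part of the original message and not OpenDNSSEC's code: the credentials go into a 0600 option file and only its path appears in argv. The function names, the /tmp template and the sample values are assumptions.

```c
/* Added example: hypothetical helpers, not taken from OpenDNSSEC. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Write user and password to a new option file. tmpl must end in "XXXXXX"
 * and receives the real file name. Returns 0 on success, -1 on error. */
int write_client_cnf(char *tmpl, const char *user, const char *password)
{
    int fd = mkstemp(tmpl);                 /* POSIX: created with mode 0600 */
    FILE *fp = fd < 0 ? NULL : fdopen(fd, "w");
    if (!fp) { if (fd >= 0) { close(fd); unlink(tmpl); } return -1; }
    fprintf(fp, "[client]\nuser=%s\npassword=\"", user);
    for (const char *p = password; *p; p++) {   /* escape " and \ in value */
        if (*p == '"' || *p == '\\') fputc('\\', fp);
        fputc(*p, fp);
    }
    fputs("\"\n", fp);
    return fclose(fp) == 0 ? 0 : -1;
}

/* Run the client with the schema file on stdin and no shell in between.
 * argv holds the option file path, never the password. Returns exit status. */
int run_db_setup(const char *mysql_bin, const char *cnf, const char *host,
                 const char *port, const char *db, const char *schema)
{
    char opt[512];
    /* --defaults-extra-file has to be the first option on the command line */
    int n = snprintf(opt, sizeof opt, "--defaults-extra-file=%s", cnf);
    if (n < 0 || n >= (int)sizeof opt) return -1;
    char *argv[] = { (char *)mysql_bin, opt, "-h", (char *)host,
                     "-P", (char *)port, (char *)db, NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        int in = open(schema, O_RDONLY);
        if (in < 0 || dup2(in, STDIN_FILENO) < 0) _exit(126);
        execv(mysql_bin, argv);
        _exit(127);                         /* exec failed, e.g. wrong path */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The caller should unlink() the option file as soon as the client has exited.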


