[Opendnssec-user] mysql compile-time vs. runtime
Petr Spacek
pspacek at redhat.com
Tue Mar 18 13:35:30 UTC 2014
On 17.3.2014 17:24, Leo Baltus wrote:
> Hi,
>
> I just found out that compiling opendnssec with '--with-mysql=$mysql'
> does not always result in linking to these libraries but is also used
> for finding the runtime mysql command.
>
> This is rather unexpected.
>
> As a result 'ods-ksmutil setup' now fails at runtime:
>
> sh: /compile/mysql-dynamic-5.1.71-bddb9e96/bin/mysql: No such file or directory
> Could not call db setup command:
> /compile/mysql-dynamic-5.1.71-bddb9e96/bin/mysql -u 'sign01' -h sign1adb -P 3306 -p'pwdremoved' sign01db < /software/opendnssec-sign2a-1.4.3-02a2b826/share/opendnssec/database_create.mysql
>
> It obviously tried to run said command, now it reveals my mysql
> password, which is bad, but if this had succeeded I was never aware of
> the fact that it revealed the password in the process list.
>
> I think that this is a security risk, the mysql library/api should have
> been linked in rather than a separate fork to the mysql binary.
IMHO from a security point of view it is perfectly fine to call an external binary
as long as the password is not in the parameter list. Typically the password is
passed via stdin or a dedicated password file (accessible only by the user
running the command in question).
--
Petr Spacek @ Red Hat
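As an added example (not from this thread or from OpenDNSSEC), a POSIX sh sketch of the pattern Petr describes: credentials kept in a user-only option file handed to the mysql client with its standard --defaults-extra-file option, plus a check that the assembled argv contains nothing a process-list viewer could read. The user, host, database and the 'pwdremoved' placeholder are constructed values.

```shell
#!/bin/sh
# Added example, not OpenDNSSEC code: invoke the mysql client so that the
# password never appears in argv (where ps(1) would show it) but is read
# from a private option file via --defaults-extra-file, a standard mysql
# client option. The names and the 'pwdremoved' placeholder are constructed.

# Write a [client] option file holding the credentials, readable only by
# the invoking user. Args: path user host port password
write_mysql_opts() {
    # subshell so the restrictive umask does not leak into the caller
    ( umask 077
      printf '[client]\nuser=%s\nhost=%s\nport=%s\npassword="%s"\n' \
          "$2" "$3" "$4" "$5" > "$1" )
}

# Print the argv for the setup command, one word per line. The only
# credential-related item is the path of the option file, not a secret;
# the SQL script is then fed on stdin (mysql ... "$db" < script.sql).
# Args: option-file database
build_setup_cmd() {
    printf '%s\n' mysql "--defaults-extra-file=$1" "$2"
}

# Check whether a secret occurs in an argument list (what a process-list
# viewer would see). Returns 0 if it leaks, 1 if it does not.
# Args: secret word...
argv_leaks_secret() {
    secret=$1; shift
    for word in "$@"; do
        case $word in *"$secret"*) return 0 ;; esac
    done
    return 1
}

# Demonstration when run as "sh this.sh demo": the thread's -p'pwd' pattern
# leaks, the option-file pattern does not.
if [ "${1:-}" = demo ]; then
    dir=$(mktemp -d); opts=$dir/client.cnf
    write_mysql_opts "$opts" sign01 sign1adb 3306 pwdremoved
    if argv_leaks_secret pwdremoved mysql -u sign01 -h sign1adb -p'pwdremoved' sign01db; then
        echo "command-line password: visible in the process list"
    fi
    if ! argv_leaks_secret pwdremoved $(build_setup_cmd "$opts" sign01db); then
        echo "option file $opts (mode 0600): nothing secret in argv"
    fi
    rm -rf "$dir"
fi
```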