[Opendnssec-user] mysql compile-time vs. runtime

Merijn van den Kroonenberg merijn at web2all.nl
Tue Mar 18 13:47:07 UTC 2014


> On 17.3.2014 17:24, Leo Baltus wrote:
>> Hi,
>>
>> I just found out that compiling opendnssec with '--with-mysql=$mysql'
>> does not always result in linking to these libraries but is also used
>> for finding the runtime mysql command.
>>
>> This is rather unexpected.
>>
>> As a result 'ods-ksmutil setup' now fails at runtime:
>>
>> sh: /compile/mysql-dynamic-5.1.71-bddb9e96/bin/mysql: No such file or
>> directory
>> Could not call db setup command:
>> 	/compile/mysql-dynamic-5.1.71-bddb9e96/bin/mysql -u 'sign01' -h
>> sign1adb -P 3306 -p'pwdremoved' sign01db <
>> /software/opendnssec-sign2a-1.4.3-02a2b826/share/opendnssec/database_create.mysql
>>
>> It obviously tried to run said command, now it reveals my mysql-
>> password, which is bad, but if this had succeeded I was never aware of
>> the fact that it revealed the password in the process list.
>>
>> I think that this is a security risk; the mysql library/API should have
>> been linked in rather than a separate fork to the mysql binary.
>
> IMHO from a security point of view it is perfectly fine to call an
> external binary as long as the password is not in the parameter list.
> Typically the password is passed via stdin or a dedicated password file
> (accessible only by the user running the command in question).

Actually I think mysql does not expose the -p<password> to the process
list. At least it's like that on our systems. (did you check?)

> --
> Petr Spacek  @  Red Hat
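The pattern Petr describes (keep the secret out of argv, hand it to the client through a file only the invoking user can read) as an added example; this is not code from the thread or from OpenDNSSEC. It builds the same kind of mysql invocation 'ods-ksmutil setup' runs, but passes the password through a mode 0600 option file via the mysql client's --defaults-extra-file option instead of -p'password'. The binary path, user, host and password are constructed placeholder values.

```python
"""Invoke the mysql CLI without exposing the password on the command line.

Added example, not part of the OpenDNSSEC project. It assumes the mysql
client binary honours --defaults-extra-file (it must be the first option
on the command line) and reads the [client] group from that file.
"""
import os
import stat
import subprocess
import tempfile


def write_client_option_file(directory, password):
    """Write a [client] option file readable only by the current user.

    mkstemp creates the file with mode 0600; fchmod makes that explicit.
    Backslashes and double quotes are escaped as MySQL option files expect.
    """
    fd, path = tempfile.mkstemp(prefix="odsmysql-", suffix=".cnf", dir=directory)
    os.fchmod(fd, stat.S_IRUSR | stat.S_IWUSR)
    escaped = password.replace("\\", "\\\\").replace('"', '\\"')
    with os.fdopen(fd, "w") as fh:
        fh.write("[client]\n")
        fh.write('password="%s"\n' % escaped)
    return path


def build_mysql_argv(mysql_bin, option_file, user, host, port, database):
    """argv for the mysql client; the password never appears in it."""
    return [
        mysql_bin,
        "--defaults-extra-file=%s" % option_file,  # must stay first
        "-u", user,
        "-h", host,
        "-P", str(port),
        database,
    ]


def password_leaks_into_argv(argv, password):
    """True if the secret would be visible to anyone listing processes."""
    return any(password in arg for arg in argv)


def option_file_mode(path):
    """Permission bits of the option file, for a quick 0600 check."""
    return stat.S_IMODE(os.stat(path).st_mode)


def read_option_file(path):
    with open(path) as fh:
        return fh.read()


def run_schema(argv, sql_path):
    """Feed the SQL file on stdin, like 'mysql ... < database_create.mysql'."""
    with open(sql_path, "rb") as sql:
        return subprocess.run(argv, stdin=sql, check=False).returncode


def demo():
    """Build a safe invocation with constructed values and return (path, argv)."""
    directory = tempfile.mkdtemp(prefix="odsdemo-")
    path = write_client_option_file(directory, "pwdremoved")  # constructed
    argv = build_mysql_argv("/usr/bin/mysql", path, "sign01",
                            "sign1adb", 3306, "sign01db")  # constructed
    return path, argv


if __name__ == "__main__":
    cnf, safe_argv = demo()
    risky_argv = safe_argv[:1] + ["-p" + "pwdremoved"] + safe_argv[2:]
    print("option file mode: %o" % option_file_mode(cnf))
    print("safe argv leaks password:", password_leaks_into_argv(safe_argv, "pwdremoved"))
    print("-p argv leaks password:  ", password_leaks_into_argv(risky_argv, "pwdremoved"))
    # run_schema(safe_argv, "database_create.mysql") would execute it for real.
    os.unlink(cnf)
```

The option file should be removed (and its directory kept private) as soon as the client has exited; the key property is that the password is never part of the process arguments, so it cannot be read from the process list regardless of whether a particular client masks its own argv.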