[Opendnssec-user] mysql compile-time vs. runtime

Leo Baltus Leo.Baltus at omroep.nl
Tue Mar 18 14:02:53 UTC 2014


On 18/03/2014 at 14:47:07 +0100, Merijn van den Kroonenberg wrote:
> > On 17.3.2014 17:24, Leo Baltus wrote:
> >> Hi,
> >>
> >> I just found out that compiling opendnssec with '--with-mysql=$mysql'
> >> does not always result in linking to these libraries but is also used
> >> for finding the runtime mysql command.
> >>
> >> This is rather unexpected.
> >>
> >> As a result 'ods-ksmutil setup' now fails at runtime:
> >>
> >> sh: /compile/mysql-dynamic-5.1.71-bddb9e96/bin/mysql: No such file or
> >> directory
> >> Could not call db setup command:
> >> 	/compile/mysql-dynamic-5.1.71-bddb9e96/bin/mysql -u 'sign01' -h
> >> sign1adb -P 3306 -p'pwdremoved' sign01db <
> >> /software/opendnssec-sign2a-1.4.3-02a2b826/share/opendnssec/database_create.mysql
> >>
> >> It obviously tried to run said command, now it reveals my mysql-
> >> password, which is bad, but if this had succeeded I was never aware of
> >> the fact that it revealed the password in the process list.
> >>
> >> I think that this is a security risk; the mysql library/api should have
> >> been linked in rather than a separate fork to the mysql binary.
> >
> > IMHO from a security point of view it is perfectly fine to call an
> > external binary as long as the password is not in the parameter list.
> > Typically the password is passed via stdin or a dedicated password file
> > (accessible only by the user running the command in question).
> 
> Actually I think mysql does not expose the -p<password> to the process
> list. At least it's like that on our systems. (did you check?)
> 

You are right,

leo      29636 27850  0 14:57 pts/2    00:00:00 mysql -u sign01 -h sign1adb -P 3306 -px xxxxxx sign01db

It's obfuscated by mysql.

-- 
Leo Baltus, internetbeheerder
NPO ICT Internet Services
Bart de Graaffweg 2, 1217 ZL Hilversum
servicedesk at omroep.nl, 035-6773555
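As an added example (not code from this thread or from OpenDNSSEC), a small Python script that does two things the thread touches on: it scans ps output for a MySQL password left in clear on argv (treating the client's own "x" padding as masked), and it builds the db-setup invocation the way the reply recommends, with the credentials in a 0600 option file rather than in -p<password>. The ps lines and credentials below are constructed.

```python
import os
import stat
import tempfile

# Constructed sample of `ps -ef` output (not from the list post): a bare
# -p<password> on argv, mysql's own in-place masking, and an option-file run.
SAMPLE_PS = """\
leo 29636 27850 0 14:57 pts/2 00:00:00 mysql -u sign01 -h sign1adb -P 3306 -pS3cret sign01db
leo 29637 27850 0 14:57 pts/2 00:00:00 mysql -u sign01 -h sign1adb -P 3306 -px xxxxxx sign01db
leo 29638 27850 0 14:57 pts/2 00:00:00 mysql --defaults-extra-file=/tmp/ods-db-abc.cnf sign01db
"""

def leaked_password_tokens(ps_line: str) -> list:
    """Return argv tokens on one ps line that still carry a MySQL password.
    A -p<value> token leaks unless the value is only 'x' padding (how the
    mysql client masks it in place); --password=<value> always leaks."""
    leaks = []
    for tok in ps_line.split():
        if tok.startswith("--password=") and len(tok) > len("--password="):
            leaks.append(tok)
        elif tok.startswith("-p") and not tok.startswith("--") and len(tok) > 2:
            if set(tok[2:]) != {"x"}:
                leaks.append(tok)
    return leaks

def scan_ps(ps_output: str) -> list:
    """Lines of ps output on which a clear-text MySQL password is visible."""
    return [line for line in ps_output.splitlines() if leaked_password_tokens(line)]

def build_mysql_setup_command(user, host, port, password, db, sql_file, cnf_dir=None):
    """Write a private (0600) option file holding the credentials and return
    (argv, cnf_path, stdin_path): argv never carries the password, and the SQL
    file is fed on stdin just as `mysql ... < database_create.mysql` does.
    --defaults-extra-file must be the first option or mysql rejects it."""
    fd, cnf_path = tempfile.mkstemp(prefix="ods-db-", suffix=".cnf", dir=cnf_dir)
    with os.fdopen(fd, "w") as f:  # mkstemp creates the file with mode 0600
        f.write(f"[client]\nuser={user}\nhost={host}\nport={port}\npassword={password}\n")
    argv = ["mysql", f"--defaults-extra-file={cnf_path}", db]
    return argv, cnf_path, sql_file

def option_file_is_private(path: str) -> bool:
    """True when only the owner can read or write the option file."""
    return stat.S_IMODE(os.stat(path).st_mode) == 0o600
```

Remove the option file once the setup command has finished, or keep it only under a directory with the same 0600-style restrictions.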
