diff options
| author | Georg Sauthoff <mail@georg.so> | 2019-07-22 20:36:50 +0200 |
|---|---|---|
| committer | Anel Husakovic <anel@mariadb.org> | 2019-12-17 09:52:18 +0100 |
| commit | ffd541b1a3a42d48d0007cceb04858d74a44ab5f (patch) | |
| tree | 4f98b49b5de62e77d778c3f86ee0ff9f3805af82 | |
| parent | c24253d0fa3161b0703630b0fbdcb98d235073a5 (diff) | |
| download | mariadb-git-bb-10.5-anel-MYSQL_PWD-MDEV-20125.tar.gz | |
Redact MYSQL_PWD environment variable under Linuxbb-10.5-anel-MYSQL_PWD-MDEV-20125
Under Linux, when using the `mysql` client binary, passing the
password via the MYSQL_PWD environment variable is more secure
than passing it on the command line with the --password option,
because:
- the argument vector is world-readable via /proc/$pid/cmdline
- although the cmdline password is overwritten by the `mysql`
process (with a bunch of `x` characters),
there is still a time window after process start and overwrite
where the password can be observed by any user
- in contrast to that, the environment vector is only readable by
the `mysql` invoking user and root
But having the password in cleartext easily accesible via
/proc/$pid/environ (or via an equivalent ps command) - even for a
restricted set of users - for the complete `mysql` client
runtime is suboptimal on sensitive systems.
As a defense-in-depth measure, this change redacts the MYSQL_PWD
environment variable under Linux. Thus, this increases the effort
for an attacker to read out the password (in contrast to just
being able to read out /proc/$pid/environ).
Note that this approach might also be effective on other systems,
but I've just tested it on Linux.
This change complements how the `mysql` client deals with
passwords supplied on the command line (cf. the --password option).
| -rw-r--r-- | client/mysql.cc | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/client/mysql.cc b/client/mysql.cc index 4b9abd17268..5f818c9c305 100644 --- a/client/mysql.cc +++ b/client/mysql.cc @@ -1116,6 +1116,26 @@ inline int get_command_index(char cmd_char) return -1; } +static void redact_mysql_pwd(void) +{ +#ifndef DONT_USE_MYSQL_PWD + /* defense-in-depth: overwrite password in original environment vector */ + char *passwd= getenv("MYSQL_PWD"); + if (passwd) + { + /* setenv copies passwd, result not visible in /proc/$pid/environ */ + if (setenv("MYSQL_PWD", passwd, 1) == -1) + { + put_info("setenv() failed", INFO_ERROR, 0); + my_end(0); + exit(1); + } + /* overwrite password in /proc/$pid/environ */ + memset(passwd, 'x', strlen(passwd)); + } +#endif +} + static int delimiter_index= -1; static int charset_index= -1; static bool real_binary_mode= FALSE; @@ -1128,6 +1148,8 @@ int main(int argc,char *argv[]) MY_INIT(argv[0]); DBUG_ENTER("main"); DBUG_PROCESS(argv[0]); + + redact_mysql_pwd(); charset_index= get_command_index('C'); delimiter_index= get_command_index('d'); |