authorGeorg Sauthoff <mail@georg.so>2019-07-22 20:36:50 +0200
committerAnel Husakovic <anel@mariadb.org>2019-12-17 09:52:18 +0100
commitffd541b1a3a42d48d0007cceb04858d74a44ab5f (patch)
tree4f98b49b5de62e77d778c3f86ee0ff9f3805af82
parentc24253d0fa3161b0703630b0fbdcb98d235073a5 (diff)
downloadmariadb-git-bb-10.5-anel-MYSQL_PWD-MDEV-20125.tar.gz
Redact MYSQL_PWD environment variable under Linuxbb-10.5-anel-MYSQL_PWD-MDEV-20125
Under Linux, when using the `mysql` client binary, passing the password via the MYSQL_PWD environment variable is more secure than passing it on the command line with the --password option, because: - the argument vector is world-readable via /proc/$pid/cmdline - although the cmdline password is overwritten by the `mysql` process (with a bunch of `x` characters), there is still a time window between process start and overwrite where the password can be observed by any user - in contrast to that, the environment vector is only readable by the `mysql` invoking user and root But having the password in cleartext easily accessible via /proc/$pid/environ (or via an equivalent ps command) - even for a restricted set of users - for the complete `mysql` client runtime is suboptimal on sensitive systems. As a defense-in-depth measure, this change redacts the MYSQL_PWD environment variable under Linux. Thus, this increases the effort for an attacker to read out the password (in contrast to just being able to read out /proc/$pid/environ). Note that this approach might also be effective on other systems, but I've just tested it on Linux. This change complements how the `mysql` client deals with passwords supplied on the command line (cf. the --password option).
-rw-r--r--client/mysql.cc22
1 files changed, 22 insertions, 0 deletions
diff --git a/client/mysql.cc b/client/mysql.cc
index 4b9abd17268..5f818c9c305 100644
--- a/client/mysql.cc
+++ b/client/mysql.cc
@@ -1116,6 +1116,26 @@ inline int get_command_index(char cmd_char)
return -1;
}
+static void redact_mysql_pwd(void)
+{
+#ifndef DONT_USE_MYSQL_PWD
+ /* defense-in-depth: overwrite password in original environment vector */
+ char *passwd= getenv("MYSQL_PWD");
+ if (passwd)
+ {
+ /* setenv copies passwd, result not visible in /proc/$pid/environ */
+ if (setenv("MYSQL_PWD", passwd, 1) == -1)
+ {
+ put_info("setenv() failed", INFO_ERROR, 0);
+ my_end(0);
+ exit(1);
+ }
+ /* overwrite password in /proc/$pid/environ */
+ memset(passwd, 'x', strlen(passwd));
+ }
+#endif
+}
+
static int delimiter_index= -1;
static int charset_index= -1;
static bool real_binary_mode= FALSE;
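Review bot: `redact_mysql_pwd()` scrubs only the original environment block: `setenv("MYSQL_PWD", passwd, 1)` deliberately keeps the cleartext value in `environ`, so any child process the client starts afterwards would inherit it in its own initial environment vector, where it shows up in that child's /proc entry (whether and where the client spawns children is outside this hunk). The `memset(passwd, 'x', strlen(passwd))` also writes exactly as many bytes as the password has, so its length stays observable. I would state both limits in the function comment, e.g. `/* redacts this process's initial environ block only: the setenv() copy stays in environ (inherited by children), and the password length stays visible */`. Separately, the guard is only `#ifndef DONT_USE_MYSQL_PWD` while the commit message says the approach was tested on Linux alone; if this file is also built where `setenv()` is unavailable, `#if !defined(DONT_USE_MYSQL_PWD) && defined(__linux__)` would keep the change scoped to what was tested.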
@@ -1128,6 +1148,8 @@ int main(int argc,char *argv[])
MY_INIT(argv[0]);
DBUG_ENTER("main");
DBUG_PROCESS(argv[0]);
+
+ redact_mysql_pwd();
charset_index= get_command_index('C');
delimiter_index= get_command_index('d');