Basic MySQL Security: Providing passwords on the command line

Site Navigation

About me
My pictures on flickr
mylvmbackup
Linux packages
Writings

Quicksearch

Syndicate This Blog

My del.icio.us bookmarks

Tuesday, June 2. 2009

Basic MySQL Security: Providing passwords on the command line

Reading through the comments in Ronald's second post about More Basic MySQL Security, I noticed that there seems to be a misunderstanding about the implications of providing passwords to the mysql command line client via the "-p" option:

Jaka Jančar wrote:

What’s more insecure is passing password as an argument to MySQL, like you’ve written (-p[password]), since that can really be seen by anyone.

Shlomi Noach wrote:

While Linux security is often considered good, an astonishing weakness is “ps aux”, where every user can see every process running. Therefore, even user “games” can see that user root is running “mysql -pmypassword”. I find this a much higher risk than putting the MySQL’s root password in file, where a user need to gain access to machine’s “root”

Well, this isn't actually the case! Try it for yourself and start the MySQL command line client by providing a users's password via the "-p" option:

$ mysql -u root -p<somepassword>
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 5
Server version: 5.1.34 SUSE MySQL RPM

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

root@localhost:(none) >

Now, open a second shell and check the process list:

$ ps aux | grep "mysql -u"
lenz     19357  0.0  0.0   7868  2884 pts/4    S+   12:30   0:00 mysql -u root -px xxxxx

As you can see, the password has been obfuscated by replacing the password with "x" characters. This action is performed by the mysql client after parsing the -p option — let's take a look at the sources:

  case 'p':
    if (argument == disabled_my_option)
      argument= (char*) "";     // Don't require password
    if (argument)
    {
      char *start= argument;
      my_free(opt_password, MYF(MY_ALLOW_ZERO_PTR));
      opt_password= my_strdup(argument, MYF(MY_FAE));
      while (*argument) *argument++= 'x';   // Destroy argument
      if (*start)
  start[1]=0 ;
      tty_password= 0;
    }

In theory, there is a very short window in which the password can be seen in plaintext (after the mysql process has started up until it has performed the obfuscation), but capturing this information takes really good timing.

But it's of course true that this information also gets stored in the user's shell history file, e.g. ~/.bash_history, where it potentially could be seen by other users, if the file permissions are not set up correctly. So always make sure that you entire home directory (or at least the history file) are protected against being read by other users (using chmod/chown appropriately)!

| More...

Posted by Lenz Grimmer in Linux, MySQL at 12:20 | Comments (7) | Trackback (1)

Tags: linux, mysql, security

Trackbacks

Trackback specific URI for this entry

More on MySQL password security
My last post about Basic MySQL Security generated a number of interesting comments, thanks for all your feedback! I'd like to address a few points that were mentioned there: While the problem seems to be a non-issue on Linux, Keith Murphy stated that the

Weblog: Lenz Grimmer's blog
Tracked: Jun 03, 22:45

PingBack

Weblog: www.pythian.com
Tracked: Jun 05, 18:49

PingBack

Weblog: www.pythian.com
Tracked: Jun 05, 22:32

PingBack

Weblog: code.openark.org
Tracked: Jun 08, 09:28

Comments

Display comments as (Linear | Threaded)

In fact this is not a serious security risk: <strong> Your production servers won't have unprivileged shell users on them </strong> Your mysql passwords probably need to be stored in other places anyway * Your mysql passwords are probably known by staff who have left; but your firewalls will stop them from connecting externally anyway.

#1 Mark R (Homepage) on 2009-06-02 15:30 (Reply)

It was true in the past at least with Sys V Unix systems: http://bugs.mysql.com/bug.php?id=11952 I can't verify if it is still true as I don't have access to a Sun box right now and I don't have time to set up a VM. It seems to be an issue with the ps command itself and has nothing to do with MySQL.

#2 Keith Murphy (Homepage) on 2009-06-02 15:53 (Reply)

It's incredible for how long this misconception persists. The bug about the command line password visibility in <strong>ps</strong> was fixed in 2002! And yet, 7 years and and 4 major versions later, the myth of password visibility still lives. Giuseppe

#3 Giuseppe Maxia (Homepage) on 2009-06-02 16:47 (Reply)

I just tested it on my Solaris 10 system and it is still a problem. It has not been fixed for Solaris.

#3.1 Steve Holmes on 2009-07-14 16:44 (Reply)

Just be careful about other tools that do not mask the password, mtop for example

#4 krteQ on 2009-06-02 16:52 (Reply)

I stand corrected in shame and surprise! I'm absolutely certain I've seen this in action recently, but apparently I can't reproduce.

#5 Shlomi Noach (Homepage) on 2009-06-03 06:56 (Reply)

While it is true that MySQL client masks the supplied password, it is still a major security risk, IMHO. Just do this: cat /home/user/.bash_history | grep "mysql" And you'll see the password in plain text...

#6 Jay Pipes (Homepage) on 2009-06-03 19:26 (Reply)

Add Comment

Name
Email
Homepage
In reply to
Comment	Enclosing asterisks marks text as bold (word), underscore are made via _word_. HTML-Tags will be converted to Entities. Standard emoticons like :-) and ;-) are converted to images. E-Mail addresses will not be displayed and will only be used for E-Mail notifications To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly. Enter the string from the spam-prevention image above:
	Remember Information? Subscribe to this entry