a classic:

 1195 ?        S      0:00 sh -c mysqldump -hlocalhost -utestcom -p7ptqL9xqL7 -rsites/test.com/database.sql testcom 2>&1
 1200 ?        S      0:00 mysqldump -hlocalhost -utestcom -px xxxxxxxx -rsites/test.com/database.sql testcom

while mysqldump is successful at hiding its password (and even that is breakable since it's available for a short time when starting up, time which extends under load), the calling shell never hides the password, which remains visible during the whole dump.

this obviously needs some fix before release... I think we'll have to play with pipes here...

Comments

anarcat’s picture

Assigned: Unassigned » anarcat
Status: Active » Needs work

http://dev.mysql.com/doc/refman/5.1/en/password-security-user.html

I find this solution to be the most secure while being moderately simple to implement:

{ printf '[client]\npassword=%s\n' xxxx |
3<&0 <&4 4<&- mysql --defaults-file=/dev/fd/3 -u myuser
} 4<&0

... of course, the 'printf' here would be done within the calling php process so it wouldn't show up in the process list.

Anonymous’s picture

The mysql password is leaked in the mysqldump command in the task output of a Backup task in the frontend too (sorry if pointing out the obvious).

anarcat’s picture

I only found two such locations in the code:

./db_server/backup.provision.inc:  $result = provision_shell_exec("mysqldump -h%s -u%s -p%s -rsites/%s/database.sql %s", drush_get_option('db_host'), 
./db_server/provision_mysql.drush.inc:      if (!provision_shell_exec("mysql -u%s -p%s -h%s %s < %s", $db_user, $db_passwd, $db_host, $db_name, $dump_file )) {

Will fix with proc_open.
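The approach discussed above (credentials passed on file descriptor 3 through proc_open rather than in argv), sketched as an added example; this is not the provision module's code or the committed patch. The function name is hypothetical, and the code assumes a system with /dev/fd (e.g. Linux) and a mysqldump that accepts --defaults-file as its first option.

```php
<?php
// Added example: hypothetical helper, not taken from provision.

/**
 * Run mysqldump without the password ever appearing in a process listing.
 * Credentials are written to a pipe that the child sees as fd 3 and reads
 * through --defaults-file=/dev/fd/3.
 */
function example_mysqldump_no_argv_password($host, $user, $password, $database, $outfile) {
  // --defaults-file has to come before any other option.
  // 2>&1 folds stderr into stdout so only one pipe needs draining.
  $cmd = sprintf('mysqldump --defaults-file=/dev/fd/3 -r%s %s 2>&1',
    escapeshellarg($outfile), escapeshellarg($database));

  $descriptors = array(
    0 => array('file', '/dev/null', 'r'),
    1 => array('pipe', 'w'),
    3 => array('pipe', 'r'),  // child end is readable: the option "file"
  );
  $process = proc_open($cmd, $descriptors, $pipes);
  if (!is_resource($process)) {
    return array(FALSE, 'could not start mysqldump');
  }

  // Option-file syntax: quote the value and escape backslash and double
  // quote, otherwise a '#' in the password would start a comment.
  $quoted = addcslashes($password, "\\\"");
  fwrite($pipes[3], sprintf("[client]\nhost=%s\nuser=%s\npassword=\"%s\"\n",
    $host, $user, $quoted));
  fclose($pipes[3]);  // EOF, so the client stops reading options

  $output = stream_get_contents($pipes[1]);
  fclose($pipes[1]);
  $status = proc_close($process);

  return array($status === 0, $output);
}

// Constructed sample call (values are placeholders):
// list($ok, $log) = example_mysqldump_no_argv_password(
//   'localhost', 'testcom', 'example-password', 'testcom', 'sites/test.com/database.sql');
```

With this form, both the `sh -c` wrapper and the mysqldump process show only `--defaults-file=/dev/fd/3` in `ps`, and captured task output contains the command's messages but not the command line itself.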

anarcat’s picture

This patch is partial (only backups) and needs testing (works here): http://git.koumbit.net/?p=drupal/modules/provision/.git;a=commitdiff_pla...

Anonymous’s picture

Applied this first part patch and the second part and backup/restore all working per IRC discussion, no passwords leaked

anarcat’s picture

Status: Needs work » Fixed

So I committed the fixes that were sitting in git after thorough testing by me and mig5.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

  • Commit d667e58 on debian, dev-dns, dev-envobject, dev-koumbit, dev-log_directory, dev-migrate_aliases, dev-multiserver-install, dev-newhooks, dev-nginx, dev-platform_management, dev-ports, dev-purgebackup, dev-restore, dev-services, dev-simplerinstaller, dev-site_rename, dev-ssl, dev_716166_apache_conf, dev_dns, dev_server_verify, prod-koumbit, ssl, dev-ssl-ip-allocation-refactor, dev-1205458-move_sites_out_of_platforms, 7.x-3.x, dev-subdir-multiserver, 6.x-2.x-backports, dev-helmo-3.x authored by anarcat:
    #559404 do not display mysql credentials on the commandline