Bug #11952 Client shows passwords passed on command line
Submitted: 14 Jul 2005 21:29 Modified: 3 Aug 2005 21:14
Reporter: Vito Munoz Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: Command-line Clients Severity:S3 (Non-critical)
Version:4.1.12 OS:Solaris (Solaris 9)
Assigned to: Bugs System CPU Architecture:Any

[14 Jul 2005 21:29] Vito Munoz
Description:
When starting the mysql client with user name and password, a listing of the process table shows the password in clear text.

I feel this is a Client problem not a Server, but there is not a MySQL client category listed.

How to repeat:
start client with

mysql -u root -pmysecretpassword

in another window on same system get a process list
ps -ef | grep mysql

mysql01@usplsbt083>/u01/app/mysql01> ps -ef | grep mysql
 mysql01 12859 12690  0 16:00:38 pts/2    0:00 mysql -u root -pmysecretpassword
 mysql01 12812     1  0 15:59:20 pts/2    0:00 /bin/sh /u01/app/mysql01/mysql/bin/mysqld_safe --datadir=/u01/app/mysql01/mysql
 mysql01 12690 12688  0 15:50:42 pts/2    0:00 -ksh
 mysql01 12829 12812  0 15:59:20 pts/2    0:00 /u01/app/mysql01/mysql-standard-4.1.12-sun-solaris2.9-sparc-64bit/bin/mysqld --
 mysql01 11258 11255  0 13:54:49 pts/1    0:00 -ksh
 mysql01 12868 11258  0 16:01:42 pts/1    0:00 ps -ef

Suggested fix:
On previous versions of mysql 4.0.24 Linux, this does not happen.
it shows up in the process table as 

mysql -u root -px xxxxx

I suggest that code is moved into this branch.
[14 Jul 2005 22:06] MySQL Verification Team
I was unable to repeat this issue on Slackware 10.1:

mysql> grant all on *.* to 'notsecret'@'localhost' identified by 'nosecret';
Query OK, 0 rows affected (0.08 sec)

mysql> exit
Bye

miguel@hegel:~/dbs/4.1$ bin/mysql -unotsecret -pnosecret
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 4 to server version: 4.1.13-debug-log

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> 

miguel@hegel:~$ ps -ef | grep mysql
<cut>
miguel    1993  1984  0 13:46 pts/2    00:00:00 libexec/mysqld
miguel   17702  1764  0 18:57 pts/3    00:00:00 bin/mysql -unotsecret -px xxxxxx
miguel   17703  1984  0 18:57 pts/2    00:00:00 libexec/mysqld
miguel   17722 17708  0 18:58 pts/5    00:00:00 grep mysql
[14 Jul 2005 22:25] Timothy Smith
Here is the verification:

mysqldev@sunfire100b:~/tsmith/mysql-classic-4.1.13-sun-solaris2.9-sparc> ./bin/mysql -pabcde test -Sdata/mysql.sock
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3 to server version: 4.1.13-classic

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> 
[3]+  Stopped                 ./bin/mysql -pabcde test -Sdata/mysql.sock
mysqldev@sunfire100b:~/tsmith/mysql-classic-4.1.13-sun-solaris2.9-sparc> ps -ef|grep sock
mysqldev 11903 11817  0 00:23:33 pts/1    0:00 ./bin/mysql -pabcde test -Sdata/mysql.sock
mysqldev@sunfire100b:~/tsmith/mysql-classic-4.1.13-sun-solaris2.9-sparc>
[14 Jul 2005 22:39] Jim Winstead
This likely depends on which version of 'ps' you run -- the BSDish flavor in /usr/ucb/ps will probably not show the password (it will be x'd out), but the SysVish flavor in /usr/bin will.

Some systems provide a setproctitle() to reset the process title, but a quick glance at Solaris man pages suggests that it is not one of them.
[25 Jul 2005 23:30] Patrick Galbraith
I have debugged the client and seen how it sets the password to all 'x's:

line 849, client.cc: while (*argument) *argument++= 'x';               // Destroy argumen

*argument is a pointer to argv, so all that's beeing done is to write 'x's for each character of the password. For BSD, this 'x's out the value for ps, but on SysV, it doesn't seem to change what ps has access to. A simple program:

int main(int argc,char **argv)
{
  char *ptr;
  int argc_bak= argc;

  for (; argc > 0; argc--)
    printf("arg %d value %s\n", argc-1, argv[argc-1]);

  argc=argc_bak;
  for (; argc > 0; argc--)
  {
    if (argc-1 > 0)
      for (ptr=argv[argc-1]; *ptr; ptr++)
        *ptr= 'x';
  }
  argc=argc_bak;
  for (; argc > 0; argc--)
    printf("arg %d value %s\n", argc-1, argv[argc-1]);

  while(1) {}

  return(0);
}

On Mac OSX (a BSD variant):

radha:~/code patg$ ./args aaa bbb ccc
basic arg checking program with 4 args...
arg 3 value ccc
arg 2 value bbb
arg 1 value aaa
arg 0 value ./args
arg 3 value xxx
arg 2 value xxx
arg 1 value xxx
arg 0 value ./args

radha:~/mysql-build/mysql-5.0.clean/client patg$ ps aux|grep args
patg    5404  56.0  0.1    36720    824  p4  R+    1:21AM   2:07.98 ./args xxx xxx xxx

Yet on sunfire280:

bash-2.05$ ./args sjsj sjsj lll
basic arg checking program with 4 args...
arg 0 value ./args
arg 1 value sjsj
arg 2 value sjsj
arg 3 value lll
arg 0 value ./args
arg 1 value xxxx
arg 2 value xxxx
arg 3 value xxx

bash-2.05$ ps -ef|grep args
mysqldev  30358  30338 50 00:59:35 pts/1   28:51 ./args sjsj sjsj lll

The question is then: can we at all blank out the argv values ps has access to on Sys V?
[26 Jul 2005 0:49] Patrick Galbraith
This issue cannot be fixed because I've found that Sys V, even if you write over argv, will not overwrite the entry in the processlist. The processlist is stored in /proc:

bash-2.05$ ps -ef|grep args
mysqldev  30462  30450 50 02:09:49 pts/1   36:24 ./args sjsj sjsj lll
mysqldev  89203  30377  0 02:46:20 pts/2    0:00 grep args
bash-2.05$ cat /proc/30462/psinfo 
v˛vÚv˛vÚff»`?π
               BÂ_L*{'8Cargs./args sjsj sjsj lllˇø˙ˇø˙∞≠Oc2?πBÂ_8CTSˇˇˇˇˇˇˇˇbash-2.05$ 

From what I can tell by everything I've examined, is that this is added prior to the program running and argv being changed. I found this link informational:

http://www.erlenstar.demon.co.uk/unix/faq_2.html#SEC17

So, my suggestion is that if you are running SysV-based UNIX, don't use -ppassword, and this should be documented.
[3 Aug 2005 21:14] Mike Hillyer
I have added a note to the documentation that the password should not be specified on the command-line for SysV-based UNIX systems.