Bug #2271 document that --password is not displayed in process list
Submitted: 3 Jan 2004 12:09 Modified: 3 Jan 2004 15:27
Reporter: Christian Hammers (Silver Quality Contributor) (OCA)
Status: Won't fix
Category:MySQL Server: Documentation Severity:S3 (Non-critical)
Version:all OS:Linux (Debian GNU/Linux)
Assigned to: CPU Architecture:Any

[3 Jan 2004 12:09] Christian Hammers
Description:
(reference: http://bugs.debian.org/223809)

Another very minor:
Users may supply passwords from the command line, e.g.
        mysql -u foo --password=bar
Fortunately, the clear text password is x'ed out in the output of ps.
It would be nice to drop a word about this in the man page, e.g.
in the OPTIONS section of 'man mysql' after
>       -p|--password[=pwd]
>               Employ the specified password  when  connecting  to
>               the  database  server.   If  a password is not
>               supplied, it will be requested interactively.

How to repeat:
look at docs

Suggested fix:
add the following:
>               For security reasons, a password supplied on the
>               command line will be x'ed out and thus not be
>               visible in the output of ps(1).

[3 Jan 2004 15:27] Paul DuBois
We *cannot* claim that the password is not visible
to ps or other process-status utilities. There is
a window between the time the program is
invoked and the time at which the password is
x'ed out during which the password *is* visible.

This window is very short, true, but it exists.
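
The window described in the reply above, as an added example (not part of the bug report and not MySQL's code): a small C program for Linux that overwrites a `--password=` argument in place and reads its own `/proc/self/cmdline`, the source ps uses, before and after. The function names are hypothetical, and the all-`x` overwrite is an assumption modelled on the report's "x'ed out" wording.

```c
#include <stdio.h>
#include <string.h>

/* Overwrite the value of a "--password=VALUE" argument in place with 'x'.
 * Returns the number of bytes overwritten, 0 if arg is not that option. */
size_t scrub_password_arg(char *arg)
{
    static const char prefix[] = "--password=";
    size_t plen = sizeof(prefix) - 1, n = 0;

    if (arg == NULL || strncmp(arg, prefix, plen) != 0)
        return 0;
    for (char *p = arg + plen; *p != '\0'; p++, n++)
        *p = 'x';
    return n;
}

/* Copy this process's command line from /proc/self/cmdline (Linux)
 * into out, showing the NUL separators as spaces. Returns 0 on success. */
int read_own_cmdline(char *out, size_t cap)
{
    if (cap == 0)
        return -1;
    FILE *f = fopen("/proc/self/cmdline", "rb");
    if (f == NULL)
        return -1;
    size_t n = fread(out, 1, cap - 1, f);
    fclose(f);
    for (size_t i = 0; i < n; i++)
        if (out[i] == '\0')
            out[i] = ' ';
    out[n] = '\0';
    return 0;
}

int main(int argc, char **argv)
{
    char seen[4096];

    /* The window: everything that runs before the scrub loop below
     * executes with the clear-text value still in argv. */
    if (read_own_cmdline(seen, sizeof seen) == 0)
        printf("before scrub: %s\n", seen);
    for (int i = 1; i < argc; i++)
        scrub_password_arg(argv[i]);
    if (read_own_cmdline(seen, sizeof seen) == 0)
        printf("after scrub:  %s\n", seen);
    return 0;
}
```

Run with the arguments from the report (`-u foo --password=bar`): the first line printed still contains `bar`, the second shows `xxx` in its place.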