| Bug #49848 | space prefixed or trailed passwords not recognized by mysql_secure_installation | ||
|---|---|---|---|
| Submitted: | 21 Dec 2009 14:12 | Modified: | 9 Dec 2016 9:43 |
| Reporter: | Liselore Vermeulen | Email Updates: | |
| Status: | Closed | Impact on me: | |
| Category: | MySQL Server: Installing | Severity: | S3 (Non-critical) |
| Version: | 5.1.39-ndb-7.0.9-cluster | OS: | Any |
| Assigned to: | | CPU Architecture: | Any |
| Tags: | Contribution, mysql_secure_installation password limits | ||
[21 Dec 2009 14:14]
Liselore Vermeulen
Further down the code, the line
rootpass=$password;
should be changed to
rootpass="${password}";
to cover this space-enabled password.
This specific line could also break if the password had a space in the middle.
[21 Dec 2009 14:15]
Liselore Vermeulen
And the lines in the set_root_password() function:
read password1
and
read password2
would have to be changed to
read -s && password1="${REPLY}";
respectively
read -s && password2="${REPLY}";
[21 Dec 2009 16:27]
Liselore Vermeulen
I discover: the solution proposed only works with bash. The POSIX norm does not specify what read without arguments should perform.
* or create another way to read the password (not using read) (like a small executable);
* or warn the user (when asking for the password) about this limitation (not accepting spaces in password);
* or enforce the use of bash (instead of /bin/sh).
[23 Dec 2009 10:03]
Sveta Smirnova
Thank you for the report. This can be fixed by the fix for bug #4803. Could you please try this script from the upcoming 5.1.42: it should work with cluster binaries as well. You can also try snapshots from http://labs.mysql.com/index.php
[24 Jan 2010 0:00]
Bugs System
No feedback was provided for this bug for over a month, so it is being suspended automatically. If you are able to provide the information that was originally requested, please do so and change the status of the bug back to "Open".
[9 Dec 2016 9:40]
Terje Røsten
Posted by developer:
Fixed by:
commit 2fb9344d2ab546402705e8d7203616d7487f5e35
Author: Vamsikrishna Bhagi <vamsikrishna.bhagi@oracle.com>
Date: Tue Aug 13 21:47:28 2013 +0530
WL#6441 Convert mysql_secure_installation script to C

Description:
When using the mysql_secure_installation script, the script asks for a new password. This (new) password is read by the script, from console, using the function
%> read password;
This method however trims the entered data. Better would be to use
%> read -s && varname="${REPLY}";
The read function then reads a complete line from stdin, and on success, varname is assigned this value.

How to repeat:
Enter a password starting (or ending or both) with one or more spaces. The script will not protest, and enter the trimmed password in the database, after which the user, unaware of this change in its password, won't be able to access its administrative account.

Test the script functionality:
#!/bin/bash
read -s password <<ENDOFINPUTPROOF
 prefixed
ENDOFINPUTPROOF
if [ "${password## }" = "${password}" ]; then
    echo "${password} is not prefixed by a space even though it was entered like that." >&2;
fi

Suggested fix:
Use of read function without variable name, and assign $REPLY to variable
read -s && password="${REPLY}";

Proof:
#!/bin/bash
read -s <<ENDOFINPUTCORRECT
 prefixed
ENDOFINPUTCORRECT
password="${REPLY}";
if [ "${password## }" = "${password}" ]; then
    echo "${password} is not prefixed by a space even though it was entered like that." >&2;
else
    echo "The solution by using read (without var name) reads the complete line.";
fi
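
A portable variant of the fix discussed in this report, as an added example that is not part of the bug report or of MySQL's code: in POSIX sh, `IFS= read -r var` keeps leading and trailing blanks without relying on bash's `$REPLY`, and `stty -echo` stands in for `read -s`. It goes slightly beyond the report by also keeping backslashes literal (`-r`); the function names and the sample value are constructed for illustration.

```shell
#!/bin/sh
# Added example: POSIX sh only (no read -s, no $REPLY).

# Behaviour of the reported script: with the default IFS, read strips
# leading and trailing blanks; without -r it also consumes backslashes.
read_default() {
    read value <<EOF
$1
EOF
    printf '%s' "$value"
}

# Portable fix: an empty IFS for this one command disables field
# splitting (and with it the trimming); -r keeps backslashes literal.
read_exact() {
    IFS= read -r value <<EOF
$1
EOF
    printf '%s' "$value"
}

# Prompt helper (hypothetical name). Sets PASSWORD to the exact line
# typed. Echo is switched off with stty only when stdin is a terminal,
# and restored on normal return as well as on INT/TERM.
read_password() {
    printf '%s' "$1" >&2
    if [ -t 0 ]; then
        saved_tty=$(stty -g)
        trap 'stty "$saved_tty"' INT TERM
        stty -echo
    fi
    IFS= read -r PASSWORD
    rc=$?
    if [ -t 0 ]; then
        stty "$saved_tty"
        trap - INT TERM
        printf '\n' >&2
    fi
    return "$rc"
}

# Constructed sample: one leading space, two trailing, one backslash.
sample=' s3cr\et  '
printf 'default: [%s]\n' "$(read_default "$sample")"
printf 'exact:   [%s]\n' "$(read_exact "$sample")"
```

A caller should check the return status of `read_password` before using `PASSWORD`, since an interrupted or end-of-file read leaves it incomplete.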