Bug #6343 Passwords on commandline can be read via /proc/<pid>/cmdline
Submitted: 31 Oct 2004 11:26 Modified: 2 Nov 2004 2:54
Reporter: Christian Hammers (Silver Quality Contributor) (OCA)
Status: Verified
Category: MySQL Server: Command-line Clients    Severity: S4 (Feature request)
Version: all    OS: Any (all)
CPU Architecture: Any

[31 Oct 2004 11:26] Christian Hammers
Description:
Reported as Debian bug report by Jan Minar <jjminar@fastmail.fm> http://bugs.debian.org/278955

The

	$ mysqladmin <old-password> <new-password>

syntax, as specified both in the --help output & the manpage, will
reveal both passwords to the world in /proc/<pid>/cmdline.  Even if
mysqladmin does overwrite the passwords (as it probably does) just a few
instructions after its start, there still is an attack window open until
this happens.

This functionality can be removed altogether, as there are alternative
ways to do the same thing.  Later, it can be re-implemented reading from
the tty or specified fd (cf. passwd(1), losetup(8)).

How to repeat:

root@shell1# while true; do mysqladmin password test234 ; done

normaluser@shell2$ while true; do fgrep -a pass /proc/[0-9]*/cmdline 2>/dev/null; done
/proc/21566/cmdline:mysqladminpasswordtest234
/proc/21566/cmdline:mysqladminpasswordtest234
/proc/21566/cmdline:mysqladminpasswordtest234
/proc/21600/cmdline:mysqladminpasswordtest234
/proc/21600/cmdline:mysqladminpasswordtest234
/proc/21600/cmdline:mysqladminpasswordtest234
/proc/21600/cmdline:mysqladminpasswordtest234
/proc/21600/cmdline:mysqladminpasswordtest234
/proc/21600/cmdline:mysqladminpasswordtest234
/proc/21632/cmdline:mysqladminpasswordtest234

Suggested fix:
- Remove any "password" options from any command line clients.
- Accept passwords only via tty, fd, stdin or .my.cnf
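The leak shown above can be audited from the defender's side without copying the secrets out of /proc. The following script is an added example (not part of the bug report or of MySQL): it parses the NUL-separated /proc/<pid>/cmdline image into argv, flags the three MySQL client forms that carry a password in argv (-p<value>, --password=<value>, and `mysqladmin password <new>`), and reports only the PID and the reason. The sample cmdline image is constructed; the client-name list is an assumption.

```python
"""Flag MySQL client processes that carry a password in argv (added example)."""
import glob
import os
from typing import List, Optional

# Assumed set of client binaries whose argv may carry a password.
MYSQL_CLIENTS = {"mysql", "mysqladmin", "mysqldump", "mysqlimport",
                 "mysqlshow", "mysqlcheck"}

# Constructed sample of what /proc/<pid>/cmdline holds for the report's loop:
# argv entries separated by NUL bytes, which is why `fgrep -a` prints them run together.
SAMPLE_CMDLINE = b"mysqladmin\0password\0test234\0"


def parse_cmdline(raw: bytes) -> List[str]:
    """Split a /proc/<pid>/cmdline image into argv (drops the trailing NUL)."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]


def exposed_password(argv: List[str]) -> Optional[str]:
    """Return why argv exposes a password, or None if it does not.

    A bare `-p` (no value) is safe: the client prompts on the terminal instead.
    """
    if not argv or os.path.basename(argv[0]) not in MYSQL_CLIENTS:
        return None
    client = os.path.basename(argv[0])
    for i, arg in enumerate(argv[1:], start=1):
        if arg.startswith("--password="):
            return "--password=<value> on command line"
        if arg.startswith("-p") and len(arg) > 2:          # -pfrank style
            return "-p<value> on command line"
        if client == "mysqladmin" and arg == "password" and i + 1 < len(argv):
            return "mysqladmin password <new-password> on command line"
    return None


def audit_proc(proc_root: str = "/proc") -> List[tuple]:
    """Walk proc_root like the report's fgrep loop; report (pid, client, reason) only."""
    findings = []
    for path in glob.glob(os.path.join(proc_root, "[0-9]*", "cmdline")):
        try:
            with open(path, "rb") as f:
                argv = parse_cmdline(f.read())
        except OSError:               # process exited or unreadable; skip it
            continue
        reason = exposed_password(argv)
        if reason:
            findings.append((os.path.basename(os.path.dirname(path)), argv[0], reason))
    return findings


if __name__ == "__main__":
    print("sample:", exposed_password(parse_cmdline(SAMPLE_CMDLINE)))
    for pid, client, reason in audit_proc():
        print(f"pid {pid}: {client}: {reason}")
```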
[2 Nov 2004 2:54] Matthew Lord
Hi,

Thank you for your bug report!

This is documented behavior so I changed the severity to feature request.  This is
something to be debated.  Thanks again!
http://dev.mysql.com/doc/mysql/en/Password_security.html

" Use a -pyour_pass or --password=your_pass option on the command line. For example:
shell> mysql -u francis -pfrank db_name

This is convenient but insecure, because your password becomes visible to system status programs such as ps that may be invoked by other users to display command lines. MySQL clients typically overwrite the command-line password argument with zeros during their initialization sequence, but there is still a brief interval during which the value is visible.
Use a -p or --password option with no password value specified. In this case, the client program solicits the password from the terminal:
shell> mysql -u francis -p db_name
Enter password: ********

The `*' characters indicate where you enter your password. The password is not displayed as you enter it.  It is more secure to enter your password this way than to specify it on the command line because it is not visible to other users. However, this method of entering a password is suitable only for programs that you run interactively. If you want to invoke a client from a script that runs non-interactively, there is no opportunity to enter the password from the terminal. On some systems, you may even find that the first line of your script is read and interpreted (incorrectly) as your password!"
[2 Nov 2004 23:07] Christian Hammers
warn-CLI-passwords.diff

Attachment: warn-CLI-passwords.diff (text/plain), 19.09 KiB.

[2 Nov 2004 23:09] Christian Hammers
Hello

I added a patch for 4.0.22 that at least adds warnings to the manpages and --help output of all relevant client binaries and scripts I found.

bye,

-christian-
[15 Nov 2004 3:28] [ name withheld ]
This is a design error, not a programming error.  It's in no way a feature request, as the consequences can be severe.

If you disagree, please disprove that:

(1) The status quo leads a substantial percentage of the MySQL users to give out their credentials to other users on the system

(2) There are many systems where this actually matters, as these systems use the traditional UNIX security model, are multiuser, and the users don't necessarily trust each other

(3) The users specifying the password on the commandline currently would stop doing this if they learnt this means they're giving their credentials away, or would find another way of securing the session.

Documenting this behaviour solves:

(4) This is an unexpected behaviour; the users are lured into expecting security and confidentiality, whilst there is none.  False security is far worse than no security.

--
Jan Minar <jjminar at fastmail fm>