Bug #69044 "mysql_secure_installation" password prompts are escaping backslashes
Submitted: 23 Apr 2013 20:31 Modified: 9 Dec 2016 9:49
Reporter: Krzysztof Nazarewski
Status: Closed
Category:MySQL Server: Installing Severity:S3 (Non-critical)
Version:15.1 Distrib 5.5.30-MariaDB OS:Linux (Linux drag0nius.pl 3.8.7-1-ARCH #1 SMP PREEMPT Sat Apr 13 09:01:47 CEST 2013 x86_64 GNU/Linux)
Assigned to: CPU Architecture:Any

[23 Apr 2013 20:31] Krzysztof Nazarewski
Description:
Basically "mysql_secure_installation" is improperly invoking the "read" command, which uses the backslash character for escaping.

So basically, typing in the password "1\23" becomes "123" in the database (in "mysql -p" you will have to type in "123", not "1\23"), and typing "1\\23" into the script becomes "1\23" in the database (so only now will "1\23" work in the client).

Some stored hash data with and without the suggested fix:

Patched "1\23":
| root | localhost | *4D617476C30310C15DB73E333FA5CC4E555B3BDA |
Unpatched "1\\23":
| root | localhost | *4D617476C30310C15DB73E333FA5CC4E555B3BDA |
Unpatched "1\23":
| root | localhost | *23AE809DDACAF96AF0FD78ED04B6A265E05AA257 |

Patched "123":
| root | localhost | *23AE809DDACAF96AF0FD78ED04B6A265E05AA257 |
Unpatched "123":
| root | localhost | *23AE809DDACAF96AF0FD78ED04B6A265E05AA257 |

Patched "1\2\3\":
| root | localhost | *9FB0E6F84609F74C3EAB1A26C41953DE1D133889 |
Unpatched "1\\2\\3\\":
| root | localhost | *9FB0E6F84609F74C3EAB1A26C41953DE1D133889 |
Unpatched "1\2\3\":
| root | localhost | *23AE809DDACAF96AF0FD78ED04B6A265E05AA257 |

How to repeat:
1. execute "mysql_secure_installation"
2. Type your password
3. Press Enter
5. Press Y (for updating root password)
6. Press Enter
7. Type "1\2\3" on the keyboard
8. press Enter
9. Type "123" on the keyboard
10. Press Enter
...

At this point the script won't complain about anything, because both passwords returned by the read command will become "123".

Suggested fix:
vim /usr/bin/mysql_secure_installation
:%s/read pass/read -r pass/g
:wq

Basically add "-r" parameter to all 3 password reading commands.

From "man read":
By default, unless the -r option is specified, backslash ( '\' ) shall act as an escape character, as described in Escape Character (Backslash).
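The behaviour the report describes can be reproduced with the shell builtin alone, independent of MySQL. The following is an added example, not code from the bug report or from mysql_secure_installation: it feeds a typed-looking string to `read` with and without `-r` and compares two passwords the way the unpatched script effectively did. The function names and the sample passwords are constructed for illustration.

```sh
#!/bin/sh
# Added example (not part of the bug report): how the POSIX `read` builtin
# treats backslashes with and without the -r ("raw") option.

# Simulate a user typing $1 followed by Enter, read WITHOUT -r.
# Backslashes are consumed as escape characters, so "1\23" becomes "123".
read_without_r() {
    printf '%s\n' "$1" | { read pass; printf '%s' "$pass"; }
}

# Same input, read WITH -r: backslashes are kept literally.
read_with_r() {
    printf '%s\n' "$1" | { read -r pass; printf '%s' "$pass"; }
}

# The unpatched script's confirmation check: two different typed strings
# can compare equal because both lose their backslashes on the way in.
passwords_match_unpatched() {
    [ "$(read_without_r "$1")" = "$(read_without_r "$2")" ]
}

# The same check after the suggested fix (read -r).
passwords_match_patched() {
    [ "$(read_with_r "$1")" = "$(read_with_r "$2")" ]
}

# Print a small comparison table for a few constructed passwords.
demo() {
    for typed in '1\23' '1\\23' '1\2\3'; do
        printf 'typed %-8s  without -r: %-8s  with -r: %s\n' \
            "$typed" "$(read_without_r "$typed")" "$(read_with_r "$typed")"
    done
    if passwords_match_unpatched '1\2\3' '123'; then
        echo 'unpatched: "1\2\3" and "123" are accepted as the same password'
    fi
    if ! passwords_match_patched '1\2\3' '123'; then
        echo 'patched:   "1\2\3" and "123" are correctly rejected as different'
    fi
}

demo
```

Run it under any POSIX shell; the first column is what was typed, the other two are what the script would have stored. The stored value differing from what the operator typed is the real problem, since `mysql -p` does not apply the same escaping and the operator is locked out of the account they just secured.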
[23 Apr 2013 20:51] Elena Stepanova
To MySQL verification team:
Please note that on Ubuntu the whole thing works incorrectly due to https://bugs.launchpad.net/ubuntu/+source/dash/+bug/259671 , it might be quite confusing. Apparently, somewhere inside basic_single_escape where the buggy echo is used, mysql_secure_installation converts a password with a backslash into some rubbish, so it might be problematic to connect to the server afterwards.
[23 Apr 2013 21:30] MySQL Verification Team
Please check whether you are affected by the issue Elena pointed out. Thanks.
[26 Apr 2013 15:27] Krzysztof Nazarewski
I am not affected by anything except that improper invocation of "read" command.
[20 May 2013 12:42] MySQL Verification Team
Hello Krzysztof,

Thank you for the report.
Verified as described.

Thanks,
Umesh
[9 Dec 2016 9:49] Terje Røsten
Posted by developer:
 
Fixed by:

commit 2fb9344d2ab546402705e8d7203616d7487f5e35
Author: Vamsikrishna Bhagi <vamsikrishna.bhagi@oracle.com>
Date:   Tue Aug 13 21:47:28 2013 +0530

    WL#6441 Convert mysql_secure_installation script to C