Bug #69078 mysql_upgrade incorrectly reports about insecure password usage
Submitted: 26 Apr 2013 6:25 Modified: 9 Dec 2016 10:07
Reporter: Simon Mudd (OCA) Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: Installing Severity:S3 (Non-critical)
Version:5.6.11 OS:Any
Assigned to: CPU Architecture:Any

[26 Apr 2013 6:25] Simon Mudd 
Description:
Upgrading 5.5.23 to 5.6.11 I see this while running mysql_upgrade:

Running 'mysqlcheck' with connection arguments: '--socket=/path/to/mysql.sock' '--socket=/path/to/mysql.sock' 
Warning: Using a password on the command line interface can be insecure.

However, I did not pass a password on the command line. Access to this server is configured via a ~/.my.cnf file which does have the password so the message that's given is wrong or needs adjusting.

How to repeat:
Create a ~/.my.cnf config file for access to MySQL with the following credentials:

[client]
user=user_that_runs_mysql_upgade
socket=/path/to/mysql.sock
password=some_password

Notice how when you run mysql_upgrade without any parameters how you get this message.

Suggested fix:
If no password is provided on the command line don't produce this message. The description is wrong. If you want to suggest that the password is not stored in the ~/.my.cnf word the warning differently.

Not critical obviously but if you want to complain about user behaviour do so correctly.
[26 Apr 2013 12:14] Arnaud Adant 
Hi Simon,

I agree that the message is a bit misleading. It can even happen using the --skip-password option. So the message should be fixed. Verified bug. Thanks for reporting this.

Best regards,

Arnaud Adant
[9 Dec 2016 10:07] Terje Røsten 
Posted by developer:
 
Fixed by:

commit 1ea460a939bdda1385c448c1bf10fdef3a1a0d66
Author: Marcin Babij <marcin.babij@oracle.com>
Date:   Fri Aug 8 13:53:52 2014 +0200

    WL#7308: Refactor mysql_upgrade
    
    mysql_upgrade should not call other applications by command line (as it makes password being visible).