Bug #76683 Permission denied exception and password exposure from mysql_config_editor path
Submitted: 14 Apr 2015 5:56    Modified: 24 Dec 2016 12:19
Reporter: Shahriyar Rzayev (OCA)
Status: No Feedback
Category: MySQL Utilities    Severity: S1 (Critical)
Version: 1.5.4    OS: Linux (CentOS 7)
Assigned to:    CPU Architecture: Any

[14 Apr 2015 5:56] Shahriyar Rzayev
Description:
Dear experts,
Testing mysqldiskusage with mysql_config_editor secure connection parameters as a non-root user:

[fake@centos7 ~]$ mysql_config_editor set --login-path=instance_3306 --host=localhost --user=root --port=3306 --password
Enter password: 

[fake@centos7 ~]$ cat .mylogin.cnf

           
               e��.u�����q5�vQ<�x��
�������7�Jy��_n9 �t��z��{Y��'|��l��WH;��iN �W�Q�~P<�P4���l��WH;��iN�#{���52I�Wn��j

If I try to connect as a regular user, it throws a permission denied exception:

[fake@centos7 ~]$ mysqldiskusage --server=instance_3306
# Source on localhost: ... connected.
Traceback (most recent call last):
  File "/bin/mysqldiskusage", line 171, in <module>
    diskusage.show_database_usage(servers[0], datadir, args, options)
  File "/usr/lib/python2.7/site-packages/mysql/utilities/command/diskusage.py", line 555, in show_database_usage
    is_remote)
  File "/usr/lib/python2.7/site-packages/mysql/utilities/command/diskusage.py", line 389, in _build_db_list
    dbdir_size = _get_folder_size(os.path.join(datadir, db_dir))
  File "/usr/lib/python2.7/site-packages/mysql/utilities/command/diskusage.py", line 115, in _get_folder_size
    for item in os.listdir(folder):
OSError: [Errno 13] Permission denied: '/var/lib/mysql/data_test'

So there must be some permission check for the user (it works with the root and mysql users).

But if we use mysqldiskusage as:

[fake@centos7 ~]$ mysqldiskusage --server=instance_3306 `/bin/su - fake`
Password: 
[fake@centos7 ~]$ exit
logout
WARNING: Using a password on the command line interface can be insecure.
# Source on localhost: ... connected.
# Database totals:

Total database disk usage = 0 bytes

#...done.

As you can see, there is no "Permission Denied" exception.

And there is something interesting -> "WARNING: Using a password on the command line interface can be insecure."...
As you know, this warning comes up when we type the password as cleartext on the command line. In fact we did not type any password; we used the login-path method, which is the preferred way, as the documentation states:

http://dev.mysql.com/doc/mysql-utilities/1.5/en/mysql-utils-intro-connspec-mylogin.cnf.htm...

If we strace the user process:

[root@centos7 ~]# x=1; while [ $x = 1 ]; do process=`pgrep -u fake`; if [ $process ]; then x=0; fi;  done; strace -o /tmp/strace.txt -vvtf -s 256  -p $process

3532  10:30:13 stat("/home/fake/.mylogin.cnf", {st_dev=makedev(253, 1), st_ino=15937213, st_mode=S_IFREG|0600, st_nlink=1, st_uid=1004, st_gid=1004, st_blksize=4096, st_blocks=8, st_size=172, st_atime=2015/04/14-10:21:09, st_mtime=2015/04/14-10:21:02, st_ctime=2015/04/14-10:21:02}) = 0
3532  10:30:13 open("/home/fake/.mylogin.cnf", O_RDONLY) = 3

3532  10:30:13 write(1, "--user=root\n--password=12345\n--host=localhost\n--port=3306\n", 58) = 58

3526  10:30:13 read(3, "--user=root\n--password=12345\n--host=localhost\n--port=3306\n", 8192) = 58

So the password is exposed as cleartext after using mysqldiskusage, and again under these conditions the documentation's (http://dev.mysql.com/doc/mysql-utilities/1.5/en/mysql-utils-intro-connspec-mylogin.cnf.htm...) reason to use mysql_config_editor is not true:
"The best way to specify server connection information is with your .mylogin.cnf file. Not only is this file encrypted, but any logging of the utility execution will not expose the connection information"

How to repeat:
Install MySQL Utilities 1.5.4 from the YUM repo on CentOS 7 and repeat the steps above.

Suggested fix:
Maybe:
1. A user permission check instead of the Python exception.
2. Of course, it seems to be related to the previous bug:
http://bugs.mysql.com/bug.php?id=76568
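Suggested fix 1 above, as an added example that is not part of this report or of MySQL Utilities: a folder-size walk (hypothetical names, not the utilities' own `_get_folder_size`) that treats EACCES/EPERM as a reportable condition rather than an unhandled traceback. It builds a constructed sample datadir with a mode-000 directory instead of touching /var/lib/mysql; when run as root the directory is simply readable and nothing is reported.

```python
import errno
import os
import tempfile


def get_folder_size(folder):
    """Sum file sizes under folder, recording paths that could not be read
    instead of letting the OSError escape as a traceback."""
    total = 0
    unreadable = []
    try:
        entries = os.listdir(folder)
    except OSError as exc:
        if exc.errno in (errno.EACCES, errno.EPERM):
            return 0, [folder]  # report it, keep walking the rest of datadir
        raise
    for name in entries:
        path = os.path.join(folder, name)
        if os.path.isdir(path) and not os.path.islink(path):
            size, denied = get_folder_size(path)
            total += size
            unreadable.extend(denied)
        else:
            try:
                total += os.lstat(path).st_size
            except OSError as exc:
                if exc.errno not in (errno.EACCES, errno.EPERM):
                    raise
                unreadable.append(path)
    return total, unreadable


def build_sample_datadir():
    """Constructed stand-in for /var/lib/mysql: two readable database
    directories plus one (data_test) the current user may not list."""
    datadir = tempfile.mkdtemp(prefix="mysql_datadir_")
    for db, size in (("db_a", 1024), ("db_b", 512)):
        os.mkdir(os.path.join(datadir, db))
        with open(os.path.join(datadir, db, "t1.ibd"), "wb") as fh:
            fh.write(b"\0" * size)
    os.mkdir(os.path.join(datadir, "data_test"))
    os.chmod(os.path.join(datadir, "data_test"), 0)  # non-root gets EACCES here
    return datadir


if __name__ == "__main__":
    total, denied = get_folder_size(build_sample_datadir())
    print("Total database disk usage = %d bytes" % total)
    for path in denied:
        print("# WARNING: cannot read %s (permission denied); total is a lower bound" % path)
```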
[24 Nov 2016 12:19] Chiranjeevi Battula
Hello Shahriyar,

Thank you for the bug report.
Could you please try the latest MySQL Utilities 1.6.4? Let us know if you are still having the issue, with complete repeatable steps (version of C/Py, version of MySQL and a sample configuration file, etc. - please mark it as private if you prefer) so we can confirm this issue at our end.

Thanks,
Chiranjeevi.
[25 Dec 2016 1:00] Bugs System
No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".