Disclosed password in ps uax output #289

Open
poralix opened this Issue Jan 9, 2017 · 4 comments


@poralix
poralix commented Jan 9, 2017

Hello,

In certain cases mysqltuner 1.7.0 runs a little bit longer than expected, and in this case a superuser's password can be seen in ps aux output.

root 11718 0.0 0.0 106120 1188 pts/3 S+ 15:19 0:00 sh -c /usr/bin/mysql -u da_admin -psecret -Bse "\wSELECT ENGINE,SUM(DATA_LENGTH+INDEX_LENGTH),COUNT(ENGINE),SUM(DATA_LENGTH),SUM(INDEX_LENGTH) FROM information_schema.TABLES WHERE TABLE_SCHEMA NOT IN ('information_schema', 'performance_schema', 'mysql') AND ENGINE IS NOT NULL GROUP BY ENGINE ORDER BY ENGINE ASC;" 2>>/dev/null

at the same time I can see another query running with a hidden password:

root 11719 0.0 0.0 195900 1832 pts/3 S+ 15:19 0:00 /usr/bin/mysql -u da_admin -px xxxxxx -Bse \wSELECT ENGINE,SUM(DATA_LENGTH+INDEX_LENGTH),COUNT(ENGINE),SUM(DATA_LENGTH),SUM(INDEX_LENGTH) FROM information_schema.TABLES WHERE TABLE_SCHEMA NOT IN ('information_schema', 'performance_schema', 'mysql') AND ENGINE IS NOT NULL GROUP BY ENGINE ORDER BY ENGINE ASC;

Kindly advise.

p.s.
mysqltuner 1.7.0
MySQL version 5.5.53
CentOS release 6.8 (Final)

Regards,
Alex.

@jmrenouard
Collaborator

Hi @poralix
Thanks for your feedback !
Security is an issue on mysqltuner. You are absolutely right!

This comes from the command line builder using the password on the command line.
MySQLTuner is developed for minimum dependency usage (in production, for example).

In order to fix this security issue, prefer using a non-privileged user.
Look at the FAQ:
GRANT SELECT, PROCESS, EXECUTE, REPLICATION CLIENT, SHOW DATABASES, SHOW VIEW ON *.* TO 'mysqltuner'@'localhost' IDENTIFIED BY 'pwd1234';

Then, using a .my.cnf or .mylogin.cnf solution allows you to keep your password secret.

BR
@jmrenouard
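The exposure in the ps lines above comes from the password being glued to `-p` in argv, where any local user can read it. The following is an added example, not mysqltuner's code: a small scanner that flags mysql client processes carrying a password on the command line (skipping values the client has already overwritten with x's), and the option-file alternative jmrenouard mentions, written to a 0600 file and passed via `--defaults-extra-file` so that argv never contains the secret. The ps sample is constructed from the lines in the report with placeholder passwords; the names `exposed_passwords`, `write_defaults_file`, `mysql_argv` and `demo` are chosen for this example, and the option-file quoting assumes MySQL's documented backslash escaping inside quoted values.

```python
"""Added example (not mysqltuner's code): find MySQL passwords exposed on argv
and build an invocation that keeps the secret in a private option file."""
import os
import re
import stat
import tempfile

# Constructed `ps aux`-style sample modelled on the report; "secret" and
# "dumppw" are placeholders, not real credentials.
SAMPLE_PS = """\
root 11718 0.0 0.0 106120 1188 pts/3 S+ 15:19 0:00 sh -c /usr/bin/mysql -u da_admin -psecret -Bse "SELECT 1" 2>>/dev/null
root 11719 0.0 0.0 195900 1832 pts/3 S+ 15:19 0:00 /usr/bin/mysql -u da_admin -px xxxxxx -Bse SELECT 1
root 11720 0.0 0.0 101200 1000 pts/3 S+ 15:19 0:00 /usr/bin/mysqldump --user=backup --password=dumppw --all-databases
root 11721 0.0 0.0 101200 1000 pts/3 S+ 15:19 0:00 /usr/bin/mysql --defaults-extra-file=/tmp/mysql-creds-abc.cnf -Bse SELECT 1
"""

# -pSECRET (value glued to the flag) or --password=SECRET. A bare -p or
# --password makes the client prompt instead, so nothing lands in argv.
_ARGV_PASSWORD = re.compile(r"(?<=\s)-p(?P<short>\S+)|--password=(?P<long>\S+)")
# The process must actually be a MySQL client binary, possibly behind `sh -c`.
_MYSQL_CLIENT = re.compile(r"(?:^|/|\s)mysql(?:dump|admin|check|import|show)?(?:\s|$)")


def exposed_passwords(ps_output):
    """Return [(pid, secret)] for every ps line where a mysql client carries
    its password in argv. Values the client already masked (all 'x') are
    ignored, since only the pre-masking window exposes the real secret."""
    findings = []
    for line in ps_output.splitlines():
        fields = line.split(None, 10)  # ps aux: 10 fixed columns, then COMMAND
        if len(fields) < 11:
            continue
        pid, command = fields[1], fields[10]
        if not _MYSQL_CLIENT.search(command):
            continue
        for m in _ARGV_PASSWORD.finditer(command):
            secret = m.group("short") or m.group("long")
            if set(secret) == {"x"}:
                continue
            findings.append((pid, secret))
    return findings


def _quote(value):
    # Quote the value so '#' or ';' inside it are not read as a comment, and
    # escape backslash and the quote itself using MySQL's option-file escapes.
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def write_defaults_file(user, password, host="localhost", directory=None):
    """Write a [client] option file only the current user can read and return
    its path. mkstemp creates it with mode 0600 atomically, so the secret is
    never readable by other users, not even briefly."""
    fd, path = tempfile.mkstemp(prefix="mysql-creds-", suffix=".cnf", dir=directory)
    with os.fdopen(fd, "w") as f:
        f.write("[client]\n")
        f.write(f"user={_quote(user)}\n")
        f.write(f"password={_quote(password)}\n")
        f.write(f"host={_quote(host)}\n")
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)  # explicit, in case umask changes
    return path


def mysql_argv(defaults_file, sql, mysql_bin="/usr/bin/mysql"):
    """argv for a batch query. --defaults-extra-file must be the first option;
    the password is not in this list, so ps shows only the file path. Run it
    as a list with subprocess.run(argv), never as an `sh -c` string."""
    return [mysql_bin, f"--defaults-extra-file={defaults_file}", "-Bse", sql]


def demo():
    """Scan the sample, then build a password-free invocation. Returns
    (findings, option_file_mode, option_file_text, argv) and removes the
    temporary option file afterwards."""
    findings = exposed_passwords(SAMPLE_PS)
    path = write_defaults_file("mysqltuner", 'S3cr3t"pw')
    try:
        mode = stat.S_IMODE(os.stat(path).st_mode)
        with open(path) as f:
            text = f.read()
        argv = mysql_argv(path, "SELECT ENGINE, COUNT(*) FROM information_schema.TABLES GROUP BY ENGINE")
    finally:
        os.unlink(path)
    return findings, mode, text, argv


if __name__ == "__main__":
    found, mode, text, argv = demo()
    for pid, secret in found:
        print(f"pid {pid}: password exposed in argv ({len(secret)} chars)")
    print(f"option file mode {mode:o}; safe argv: {argv}")
```

For a standing setup rather than a temporary file, the same `[client]` section in `~/.my.cnf` (mode 0600) is picked up automatically, and `mysql_config_editor set --login-path=mysqltuner --user=mysqltuner --password` stores the credential obfuscated in `~/.mylogin.cnf` for use with `--login-path=mysqltuner`. Either way the check above should come back empty for the tool's processes.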

@poralix
poralix commented Jan 16, 2017 edited

Hello @jmrenouard,

Thank you for your suggestion. I should have mentioned that the issue happens on servers with DirectAdmin (the hosting panel), which has /usr/local/directadmin/conf/my.cnf by default with the superuser username and password. And mysqltuner detects the file automatically by default. I'm sure mysqltuner's community is very big, and DirectAdmin has a growing community too, and all admins and users would need to follow the steps and create a secure user... but why then does mysqltuner autodetect the file? Probably it should not detect the file and should suggest creating a more secure user?

Regards,
Alex.

@jmrenouard
Collaborator

Hi @poralix,

We try to build a tool that is as little intrusive as possible.
So, mysqltuner shouldn't be able to perform admin operations automatically because they can have side effects we can't control completely.

Make it run with as few privileges as possible, and if not, run it with an already created user.

@jmrenouard

@poralix
poralix commented Jan 16, 2017 edited

@jmrenouard,

So now that I know about the issue, I can create a user with minimal privileges and make myself secure. What about other users who trust mysqltuner and don't even think their password can be hijacked?

Probably you should add a line under Security Recommendations?! Saying...

Hi DirectAdmin user! We detected that you run mysqltuner with da_admin's credentials taken from /usr/local/directadmin/conf/my.cnf, which might lead to password discovery! Read link for more details.

Or do I miss anything?

Regards,
Alex.
