Your message dated Sat, 19 Apr 2025 11:35:46 -0700
with message-id
<caou6tacnyukhpw1pcz4fokzx3e1p0pyz1r8xkbrjlqh6omf...@mail.gmail.com>
and subject line Re: [debian-mysql] Bug#984997: Bug#984997: Bug#984997:
Bug#984997: mariadb-server-10.5: database password passed in cleartext both on
commandline and in environment
has caused the Debian Bug report #984997,
regarding mariadb-server-10.5: database password passed in cleartext both on
commandline and in environment
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
984997: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984997
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: mariadb-server-10.5
Version: 1:10.5.9-1
Severity: normal
Dear Maintainer,
I had a look at /usr/bin/wsrep_sst_mariabackup, after being a bit
suspicious on how mariadb executes mariabackup for wsrep replication.
I found that the database password is passed in *cleartext* both on the
command line and via the environment.
Neither of these are suitable places for a secret, as both can usually
easily be queried by nonprivileged users.
* What outcome did you expect instead?
Secrets should never be passed on the command line or in the environment.
-- System Information:
Debian Release: 10.8
APT prefers stable
APT policy: (990, 'stable'), (500, 'unstable-debug'), (500, 'testing-debug'),
(500, 'stable-updates'), (500, 'stable-debug'), (500, 'unstable'), (500,
'testing'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, x32
Kernel: Linux 5.8.18-050818-generic (SMP w/8 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE,
TAINT_UNSIGNED_MODULE
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages mariadb-server-10.5 depends on:
ii adduser 3.118
ii debconf [debconf-2.0] 1.5.71
pn galera-4 <none>
ii gawk 1:4.2.1+dfsg-1
ii iproute2 5.10.0-4
ii libc6 2.30-4
ii libdbi-perl 1.642-1+deb10u2
ii libpam0g 1.3.1-5
ii libssl1.1 1.1.1d-0+deb10u2
ii libstdc++6 10.2.1-6
ii lsb-base 11.1.0
ii lsof 4.91+dfsg-1
pn mariadb-client-10.5 <none>
ii mariadb-common 1:10.3.27-0+deb10u1
pn mariadb-server-core-10.5 <none>
ii passwd 1:4.5-1.1
ii perl 5.28.1-6+deb10u1
ii procps 2:3.3.15-2
ii psmisc 23.2-1
ii rsync 3.2.3-4
ii socat 1.7.3.2-2
ii zlib1g 1:1.2.11.dfsg-1
Versions of packages mariadb-server-10.5 recommends:
ii libhtml-template-perl 2.97-1
Versions of packages mariadb-server-10.5 suggests:
ii bsd-mailx [mailx] 8.1.2-0.20180807cvs-1
ii mailutils [mailx] 1:3.5-4
pn mariadb-test <none>
ii netcat-openbsd 1.195-2
--- End Message ---
--- Begin Message ---
Hi,
The original bug report was about how /usr/bin/wsrep_sst_mariabackup behaves.
This is an upstream script and not maintained separately in Debian.
No Forwarded tag was recorded in this bug report, but I am pretty sure
this was reported upstream. Contributors are welcome to add
references.
For the scope of Debian, I am closing this bug now as there are no
further actions in Debian.
On Sat, 8 May 2021 at 17:27, Otto Kekäläinen <[email protected]> wrote:
>
> Hello!
>
> If this was fixed in some Galera release, please let me know.
>
> I did not see any Forwarded: line in
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984997
>
> On Tue, 16 Mar 2021 at 00:18, Olaf van der Spek <[email protected]> wrote:
> >
> > On Mon, Mar 15, 2021 at 2:33 PM <[email protected]> wrote:
> > > Speaking of environment, AFAIK on modern systems it can be read only by
> > > sufficiently privileged user, so I don't see how it is less secure than
> > > a file (which will have to have the same permissions as
> > > /proc/<PID>/environ). Could you elaborate how is it less secure than
> > > using --defaults-extra-file?
> >
> > Environment data 'leaks' easier than file contents.
> > For example, when developing / debugging, one could easily copy/paste
> > all environment data, including the password (by accident), and post
> > it online when asking for help.
> >
> > _______________________________________________
> > pkg-mysql-maint mailing list
> > [email protected]
> > https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-mysql-maint
>
>
>
> --
> - Otto
>
--- End Message ---
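The report above asks that a database password never be placed in argv or in the environment, and the quoted exchange compares the environment with an option file such as the one given to --defaults-extra-file. The following POSIX sh snippet is an added example, not code from the bug report, from Debian, or from the MariaDB wsrep scripts: it creates a mode-0600 option file holding the credentials, builds a mariabackup invocation in which the secret travels only through that file, and provides two pre-flight checks that flag a password still visible in argv or in the exported environment. The function names, the option patterns matched, and the sample user and password are assumptions made for this example.

```shell
#!/bin/sh
# Added example (assumed helper names); not part of the bug report or of
# the MariaDB wsrep scripts. Keeps a database password out of argv and
# the environment by handing it over through a 0600 option file.

# Write a MariaDB/MySQL option file containing the credentials.
# The subshell confines "umask 077", so a newly created file gets
# mode 0600 without changing the caller's umask.
#   $1 = path of the option file, $2 = database user, $3 = password
write_defaults_file() {
    (
        umask 077
        printf '[client]\nuser=%s\npassword=%s\n' "$2" "$3" > "$1"
    )
}

# Succeed only if the file has exactly mode 0600, i.e. no other local
# user can read the secret out of it (find -perm is exact-match here).
file_is_private() {
    [ -n "$(find "$1" -prune -perm 0600 -print 2>/dev/null)" ]
}

# Succeed if a command line (passed as arguments) carries a password in
# argv, which any local user could read from /proc/<PID>/cmdline.
# Matches the long form --password=... and the attached short form
# -pSECRET (so any single-dash option starting with "p" is flagged too).
argv_has_password() {
    for arg in "$@"; do
        case "$arg" in
            --password=*|-p?*) return 0 ;;
        esac
    done
    return 1
}

# Succeed if any exported variable name looks like a credential holder
# (contains "passw" or "_pwd", e.g. MYSQL_PWD). Such a variable ends up in
# /proc/<PID>/environ of every child and in any pasted "env" output.
# PWD and OLDPWD deliberately do not match.
env_exposes_password() {
    env | grep -iqE '^[^=]*(passw|_pwd)[^=]*='
}

# Build the client invocation: the secret travels only via the option file.
#   $1 = path of the 0600 option file; remaining arguments are appended.
# Prints the argv that would be executed, one argument per line, so a
# caller can inspect it; nothing is executed here.
build_backup_argv() {
    f=$1
    shift
    printf '%s\n' mariabackup "--defaults-extra-file=$f" "$@"
}

# Typical use (sample values are constructed for this example):
#   write_defaults_file /run/mariadb/sst.cnf sstuser 's3cr3t'
#   file_is_private /run/mariadb/sst.cnf || exit 1
#   build_backup_argv /run/mariadb/sst.cnf --backup --target-dir=/var/tmp/sst
```

The check functions are meant to run before the backup command is executed: if argv_has_password or env_exposes_password succeeds, the caller should refuse to proceed rather than let the secret reach /proc/<PID>/cmdline or /proc/<PID>/environ.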