From e894ddb718fc17f8d541d1b9fcb5ecb2107ade20 Mon Sep 17 00:00:00 2001
From: Gabriel Filion
Date: Tue, 14 Dec 2010 12:10:54 -0500
Subject: [PATCH] Avoid root password leak to process list

The current procedure of setting the root MySQL password leaks the root password by giving it to the setmysqlpass.sh script on the command line. This means that during the couple of seconds that the script is executing, the password is visible in the process list!

Since we're already writing the password in the /root/.my.cnf file, make the setmysqlpass.sh script parse this file to retrieve the password instead of receiving it from a command line argument.

Also, in some shells the 'echo' command might appear in the process list. Use a heredoc notation to create the output without using a command.

Signed-off-by: Gabriel Filion
---
 files/scripts/CentOS/setmysqlpass.sh | 9 +++++++--
 files/scripts/Debian/setmysqlpass.sh | 9 +++++++--
 manifests/server/base.pp | 2 +-
 3 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/files/scripts/CentOS/setmysqlpass.sh b/files/scripts/CentOS/setmysqlpass.sh
index d762a20..01d8fbf 100644
--- a/files/scripts/CentOS/setmysqlpass.sh
+++ b/files/scripts/CentOS/setmysqlpass.sh
@@ -1,12 +1,17 @@
 #!/bin/sh
-test $# -gt 0 || exit 1
+test -f /root/.my.cnf || exit 1
+
+rootpw=$(grep password /root/.my.cnf | sed -e 's/^[^=]*= *\(.*\) */\1/')
 /sbin/service mysqld stop
 /usr/libexec/mysqld --skip-grant-tables --user=root --datadir=/var/lib/mysql/data --log-bin=/var/lib/mysql/mysql-bin &
 sleep 5
-echo "USE mysql; UPDATE user SET Password=PASSWORD('$1') WHERE User='root' AND Host='localhost';" | mysql -u root
+mysql -u root mysql < "/usr/local/sbin/setmysqlpass.sh ${mysql_rootpw}",
+ command => '/usr/local/sbin/setmysqlpass.sh',
 unless => "mysqladmin -uroot status > /dev/null",
 require => [ File['mysql_setmysqlpass.sh'], Package['mysql-server'] ],
 refreshonly => true,