Avoid root password leak to process list
The current procedure of setting the root MySQL password leaks the root password by giving it to the setmysqlpass.sh script on the command line. This means that during the couple of seconds that the script is executing, the password is visible in the process list! Since we're already writing the password in the /root/.my.cnf file, make the setmysqlpass.sh script parse this file to retrieve the password instead of receiving it from a command line argument. Also, in some shells the 'echo' command might appear in the process list. Use a heredoc notation to create the output without using a command. Signed-off-by: Gabriel Filion <lelutin@gmail.com>
This commit is contained in:
parent
fa67257056
commit
e894ddb718
3 changed files with 15 additions and 5 deletions
@ -1,12 +1,17 @@
#!/bin/sh
#!/bin/sh
test $# -gt 0 || exit 1
test -f /root/.my.cnf || exit 1
rootpw=$(grep password /root/.my.cnf | sed -e 's/^[^=]*= *\(.*\) */\1/')
/sbin/service mysqld stop
/sbin/service mysqld stop
/usr/libexec/mysqld --skip-grant-tables --user=root --datadir=/var/lib/mysql/data --log-bin=/var/lib/mysql/mysql-bin &
/usr/libexec/mysqld --skip-grant-tables --user=root --datadir=/var/lib/mysql/data --log-bin=/var/lib/mysql/mysql-bin &
sleep 5
sleep 5
echo "USE mysql; UPDATE user SET Password=PASSWORD('$1') WHERE User='root' AND Host='localhost';" | mysql -u root
mysql -u root mysql <<EOF
UPDATE mysql.user SET Password=PASSWORD('$rootpw') WHERE User='root' AND Host='localhost';
FLUSH PRIVILEGES;
EOF
killall mysqld
killall mysqld
# chown to be on the safe side
# chown to be on the safe side
chown mysql.mysql /var/lib/mysql/mysql-bin.*
chown mysql.mysql /var/lib/mysql/mysql-bin.*
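Review bot: The new `rootpw=$(grep password /root/.my.cnf | sed ...)` line has no check that a value was actually found, so an option file without a matching line leaves `$rootpw` empty and the heredoc quietly runs `PASSWORD('')`, setting an empty root password. `grep password` also matches any line containing that word (a commented-out entry, or a second section that repeats it), and with several matches `$rootpw` becomes multi-line and corrupts the UPDATE statement. I would anchor the match and fail closed: `rootpw=$(sed -n 's/^password[[:space:]]*=[[:space:]]*//p' /root/.my.cnf | head -n 1)` followed by `[ -n "$rootpw" ] || exit 1`. Note too that the unquoted `<<EOF` heredoc lets the shell expand `$`, backticks and backslashes inside the password before it reaches mysql, and a `'` in the value breaks the SQL quoting, so the script should at least document which characters the password may not contain. The same applies to the second file's hunk, which duplicates this code.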
@ -1,12 +1,17 @@
#!/bin/sh
#!/bin/sh
test $# -gt 0 || exit 1
test -f /root/.my.cnf || exit 1
rootpw=$(grep password /root/.my.cnf | sed -e 's/^[^=]*= *\(.*\) */\1/')
/etc/init.d/mysql stop
/etc/init.d/mysql stop
/usr/sbin/mysqld --skip-grant-tables --user=root --datadir=/var/lib/mysql --log-bin=/var/lib/mysql/mysql-bin &
/usr/sbin/mysqld --skip-grant-tables --user=root --datadir=/var/lib/mysql --log-bin=/var/lib/mysql/mysql-bin &
sleep 5
sleep 5
echo "USE mysql; UPDATE user SET Password=PASSWORD('$1') WHERE User='root' AND Host='localhost';" | mysql -u root
mysql -u root mysql <<EOF
UPDATE mysql.user SET Password=PASSWORD('$rootpw') WHERE User='root' AND Host='localhost';
FLUSH PRIVILEGES;
EOF
killall mysqld
killall mysqld
sleep 15
sleep 15
# chown to be on the safe side
# chown to be on the safe side
@ -55,7 +55,7 @@ class mysql::server::base {
}
}
exec { 'mysql_set_rootpw':
exec { 'mysql_set_rootpw':
command => "/usr/local/sbin/setmysqlpass.sh ${mysql_rootpw}",
command => '/usr/local/sbin/setmysqlpass.sh',
unless => "mysqladmin -uroot status > /dev/null",
unless => "mysqladmin -uroot status > /dev/null",
require => [ File['mysql_setmysqlpass.sh'], Package['mysql-server'] ],
require => [ File['mysql_setmysqlpass.sh'], Package['mysql-server'] ],
refreshonly => true,
refreshonly => true,
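Review bot: The exec on the `command => '/usr/local/sbin/setmysqlpass.sh'` line now depends on /root/.my.cnf already holding the password, but its `require` list still names only the script and the package, so on a fresh host the refresh can fire before the option file is written and the script exits 1 on its `test -f /root/.my.cnf || exit 1` guard. If that file is managed by a File resource in this class, add it to the ordering: `require => [ File['mysql_setmysqlpass.sh'], File['<root-my-cnf-resource>'], Package['mysql-server'] ],` with the placeholder replaced by that resource's title. The enclosing `mysql::server::base` class continues outside the hunk.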