Every time the root password reset is used we're leaking the password to
the process list. If we use the already present /root/.my.cnf for
credentials then it has the same effect for verification and we avoid
leaking the password.
* EL7 uses mariadb & systemd -> adjust setpasswd script to that
* move the security ensurance to the setpassword script, as it's
easier to ensure that there
To workaround a limitation of the exec provider within puppet, we
do the unless check no within the script itself and ensure that
we use the password there.
https://labs.riseup.net/code/issues/6638
Since this script is rooting the database, it'd be good to use a little
more precaution so that we don't let systems be in an inconsistent case
when crashing.
In cases where the PATH variable is not appropriately set (variable is
empty by default when script is invoked by puppet) the script shuts down
mysql and then is not able to call most commands.
The current procedure of setting the root MySQL password leaks the root
password by giving it to the setmysqlpass.sh script on the command line.
This means that during the couple of seconds that the script is
executing, the password is visible in the process list!
Since we're already writing the password in the /root/.my.cnf file, make
the setmysqlpass.sh script parse this file to retrieve the password
instead of receiving it from a command line argument.
Also, in some shells the 'echo' command might appear in the process
list. Use a heredoc notation to create the output without using a
command.
Signed-off-by: Gabriel Filion <lelutin@gmail.com>
