Bug
docker/scripts/demoLibrary.source passes the mariadb root password on the command line to mysqladmin / mysql in stopDemo() (called by restartFarm.sh) and adjacent restart helpers. Once the process is running, the password is visible to any user on the host via ps auxf, /proc/<pid>/cmdline, or similar.
Example, stopDemo() around L110–128 (post-C3b state):
mysqladmin -f -h "${MYSQLIP}" -u root -p"${2}" drop "${1}"
mysqladmin -f -h "${MYSQLIP}" -u root -p"${2}" drop "${1}"_a
...
mysql -f -h "${MYSQLIP}" -u root -p"${2}" -e "DROP USER '${1}';FLUSH PRIVILEGES;"
...
Every mysqladmin/mysql invocation carries -p"${2}" on argv.
Current real-world risk
Low, same reasoning as #155:
- The current
mariadb_root_password value in ip_map_branch.txt col 12 is literally hey for every row, and hey is the documented MYSQL_ROOT_PASSWORD env in demoLibrary.source:174. The value isn't a secret.
- Host access to
ps requires a login on the demo EC2 instance, which is already privileged.
Why fix it anyway
The pattern is a documented anti-pattern (MySQL manual: End-User Guidelines for Password Security). If anyone:
- Sets a per-cluster mariadb root password to a real value in
ip_map_branch.txt, or
- Grants low-privilege shell access to the demo host,
…the leak becomes a real disclosure with no warning, because nothing flags command-line credentials as a bad shape.
Proposed fix
Two mechanically-safe options, either works:
Option A — MYSQL_PWD env var:
MYSQL_PWD="${2}" mysqladmin -f -h "${MYSQLIP}" -u root drop "${1}"
MYSQL_PWD="${2}" mysqladmin -f -h "${MYSQLIP}" -u root drop "${1}"_a
# ...
Keeps the credential out of argv. MYSQL_PWD is still visible via /proc/<pid>/environ but requires the same host access as ps; it's the shape MySQL itself endorses as "the right way" for scripts.
Option B — --defaults-file:
Write the password to a mktemp'd file with 0600 perms, then mysqladmin --defaults-file=/tmp/xxx .... Slightly more setup, no /proc/environ exposure at all.
Severity
Major (pattern), Low (current impact). Same defense-in-depth class as #155.
Related
Source
Rabbit review on PR #157 (docker/scripts/demoLibrary.source:94-118, marked as "pre-existing, not introduced here" nitpick).
Bug
docker/scripts/demoLibrary.sourcepasses the mariadb root password on the command line tomysqladmin/mysqlinstopDemo()(called byrestartFarm.sh) and adjacent restart helpers. Once the process is running, the password is visible to any user on the host viaps auxf,/proc/<pid>/cmdline, or similar.Example,
stopDemo()around L110–128 (post-C3b state):Every
mysqladmin/mysqlinvocation carries-p"${2}"on argv.Current real-world risk
Low, same reasoning as #155:
mariadb_root_passwordvalue inip_map_branch.txtcol 12 is literallyheyfor every row, andheyis the documentedMYSQL_ROOT_PASSWORDenv indemoLibrary.source:174. The value isn't a secret.psrequires a login on the demo EC2 instance, which is already privileged.Why fix it anyway
The pattern is a documented anti-pattern (MySQL manual: End-User Guidelines for Password Security). If anyone:
ip_map_branch.txt, or…the leak becomes a real disclosure with no warning, because nothing flags command-line credentials as a bad shape.
Proposed fix
Two mechanically-safe options, either works:
Option A —
MYSQL_PWDenv var:Keeps the credential out of argv.
MYSQL_PWDis still visible via/proc/<pid>/environbut requires the same host access asps; it's the shape MySQL itself endorses as "the right way" for scripts.Option B —
--defaults-file:Write the password to a
mktemp'd file with 0600 perms, thenmysqladmin --defaults-file=/tmp/xxx .... Slightly more setup, no/proc/environexposure at all.Severity
Major (pattern), Low (current impact). Same defense-in-depth class as #155.
Related
demo_build.shwrites the same mariadb password to$LOG. Same credential value, different code path (persistent log file vs. transient process listing).Source
Rabbit review on PR #157 (
docker/scripts/demoLibrary.source:94-118, marked as "pre-existing, not introduced here" nitpick).