Skip to content

security(demoLibrary): mariadb root password passed via mysqladmin/mysql -p<pass> on cmdline (ps-visible) #158

Description

@bradymiller

Bug

docker/scripts/demoLibrary.source passes the mariadb root password on the command line to mysqladmin / mysql in stopDemo() (called by restartFarm.sh) and adjacent restart helpers. Once the process is running, the password is visible to any user on the host via ps auxf, /proc/<pid>/cmdline, or similar.

Example, stopDemo() around L110–128 (post-C3b state):

mysqladmin -f -h "${MYSQLIP}" -u root -p"${2}" drop "${1}"
mysqladmin -f -h "${MYSQLIP}" -u root -p"${2}" drop "${1}"_a
...
mysql -f -h "${MYSQLIP}" -u root -p"${2}" -e "DROP USER '${1}';FLUSH PRIVILEGES;"
...

Every mysqladmin/mysql invocation carries -p"${2}" on argv.

Current real-world risk

Low, same reasoning as #155:

  • The current mariadb_root_password value in ip_map_branch.txt col 12 is literally hey for every row, and hey is the documented MYSQL_ROOT_PASSWORD env in demoLibrary.source:174. The value isn't a secret.
  • Host access to ps requires a login on the demo EC2 instance, which is already privileged.

Why fix it anyway

The pattern is a documented anti-pattern (MySQL manual: End-User Guidelines for Password Security). If anyone:

  • Sets a per-cluster mariadb root password to a real value in ip_map_branch.txt, or
  • Grants low-privilege shell access to the demo host,

…the leak becomes a real disclosure with no warning, because nothing flags command-line credentials as a bad shape.

Proposed fix

Two mechanically-safe options, either works:

Option A — MYSQL_PWD env var:

MYSQL_PWD="${2}" mysqladmin -f -h "${MYSQLIP}" -u root drop "${1}"
MYSQL_PWD="${2}" mysqladmin -f -h "${MYSQLIP}" -u root drop "${1}"_a
# ...

Keeps the credential out of argv. MYSQL_PWD is still visible via /proc/<pid>/environ but requires the same host access as ps; it's the shape MySQL itself endorses as "the right way" for scripts.

Option B — --defaults-file:

Write the password to a mktemp'd file with 0600 perms, then mysqladmin --defaults-file=/tmp/xxx .... Slightly more setup, no /proc/environ exposure at all.

Severity

Major (pattern), Low (current impact). Same defense-in-depth class as #155.

Related

Source

Rabbit review on PR #157 (docker/scripts/demoLibrary.source:94-118, marked as "pre-existing, not introduced here" nitpick).

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions