← Back to team overview

mythbuntu-bugs team mailing list archive

  1. mythbuntu-bugs team
  2. Mailing list archive
  3. Message #04959

[Bug 789356] Re: passwords leaked on command line

  Thread PreviousDate PreviousThread Next 
** Visibility changed to: Public

** Changed in: mythtv (Ubuntu)
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of Mythbuntu
Bug Team, which is subscribed to mythtv in Ubuntu.
https://bugs.launchpad.net/bugs/789356

Title:
  passwords leaked on command line

Status in “mythtv” package in Ubuntu:
  Confirmed

Bug description:
  Binary package hint: mythtv

  Mysql passwords are leaked on the command line, visible by any local
  user running "ps".

  See:
  ./debian/mythtv-database.config:            while ! echo "show databases;" | mysql --host="$HOST" --user="$USER" --password="$PASSWORD" >/dev/null 2>&1; do
  ./mythplugins/mythvideo/contrib/videometadata:     echo "UPDATE  videometadata SET coverfile=\"$THUMB_PATH\"  WHERE filename=\"${DATEI}\" ;" | mysql -u $USER --password=$PASSW -D $DATABASE -h $HOST
  ./mythplugins/mythvideo/contrib/videometadata:    echo "UPDATE  videometadata SET coverfile=\"$THUMB_PATH\"  WHERE filename=\"${DATEI}\" ;" | mysql -u $USER --password=$PASSW -D $DATABASE -h $HOST
  ./mythplugins/mythvideo/contrib/videometadata:echo "UPDATE  videometadata SET showlevel=$SHOWLEVEL  WHERE filename LIKE '$RATED_DIR/%' ;" | mysql -u $USER --password=$PASSW -D $DATABASE -h $HOST

  and

  ./debian/mythtv-database.postinst:        mysql $SECURITY_INFO $database
  ./debian/mythtv-database.postinst:        mysql $SECURITY_INFO "$database" >/dev/null 2>&1; then
  ./debian/mythtv-database.postinst:        mysql $SECURITY_INFO "$database" >/dev/null 2>&1; then
  ./debian/mythtv-database.postinst:    SECURITY_INFO="--host=\"$hostname\" --user=\"$admin_username\" $admin_password"
  ./debian/mythtv-database.postinst:        mysql $SECURITY_INFO "$database" >/dev/null 2>&1; then
  ./debian/mythtv-database.postinst:        mysql $SECURITY_INFO "$database" >/dev/null 2>&1; then
  ./debian/mythtv-database.postinst:        SECURITY_INFO="--defaults-file=/etc/mysql/debian.cnf"
  ./debian/mythtv-database.postinst:        SECURITY_INFO="--host=\"$hostname\" --user=\"$admin_username\" $admin_password"
  ./debian/mythtv-database.postinst:    if ! echo "SELECT NULL;" | mysql $SECURITY_INFO "$database" >/dev/null 2>&1; then
  ./debian/mythtv-database.postinst:        while ! echo "CREATE DATABASE $database;" | mysql $SECURITY_INFO ; do
  ./debian/mythtv-database.postinst:    if ! echo "SELECT value FROM settings LIMIT 1, 1;" | mysql $SECURITY_INFO "$database" >/dev/null 2>&1; then

  
  The proper fix is to use a --defaults-file containing the password, per:
   * http://dev.mysql.com/doc/refman/5.1/en/option-files.html#option_general_defaults-file
  Thread PreviousDate PreviousThread Next