major/MySQLTuner-perl

Disclosed password in ps aux output

Opened this issue · 8 comments

Hello,

In certain cases mysqltuner 1.7.0 runs a little bit longer than expected, and in this case a superuser's password can be seen in ps aux output.

root 11718 0.0 0.0 106120 1188 pts/3 S+ 15:19 0:00 sh -c /usr/bin/mysql -u da_admin -psecret -Bse "\wSELECT ENGINE,SUM(DATA_LENGTH+INDEX_LENGTH),COUNT(ENGINE),SUM(DATA_LENGTH),SUM(INDEX_LENGTH) FROM information_schema.TABLES WHERE TABLE_SCHEMA NOT IN ('information_schema', 'performance_schema', 'mysql') AND ENGINE IS NOT NULL GROUP BY ENGINE ORDER BY ENGINE ASC;" 2>>/dev/null

at the same time I can see another query running with a hidden password:

root 11719 0.0 0.0 195900 1832 pts/3 S+ 15:19 0:00 /usr/bin/mysql -u da_admin -px xxxxxx -Bse \wSELECT ENGINE,SUM(DATA_LENGTH+INDEX_LENGTH),COUNT(ENGINE),SUM(DATA_LENGTH),SUM(INDEX_LENGTH) FROM information_schema.TABLES WHERE TABLE_SCHEMA NOT IN ('information_schema', 'performance_schema', 'mysql') AND ENGINE IS NOT NULL GROUP BY ENGINE ORDER BY ENGINE ASC;

Kindly advise.

p.s.
mysqltuner 1.7.0
MySQL version 5.5.53
CentOS release 6.8 (Final)

Regards,
Alex.

Hi @poralix
Thanks for your feedback !
Security is an issue on mysqltuner. You are absolutely right!

This comes from the command line builder using the password on the command line.
MySQLTuner is developed for minimum dependency usage (in production, for example).

In order to fix this security issue, prefer to use a non-privileged user.
Look at the FAQ:
GRANT SELECT, PROCESS, EXECUTE, REPLICATION CLIENT, SHOW DATABASES, SHOW VIEW ON *.* TO 'mysqltuner'@'localhost' IDENTIFIED BY 'pwd1234';

Then, using a .my.cnf or .mylogin.cnf solution allows you to keep your password secret.

BR
@jmrenouard
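The two ps lines in the report show the problem precisely: the mysql client masks its own argv (`-px xxxxxx`), but the `sh -c "…"` wrapper that launched it still carries the real password in its command string, so anyone who can read /proc/<pid>/cmdline (any local user, by default) sees it. The following is an added example, not MySQLTuner's code and not from either participant. It parses constructed `ps aux` rows modelled on the report (queries shortened to `SELECT 1;`), flags every mysql-client invocation whose argv literally contains a password while ignoring the client's masked form and a bare `-p` prompt, and then shows the alternative the maintainer recommends: a mode-0600 `[client]` defaults file read with `--defaults-extra-file`, which keeps the password out of argv entirely. The `/usr/bin/mysql` path and the defaults-file location are assumptions for illustration.

```python
"""Find MySQL passwords exposed in `ps aux` output and build an argv that does
not expose one.  Added example; not part of MySQLTuner."""
import os
import shlex
import stat
import tempfile

MYSQL_CLIENTS = {"mysql", "mysqladmin", "mysqldump", "mysqlcheck"}

# Constructed sample (queries shortened), modelled on the report: pid 11718 is
# the `sh -c` wrapper with the real password, 11719 the mysql child after it
# masked its argv, 11720 a run that reads credentials from a defaults file.
SAMPLE_PS = """\
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 11718 0.0 0.0 106120 1188 pts/3 S+ 15:19 0:00 sh -c /usr/bin/mysql -u da_admin -psecret -Bse "SELECT 1;" 2>>/dev/null
root 11719 0.0 0.0 195900 1832 pts/3 S+ 15:19 0:00 /usr/bin/mysql -u da_admin -px xxxxxx -Bse SELECT 1;
root 11720 0.0 0.0 195900 1832 pts/3 S+ 15:19 0:00 /usr/bin/mysql --defaults-extra-file=/root/.my.cnf -Bse SELECT 1;
"""


def parse_ps_aux(text):
    """Yield (pid, argv) for each `ps aux` row.  The COMMAND column is re-split
    with shlex so the string handed to `sh -c` is unpacked into tokens too."""
    for line in text.splitlines():
        fields = line.split(None, 10)          # 10 fixed columns, then COMMAND
        if len(fields) < 11 or not fields[1].isdigit():
            continue                           # header or truncated row
        try:
            argv = shlex.split(fields[10])
        except ValueError:                     # unbalanced quotes in a long row
            argv = fields[10].split()
        yield int(fields[1]), argv


def exposed_password(argv):
    """Return the password literally present in a mysql-client argv, or None.

    `-p` with no value makes the client prompt, and `-px xxxxxx` is what the
    client leaves behind after masking its own argv; neither is a disclosure.
    """
    if not any(os.path.basename(tok) in MYSQL_CLIENTS for tok in argv):
        return None
    for i, tok in enumerate(argv):
        if tok.startswith("--password="):
            return tok[len("--password="):]
        if tok.startswith("-p") and not tok.startswith("--") and len(tok) > 2:
            nxt = argv[i + 1] if i + 1 < len(argv) else ""
            if tok == "-px" and nxt and set(nxt) == {"x"}:
                continue                       # masked by the client itself
            return tok[2:]
    return None


def find_exposed_passwords(ps_text):
    """Map pid -> exposed password for every offending row in `ps aux` text."""
    hits = {}
    for pid, argv in parse_ps_aux(ps_text):
        password = exposed_password(argv)
        if password is not None:
            hits[pid] = password
    return hits


def write_client_defaults(user, password, directory=None):
    """Write a [client] section to a file only the owner can read and return
    its path.  mkstemp already creates the file 0600; chmod makes it explicit."""
    fd, path = tempfile.mkstemp(prefix="my-", suffix=".cnf", dir=directory)
    with os.fdopen(fd, "w") as fh:
        fh.write(f'[client]\nuser={user}\npassword="{password}"\n')
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return path


def safe_mysql_argv(defaults_file, query):
    """argv for the same kind of query the report shows, credentials read from
    the file.  --defaults-extra-file must be the first option the client sees."""
    return ["/usr/bin/mysql", f"--defaults-extra-file={defaults_file}", "-Bse", query]


def hardened_run(user, password, query):
    """Write the defaults file, build the argv, report what ps would now see."""
    path = write_client_defaults(user, password)
    try:
        argv = safe_mysql_argv(path, query)
        return {
            "mode": oct(os.stat(path).st_mode & 0o777),
            "argv_exposes_password": exposed_password(argv) is not None,
            "password_in_argv": password in " ".join(argv),
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for pid, pw in find_exposed_passwords(SAMPLE_PS).items():
        print(f"pid {pid}: password exposed in argv: {pw!r}")
    print(hardened_run("mysqltuner", "pwd1234", "SELECT 1;"))
```

Running it against the sample flags only pid 11718 (the wrapper) and nothing for the masked child or the defaults-file run. Two caveats a practitioner should keep in mind: the defaults file must itself be readable only by the invoking user, which is the whole point of the 0600 mode above, and a password containing `"` or `#` needs escaping in my.cnf syntax, so such values are better placed with `mysql_config_editor` in `.mylogin.cnf`, as the FAQ suggests.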

Hello @jmrenouard,

Thank you for your suggestion. I should have mentioned that the issue happens on servers with DirectAdmin (the hosting panel), which by default has /usr/local/directadmin/conf/my.cnf containing the superuser username and password. And mysqltuner detects the file automatically by default. I'm sure mysqltuner's community is very big, and DirectAdmin has a growing community too, and all admins and users would need to follow the steps and create a secure user... but why then does mysqltuner autodetect the file? Probably it should not detect the file, and should suggest creating a more secure user instead?

Regards,
Alex.

Hi @poralix,

We try to build a tool that is as unintrusive as possible.
So mysqltuner shouldn't be able to perform admin operations automatically, because they can have side effects we can control completely.

Make it run with as few privileges as possible, and if not, run it with an already created user.

@jmrenouard

@jmrenouard,

So, now that I know about the issue, I can create a user with minimal privileges and make myself secure. What about other users who trust mysqltuner and don't even think their password can be hijacked?

Probably you should add a line under Security Recommendations?! Saying...

Hi DirectAdmin user! We detected that you run mysqltuner with da_admin's credentials taken from /usr/local/directadmin/conf/my.cnf, which might lead to password discovery! Read link for more details.

Or do I miss anything?

Regards,
Alex.

I have had this section in the README file.

Thanks a lot !

I added an info message related to password disclosure with the --pass option.

Hi @poralix

I closed this issue! The documentation and logging in the script have been updated to provide security information regarding this issue.

Feel free to reopen it if needed.

Maybe I'm missing something, but I've tried passing both the --userenv/--passenv options and --defaults-file to mysqltuner.pl, and there is still a process running with da_admin and its password visible in the output from ps. What exactly is the correct combination of options to avoid this?