bug-bash
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Aw: Chained command prints password in Clear Text and breaks BASH Sessio


From: John Kearney
Subject: Aw: Chained command prints password in Clear Text and breaks BASH Session until logout
Date: Thu, 11 Jul 2013 19:47:47 +0200 (CEST)

   This isn't a but in bash.
   firstly once a program is started it takes over the input so the fact
   that your password is echoed to the terminal is because myspl allows it
   not bash, and in mysql defense this is the normal behaviour for command
   line tools.

   Secondly both mysqldump  and mysql start at the same time and can
   potentially be reading the password also at the same time.
   on some systems and for some apps it could happen that.

   password for mysqldump p1234
   password for mysql          p5678

   the way you are staring them you could potentially end up with

   mysqldump getting p5274
   mysql getting  p1638

   basically you should give the password on the command line to mysql.
   something like
   read -sp "Password:" Password
   mysqldump -u someuser --password ${Password} -p somedb | mysql -u
   someuser --password ${Password} -p -D someotherdb

   Gesendet: Mittwoch, 10. Juli 2013 um 23:54 Uhr
   Von: "Jason Sipula" <alupis1@gmail.com>
   An: bug-bash@gnu.org
   Betreff: Chained command prints password in Clear Text and breaks BASH
   Session until logout
   Configuration Information [Automatically generated, do not change]:
   Machine: x86_64
   OS: linux-gnu
   Compiler: gcc
   Compilation CFLAGS: -DPROGRAM='bash' -DCONF_HOSTTYPE='x86_64'
   -DCONF_OSTYPE='linux-gnu' -DCONF_MACHTYPE='x86_64-redhat-linux-gnu'
   -DCONF_VENDOR='redhat' -DLOCALEDIR='/usr/share/locale' -DPACKAGE='bash'
   -DSHELL -DHAVE_CONFIG_H -I. -I. -I./include -I./lib -D_GNU_SOURCE
   -DRECYCLES_PIDS -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
   -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fwrapv
   uname output: Linux appsrv01.js.local 2.6.32-358.6.1.el6.x86_64 #1 SMP
   Tue
   Apr 23 19:29:00 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
   Machine Type: x86_64-redhat-linux-gnu
   Bash Version: 4.1
   Patch Level: 2
   Release Status: release
   Description:
   Reproducible from both an SSH session as well as directly at the
   console.
   On BASH 4.1.x (4.1.2) running under CentOS 6.x (6.4 Final) and MySQL
   5.1.x
   (5.1.69). I believe this bug will persist on all distros running BASH
   4.x.x
   After running the chained command (see below "Repeat-By" section), BASH
   allows a password field to be seen in Clear Text, and then the BASH
   session
   breaks until BASH session is restarted (logout then login).
   The purpose of the command is to dump the database "somedb" ... which
   would
   normally dump to a text file for import later... but instead redirect
   stdout to the stdin of the chained mysql command which will import all
   the
   data from "somedb" into "someotherdb" on the same MySQL host. The
   command
   works, but there's two problems.
   MySQL correctly challenges for password of "someuser" to perform the
   mysqldump part, but once you type in the password and hit ENTER, it
   skips
   to a new blank line without the shell prompt and just sits. It is
   waiting
   for you to type in the password for "someuser" as the second part of
   the
   command (but does not prompt for this and it's not intuitive, it
   appears
   as-if the command is running)... If you type, it's in clear text!
   Potentially a major security issue there.
   It gets worse...
   After you hit ENTER a second time, the command will finish, and it will
   return a fresh line with the shell prompt. Everything looks normal...
   but
   try typing. Nothing will show at all, however it is sending the keys to
   the
   shell and will execute commands if you type them in and hit ENTER. Each
   successful command will return you to a fresh shell line, but same
   thing
   happens until you log out and back in (to restart BASH). Also, while
   this
   is happening, you can hit the ENTER key over and over and BASH will
   just
   keep repeating the shell prompt on the same line.
   Repeat-By:
   At the shell, issue the command:
   ~]# mysqldump -u someuser -p somedb | mysql -u someuser -p -D
   someotherdb
   Shouldn't need to run that command as root, but the mysql user must be
   privileged enough to work with the two databases. To simplify things
   you
   can replace "someuser" with root.
   Thank you,
   Jason Sipula
   alupis1@gmail.com


reply via email to

[Prev in Thread] Current Thread [Next in Thread]