[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Aw: Chained command prints password in Clear Text and breaks BASH Sessio
From: |
John Kearney |
Subject: |
Aw: Chained command prints password in Clear Text and breaks BASH Session until logout |
Date: |
Thu, 11 Jul 2013 19:47:47 +0200 (CEST) |
This isn't a but in bash.
firstly once a program is started it takes over the input so the fact
that your password is echoed to the terminal is because myspl allows it
not bash, and in mysql defense this is the normal behaviour for command
line tools.
Secondly both mysqldump and mysql start at the same time and can
potentially be reading the password also at the same time.
on some systems and for some apps it could happen that.
password for mysqldump p1234
password for mysql p5678
the way you are staring them you could potentially end up with
mysqldump getting p5274
mysql getting p1638
basically you should give the password on the command line to mysql.
something like
read -sp "Password:" Password
mysqldump -u someuser --password ${Password} -p somedb | mysql -u
someuser --password ${Password} -p -D someotherdb
Gesendet: Mittwoch, 10. Juli 2013 um 23:54 Uhr
Von: "Jason Sipula" <alupis1@gmail.com>
An: bug-bash@gnu.org
Betreff: Chained command prints password in Clear Text and breaks BASH
Session until logout
Configuration Information [Automatically generated, do not change]:
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -DPROGRAM='bash' -DCONF_HOSTTYPE='x86_64'
-DCONF_OSTYPE='linux-gnu' -DCONF_MACHTYPE='x86_64-redhat-linux-gnu'
-DCONF_VENDOR='redhat' -DLOCALEDIR='/usr/share/locale' -DPACKAGE='bash'
-DSHELL -DHAVE_CONFIG_H -I. -I. -I./include -I./lib -D_GNU_SOURCE
-DRECYCLES_PIDS -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
-fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fwrapv
uname output: Linux appsrv01.js.local 2.6.32-358.6.1.el6.x86_64 #1 SMP
Tue
Apr 23 19:29:00 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
Machine Type: x86_64-redhat-linux-gnu
Bash Version: 4.1
Patch Level: 2
Release Status: release
Description:
Reproducible from both an SSH session as well as directly at the
console.
On BASH 4.1.x (4.1.2) running under CentOS 6.x (6.4 Final) and MySQL
5.1.x
(5.1.69). I believe this bug will persist on all distros running BASH
4.x.x
After running the chained command (see below "Repeat-By" section), BASH
allows a password field to be seen in Clear Text, and then the BASH
session
breaks until BASH session is restarted (logout then login).
The purpose of the command is to dump the database "somedb" ... which
would
normally dump to a text file for import later... but instead redirect
stdout to the stdin of the chained mysql command which will import all
the
data from "somedb" into "someotherdb" on the same MySQL host. The
command
works, but there's two problems.
MySQL correctly challenges for password of "someuser" to perform the
mysqldump part, but once you type in the password and hit ENTER, it
skips
to a new blank line without the shell prompt and just sits. It is
waiting
for you to type in the password for "someuser" as the second part of
the
command (but does not prompt for this and it's not intuitive, it
appears
as-if the command is running)... If you type, it's in clear text!
Potentially a major security issue there.
It gets worse...
After you hit ENTER a second time, the command will finish, and it will
return a fresh line with the shell prompt. Everything looks normal...
but
try typing. Nothing will show at all, however it is sending the keys to
the
shell and will execute commands if you type them in and hit ENTER. Each
successful command will return you to a fresh shell line, but same
thing
happens until you log out and back in (to restart BASH). Also, while
this
is happening, you can hit the ENTER key over and over and BASH will
just
keep repeating the shell prompt on the same line.
Repeat-By:
At the shell, issue the command:
~]# mysqldump -u someuser -p somedb | mysql -u someuser -p -D
someotherdb
Shouldn't need to run that command as root, but the mysql user must be
privileged enough to work with the two databases. To simplify things
you
can replace "someuser" with root.
Thank you,
Jason Sipula
alupis1@gmail.com
Re: Chained command prints password in Clear Text and breaks BASH Session until logout, Chris Down, 2013/07/11