[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Aw: Chained command prints password in Clear Text and breaks BASH Sessio

From: John Kearney
Subject: Aw: Chained command prints password in Clear Text and breaks BASH Session until logout
Date: Thu, 11 Jul 2013 19:47:47 +0200 (CEST)

   This isn't a but in bash.
   firstly once a program is started it takes over the input so the fact
   that your password is echoed to the terminal is because myspl allows it
   not bash, and in mysql defense this is the normal behaviour for command
   line tools.

   Secondly both mysqldump  and mysql start at the same time and can
   potentially be reading the password also at the same time.
   on some systems and for some apps it could happen that.

   password for mysqldump p1234
   password for mysql          p5678

   the way you are staring them you could potentially end up with

   mysqldump getting p5274
   mysql getting  p1638

   basically you should give the password on the command line to mysql.
   something like
   read -sp "Password:" Password
   mysqldump -u someuser --password ${Password} -p somedb | mysql -u
   someuser --password ${Password} -p -D someotherdb

   Gesendet: Mittwoch, 10. Juli 2013 um 23:54 Uhr
   Von: "Jason Sipula" <address@hidden>
   An: address@hidden
   Betreff: Chained command prints password in Clear Text and breaks BASH
   Session until logout
   Configuration Information [Automatically generated, do not change]:
   Machine: x86_64
   OS: linux-gnu
   Compiler: gcc
   Compilation CFLAGS: -DPROGRAM='bash' -DCONF_HOSTTYPE='x86_64'
   -DCONF_OSTYPE='linux-gnu' -DCONF_MACHTYPE='x86_64-redhat-linux-gnu'
   -DCONF_VENDOR='redhat' -DLOCALEDIR='/usr/share/locale' -DPACKAGE='bash'
   -DSHELL -DHAVE_CONFIG_H -I. -I. -I./include -I./lib -D_GNU_SOURCE
   -DRECYCLES_PIDS -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
   -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fwrapv
   uname output: Linux appsrv01.js.local 2.6.32-358.6.1.el6.x86_64 #1 SMP
   Apr 23 19:29:00 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
   Machine Type: x86_64-redhat-linux-gnu
   Bash Version: 4.1
   Patch Level: 2
   Release Status: release
   Reproducible from both an SSH session as well as directly at the
   On BASH 4.1.x (4.1.2) running under CentOS 6.x (6.4 Final) and MySQL
   (5.1.69). I believe this bug will persist on all distros running BASH
   After running the chained command (see below "Repeat-By" section), BASH
   allows a password field to be seen in Clear Text, and then the BASH
   breaks until BASH session is restarted (logout then login).
   The purpose of the command is to dump the database "somedb" ... which
   normally dump to a text file for import later... but instead redirect
   stdout to the stdin of the chained mysql command which will import all
   data from "somedb" into "someotherdb" on the same MySQL host. The
   works, but there's two problems.
   MySQL correctly challenges for password of "someuser" to perform the
   mysqldump part, but once you type in the password and hit ENTER, it
   to a new blank line without the shell prompt and just sits. It is
   for you to type in the password for "someuser" as the second part of
   command (but does not prompt for this and it's not intuitive, it
   as-if the command is running)... If you type, it's in clear text!
   Potentially a major security issue there.
   It gets worse...
   After you hit ENTER a second time, the command will finish, and it will
   return a fresh line with the shell prompt. Everything looks normal...
   try typing. Nothing will show at all, however it is sending the keys to
   shell and will execute commands if you type them in and hit ENTER. Each
   successful command will return you to a fresh shell line, but same
   happens until you log out and back in (to restart BASH). Also, while
   is happening, you can hit the ENTER key over and over and BASH will
   keep repeating the shell prompt on the same line.
   At the shell, issue the command:
   ~]# mysqldump -u someuser -p somedb | mysql -u someuser -p -D
   Shouldn't need to run that command as root, but the mysql user must be
   privileged enough to work with the two databases. To simplify things
   can replace "someuser" with root.
   Thank you,
   Jason Sipula

reply via email to

[Prev in Thread] Current Thread [Next in Thread]