[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Aw: Re: Chained command prints password in Clear Text and breaks BASH Se
|
From: |
John Kearney |
|
Subject: |
Aw: Re: Chained command prints password in Clear Text and breaks BASH Session until logout |
|
Date: |
Thu, 11 Jul 2013 20:04:10 +0200 (CEST) |
Sorry made a typo in the last email I meant try
stty echo
sounds like echo is turned off
try typing
stty echo
when you you say you don't see any output.
And if echoing is turned off it was probably turned off my mysql.
Gesendet: Donnerstag, 11. Juli 2013 um 19:53 Uhr
Von: "Jason Sipula" <alupis1@gmail.com>
An: Kein Empfänger
Cc: bug-bash@gnu.org
Betreff: Re: Chained command prints password in Clear Text and breaks
BASH Session until logout
I probably should have filed two different reports for this. Sorry for
any
confusion guys.
The password makes sense to me why it allows clear text...
The second issue is once the command terminates, bash session does not
behave normally at all. Nothing typed into the terminal over SSH or
directly on the console displays, however it does receive the keys.
Also,
if you repeatedly hit ENTER key, instead of skipping to new line, it
just
repeats the bash prompt over and over in a single line. So far
restarting
bash session (by logging out then back in) is the only way I have found
to
"fix" the session and return to normal functionality.
On Thu, Jul 11, 2013 at 10:47 AM, John Kearney <dethrophes@web.de>
wrote:
>
> This isn't a but in bash.
> firstly once a program is started it takes over the input so the fact
that
> your password is echoed to the terminal is because myspl allows it
not
> bash, and in mysql defense this is the normal behaviour for command
line
> tools.
>
> Secondly both mysqldump and mysql start at the same time and can
> potentially be reading the password also at the same time.
> on some systems and for some apps it could happen that.
>
> password for mysqldump p1234
> password for mysql p5678
>
> the way you are staring them you could potentially end up with
>
> mysqldump getting p5274
> mysql getting p1638
>
> basically you should give the password on the command line to mysql.
>
> something like
> read -sp "Password:" Password
> mysqldump -u someuser --password ${Password} -p somedb | mysql -u
someuser
> --password ${Password} -p -D someotherdb
>
> *Gesendet:* Mittwoch, 10. Juli 2013 um 23:54 Uhr
> *Von:* "Jason Sipula" <alupis1@gmail.com>
> *An:* bug-bash@gnu.org
> *Betreff:* Chained command prints password in Clear Text and breaks
BASH
> Session until logout
> Configuration Information [Automatically generated, do not change]:
> Machine: x86_64
> OS: linux-gnu
> Compiler: gcc
> Compilation CFLAGS: -DPROGRAM='bash' -DCONF_HOSTTYPE='x86_64'
> -DCONF_OSTYPE='linux-gnu' -DCONF_MACHTYPE='x86_64-redhat-linux-gnu'
> -DCONF_VENDOR='redhat' -DLOCALEDIR='/usr/share/locale'
-DPACKAGE='bash'
> -DSHELL -DHAVE_CONFIG_H -I. -I. -I./include -I./lib -D_GNU_SOURCE
> -DRECYCLES_PIDS -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2
-fexceptions
> -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic
-fwrapv
> uname output: Linux appsrv01.js.local 2.6.32-358.6.1.el6.x86_64 #1
SMP Tue
> Apr 23 19:29:00 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
> Machine Type: x86_64-redhat-linux-gnu
>
> Bash Version: 4.1
> Patch Level: 2
> Release Status: release
>
> Description:
>
> Reproducible from both an SSH session as well as directly at the
console.
>
> On BASH 4.1.x (4.1.2) running under CentOS 6.x (6.4 Final) and MySQL
5.1.x
> (5.1.69). I believe this bug will persist on all distros running BASH
4.x.x
>
> After running the chained command (see below "Repeat-By" section),
BASH
> allows a password field to be seen in Clear Text, and then the BASH
session
> breaks until BASH session is restarted (logout then login).
>
> The purpose of the command is to dump the database "somedb" ... which
would
> normally dump to a text file for import later... but instead redirect
> stdout to the stdin of the chained mysql command which will import
all the
> data from "somedb" into "someotherdb" on the same MySQL host. The
command
> works, but there's two problems.
>
> MySQL correctly challenges for password of "someuser" to perform the
> mysqldump part, but once you type in the password and hit ENTER, it
skips
> to a new blank line without the shell prompt and just sits. It is
waiting
> for you to type in the password for "someuser" as the second part of
the
> command (but does not prompt for this and it's not intuitive, it
appears
> as-if the command is running)... If you type, it's in clear text!
> Potentially a major security issue there.
>
> It gets worse...
>
> After you hit ENTER a second time, the command will finish, and it
will
> return a fresh line with the shell prompt. Everything looks normal...
but
> try typing. Nothing will show at all, however it is sending the keys
to the
> shell and will execute commands if you type them in and hit ENTER.
Each
> successful command will return you to a fresh shell line, but same
thing
> happens until you log out and back in (to restart BASH). Also, while
this
> is happening, you can hit the ENTER key over and over and BASH will
just
> keep repeating the shell prompt on the same line.
>
> Repeat-By:
>
> At the shell, issue the command:
>
> ~]# mysqldump -u someuser -p somedb | mysql -u someuser -p -D
someotherdb
>
> Shouldn't need to run that command as root, but the mysql user must
be
> privileged enough to work with the two databases. To simplify things
you
> can replace "someuser" with root.
>
> Thank you,
>
> Jason Sipula
> alupis1@gmail.com
>
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- Aw: Re: Chained command prints password in Clear Text and breaks BASH Session until logout,
John Kearney <=