Re: Re: Chained command prints password in Clear Text and breaks BASH Session until logout

[Jason Sipula]

Bingo.

~]# stty echo

This fixed bash. So it does appear MySQL is disabling echo.Strange that it
does not re-enable it after it's finished running. I'll take this up with
the mysql folks.

Thank you to everyone!


On Thu, Jul 11, 2013 at 11:00 AM, John Kearney <dethrophes@web.de> wrote:

>  sounds like echo is turned off
> try typing
> stty +echo
> when you  you say you don't see any output.
> And if its turned off it was probably turned off my mysql.
> *Gesendet:* Donnerstag, 11. Juli 2013 um 19:53 Uhr
> *Von:* "Jason Sipula" <alupis1@gmail.com>
> *An:* Kein Empfänger
> *Cc:* bug-bash@gnu.org
> *Betreff:* Re: Chained command prints password in Clear Text and breaks
> BASH Session until logout
> I probably should have filed two different reports for this. Sorry for any
> confusion guys.
>
> The password makes sense to me why it allows clear text...
>
> The second issue is once the command terminates, bash session does not
> behave normally at all. Nothing typed into the terminal over SSH or
> directly on the console displays, however it does receive the keys. Also,
> if you repeatedly hit ENTER key, instead of skipping to new line, it just
> repeats the bash prompt over and over in a single line. So far restarting
> bash session (by logging out then back in) is the only way I have found to
> "fix" the session and return to normal functionality.
>
>
> On Thu, Jul 11, 2013 at 10:47 AM, John Kearney <dethrophes@web.de> wrote:
>
> >
> > This isn't a but in bash.
> > firstly once a program is started it takes over the input so the fact
> that
> > your password is echoed to the terminal is because myspl allows it not
> > bash, and in mysql defense this is the normal behaviour for command line
> > tools.
> >
> > Secondly both mysqldump and mysql start at the same time and can
> > potentially be reading the password also at the same time.
> > on some systems and for some apps it could happen that.
> >
> > password for mysqldump p1234
> > password for mysql p5678
> >
> > the way you are staring them you could potentially end up with
> >
> > mysqldump getting p5274
> > mysql getting p1638
> >
> > basically you should give the password on the command line to mysql.
> >
> > something like
> > read -sp "Password:" Password
> > mysqldump -u someuser --password ${Password} -p somedb | mysql -u
> someuser
> > --password ${Password} -p -D someotherdb
> >
> > *Gesendet:* Mittwoch, 10. Juli 2013 um 23:54 Uhr
> > *Von:* "Jason Sipula" <alupis1@gmail.com>
> > *An:* bug-bash@gnu.org
> > *Betreff:* Chained command prints password in Clear Text and breaks BASH
>
> > Session until logout
> > Configuration Information [Automatically generated, do not change]:
> > Machine: x86_64
> > OS: linux-gnu
> > Compiler: gcc
> > Compilation CFLAGS: -DPROGRAM='bash' -DCONF_HOSTTYPE='x86_64'
> > -DCONF_OSTYPE='linux-gnu' -DCONF_MACHTYPE='x86_64-redhat-linux-gnu'
> > -DCONF_VENDOR='redhat' -DLOCALEDIR='/usr/share/locale' -DPACKAGE='bash'
> > -DSHELL -DHAVE_CONFIG_H -I. -I. -I./include -I./lib -D_GNU_SOURCE
> > -DRECYCLES_PIDS -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
> > -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fwrapv
> > uname output: Linux appsrv01.js.local 2.6.32-358.6.1.el6.x86_64 #1 SMP
> Tue
> > Apr 23 19:29:00 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
> > Machine Type: x86_64-redhat-linux-gnu
> >
> > Bash Version: 4.1
> > Patch Level: 2
> > Release Status: release
> >
> > Description:
> >
> > Reproducible from both an SSH session as well as directly at the console.
> >
> > On BASH 4.1.x (4.1.2) running under CentOS 6.x (6.4 Final) and MySQL
> 5.1.x
> > (5.1.69). I believe this bug will persist on all distros running BASH
> 4.x.x
> >
> > After running the chained command (see below "Repeat-By" section), BASH
> > allows a password field to be seen in Clear Text, and then the BASH
> session
> > breaks until BASH session is restarted (logout then login).
> >
> > The purpose of the command is to dump the database "somedb" ... which
> would
> > normally dump to a text file for import later... but instead redirect
> > stdout to the stdin of the chained mysql command which will import all
> the
> > data from "somedb" into "someotherdb" on the same MySQL host. The command
> > works, but there's two problems.
> >
> > MySQL correctly challenges for password of "someuser" to perform the
> > mysqldump part, but once you type in the password and hit ENTER, it skips
> > to a new blank line without the shell prompt and just sits. It is waiting
> > for you to type in the password for "someuser" as the second part of the
> > command (but does not prompt for this and it's not intuitive, it appears
> > as-if the command is running)... If you type, it's in clear text!
> > Potentially a major security issue there.
> >
> > It gets worse...
> >
> > After you hit ENTER a second time, the command will finish, and it will
> > return a fresh line with the shell prompt. Everything looks normal... but
> > try typing. Nothing will show at all, however it is sending the keys to
> the
> > shell and will execute commands if you type them in and hit ENTER. Each
> > successful command will return you to a fresh shell line, but same thing
> > happens until you log out and back in (to restart BASH). Also, while this
> > is happening, you can hit the ENTER key over and over and BASH will just
> > keep repeating the shell prompt on the same line.
> >
> > Repeat-By:
> >
> > At the shell, issue the command:
> >
> > ~]# mysqldump -u someuser -p somedb | mysql -u someuser -p -D someotherdb
> >
> > Shouldn't need to run that command as root, but the mysql user must be
> > privileged enough to work with the two databases. To simplify things you
> > can replace "someuser" with root.
> >
> > Thank you,
> >
> > Jason Sipula
> > alupis1@gmail.com
> >
>