Aw: Re: Re: Chained command prints password in Clear Text and breaks BAS
From: John Kearney
Subject: Aw: Re: Re: Chained command prints password in Clear Text and breaks BASH Session until logout
Date: Thu, 11 Jul 2013 20:34:21 +0200 (CEST)
Typically when a program has this sort of a problem I just save and
restore the context myself.
# Save the terminal settings before mysql can change them.
SavedContext="$(stty -g)"
read -rsp "Password:" Password
mysqldump -u someuser --password="${Password}" somedb |
    mysql -u someuser --password="${Password}" -D someotherdb
# Restore Terminal Context.
stty "${SavedContext}"
And note your original example was wrong.
-p in the following is to specify the password
mysqldump -u someuser -p somedb | mysql -u someuser -p -D someotherdb
so you are saying the password to someuser is somedb and not giving a
database.....
in the second case you are saying that the password to someuser is -D
Sent: Thursday, 11 July 2013 at 20:05
From: "Jason Sipula" <alupis1@gmail.com>
To: "John Kearney" <dethrophes@web.de>
Cc: bug-bash@gnu.org
Subject: Re: Re: Chained command prints password in Clear Text and breaks BASH Session until logout
Bingo.
~]# stty echo
This fixed bash. So it does appear MySQL is disabling echo. Strange that it
does not re-enable it after it's finished running. I'll take this up with
the mysql folks.
Thank you to everyone!
On Thu, Jul 11, 2013 at 11:00 AM, John Kearney <dethrophes@web.de> wrote:
> sounds like echo is turned off
> try typing
> stty echo
> when you say you don't see any output.
> And if it's turned off it was probably turned off by mysql.
> *Sent:* Thursday, 11 July 2013 at 19:53
> *From:* "Jason Sipula" <alupis1@gmail.com>
> *To:* No recipient
> *Cc:* bug-bash@gnu.org
> *Subject:* Re: Chained command prints password in Clear Text and breaks BASH Session until logout
> I probably should have filed two different reports for this. Sorry for any
> confusion guys.
>
> The password makes sense to me why it allows clear text...
>
> The second issue is once the command terminates, bash session does not
> behave normally at all. Nothing typed into the terminal over SSH or
> directly on the console displays, however it does receive the keys. Also,
> if you repeatedly hit ENTER key, instead of skipping to new line, it just
> repeats the bash prompt over and over in a single line. So far restarting
> bash session (by logging out then back in) is the only way I have found to
> "fix" the session and return to normal functionality.
>
>
> On Thu, Jul 11, 2013 at 10:47 AM, John Kearney <dethrophes@web.de> wrote:
>
> >
> > This isn't a bug in bash.
> > firstly once a program is started it takes over the input so the fact that
> > your password is echoed to the terminal is because mysql allows it not
> > bash, and in mysql's defense this is the normal behaviour for command line
> > tools.
> >
> > Secondly both mysqldump and mysql start at the same time and can
> > potentially be reading the password also at the same time.
> > on some systems and for some apps it could happen that.
> >
> > password for mysqldump p1234
> > password for mysql p5678
> >
> > the way you are starting them you could potentially end up with
> >
> > mysqldump getting p5274
> > mysql getting p1638
> >
> > basically you should give the password on the command line to mysql.
> >
> > something like
> > read -sp "Password:" Password
> > mysqldump -u someuser --password="${Password}" somedb |
> >     mysql -u someuser --password="${Password}" -D someotherdb
> >
> > *Sent:* Wednesday, 10 July 2013 at 23:54
> > *From:* "Jason Sipula" <alupis1@gmail.com>
> > *To:* bug-bash@gnu.org
> > *Subject:* Chained command prints password in Clear Text and breaks BASH Session until logout
> > Configuration Information [Automatically generated, do not change]:
> > Machine: x86_64
> > OS: linux-gnu
> > Compiler: gcc
> > Compilation CFLAGS: -DPROGRAM='bash' -DCONF_HOSTTYPE='x86_64'
> > -DCONF_OSTYPE='linux-gnu' -DCONF_MACHTYPE='x86_64-redhat-linux-gnu'
> > -DCONF_VENDOR='redhat' -DLOCALEDIR='/usr/share/locale' -DPACKAGE='bash'
> > -DSHELL -DHAVE_CONFIG_H -I. -I. -I./include -I./lib -D_GNU_SOURCE
> > -DRECYCLES_PIDS -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
> > -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fwrapv
> > uname output: Linux appsrv01.js.local 2.6.32-358.6.1.el6.x86_64 #1 SMP Tue
> > Apr 23 19:29:00 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
> > Machine Type: x86_64-redhat-linux-gnu
> >
> > Bash Version: 4.1
> > Patch Level: 2
> > Release Status: release
> >
> > Description:
> >
> > Reproducible from both an SSH session as well as directly at the console.
> >
> > On BASH 4.1.x (4.1.2) running under CentOS 6.x (6.4 Final) and MySQL 5.1.x
> > (5.1.69). I believe this bug will persist on all distros running BASH 4.x.x
> >
> > After running the chained command (see below "Repeat-By" section), BASH
> > allows a password field to be seen in Clear Text, and then the BASH session
> > breaks until BASH session is restarted (logout then login).
> >
> > The purpose of the command is to dump the database "somedb" ... which would
> > normally dump to a text file for import later... but instead redirect
> > stdout to the stdin of the chained mysql command which will import all the
> > data from "somedb" into "someotherdb" on the same MySQL host. The command
> > works, but there's two problems.
> >
> > MySQL correctly challenges for password of "someuser" to perform the
> > mysqldump part, but once you type in the password and hit ENTER, it skips
> > to a new blank line without the shell prompt and just sits. It is waiting
> > for you to type in the password for "someuser" as the second part of the
> > command (but does not prompt for this and it's not intuitive, it appears
> > as-if the command is running)... If you type, it's in clear text!
> > Potentially a major security issue there.
> >
> > It gets worse...
> >
> > After you hit ENTER a second time, the command will finish, and it will
> > return a fresh line with the shell prompt. Everything looks normal... but
> > try typing. Nothing will show at all, however it is sending the keys to the
> > shell and will execute commands if you type them in and hit ENTER. Each
> > successful command will return you to a fresh shell line, but same thing
> > happens until you log out and back in (to restart BASH). Also, while this
> > is happening, you can hit the ENTER key over and over and BASH will just
> > keep repeating the shell prompt on the same line.
> >
> > Repeat-By:
> >
> > At the shell, issue the command:
> >
> > ~]# mysqldump -u someuser -p somedb | mysql -u someuser -p -D someotherdb
> >
> > Shouldn't need to run that command as root, but the mysql user must be
> > privileged enough to work with the two databases. To simplify things you
> > can replace "someuser" with root.
> >
> > Thank you,
> >
> > Jason Sipula
> > alupis1@gmail.com
> >
>
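Added example, not part of the original thread or of bash/MySQL: a POSIX sh sketch of the save-and-restore approach discussed above, extended so the terminal is restored even on Ctrl-C and the password reaches both clients through a mode-0600 option file rather than the command line, where it would be visible in the process list. The function names read_secret and copy_db are hypothetical; someuser, somedb and someotherdb are the thread's placeholders.

```sh
#!/bin/sh
# Usage (interactive): copy_db someuser somedb someotherdb

# read_secret PROMPT: show PROMPT on stderr, read one line from stdin with
# echo off, print it on stdout. Runs in a subshell so its traps stay local.
read_secret() (
    saved=$(stty -g 2>/dev/null) || saved=""   # empty when stdin is not a tty
    restore() { [ -z "$saved" ] || stty "$saved"; }
    trap restore EXIT                          # put the saved settings back
    trap 'exit 130' INT TERM                   # Ctrl-C still runs the EXIT trap
    printf '%s' "$1" >&2
    [ -z "$saved" ] || stty -echo
    IFS= read -r secret || exit 1
    [ -z "$saved" ] || printf '\n' >&2
    printf '%s' "$secret"
)

# copy_db USER SRC_DB DST_DB: prompt once, so the two clients never compete
# for keystrokes, and keep the password out of argv.
copy_db() (
    user=$1 src=$2 dst=$3
    pw=$(read_secret "Password: ") || exit 1
    umask 077
    cnf=$(mktemp) || exit 1
    trap 'rm -f "$cnf"' EXIT
    trap 'exit 130' INT TERM
    # Assumption: the password contains no '"' or '\' (these need escaping
    # inside an option file). printf is a shell builtin, so no argv exposure.
    printf '[client]\npassword="%s"\n' "$pw" > "$cnf"
    # --defaults-extra-file must be the first option given to each client.
    mysqldump --defaults-extra-file="$cnf" -u "$user" "$src" |
        mysql --defaults-extra-file="$cnf" -u "$user" -D "$dst"
)
```

The pipeline's exit status is that of mysql only; a failing mysqldump has to be detected separately, for example with bash's `set -o pipefail`.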