bug-bash

Aw: Re: Re: Chained command prints password in Clear Text and breaks BAS


From: John Kearney
Subject: Aw: Re: Re: Chained command prints password in Clear Text and breaks BASH Session until logout
Date: Thu, 11 Jul 2013 20:34:21 +0200 (CEST)

   Typically when a program has this sort of a problem I just save and
   restore the context myself.

   # Save the current terminal settings before anything can change them.
   SavedContext="$(stty -g)"

   read -rsp "Password:" Password
   mysqldump -u someuser --password="${Password}" somedb \
     | mysql -u someuser --password="${Password}" -D someotherdb

   # Restore Terminal Context.
   stty "${SavedContext}"


   And note your original example was wrong.

   -p in the following is to specify the password
   mysqldump -u someuser -p somedb | mysql -u someuser -p -D someotherdb

   so you are saying the password to someuser is somedb and not giving a
   database.....
   in the second case you are saying that the password to someuser is -D



   Sent: Thursday, 11 July 2013 at 20:05
   From: "Jason Sipula" <address@hidden>
   To: "John Kearney" <address@hidden>
   Cc: address@hidden
   Subject: Re: Re: Chained command prints password in Clear Text and
   breaks BASH Session until logout
   Bingo.
   ~]# stty echo
   This fixed bash. So it does appear MySQL is disabling echo. Strange that
   it does not re-enable it after it's finished running. I'll take this up
   with the mysql folks.
   Thank you to everyone!
   On Thu, Jul 11, 2013 at 11:00 AM, John Kearney <address@hidden> wrote:
   > sounds like echo is turned off
   > try typing
   > stty +echo
   > when you say you don't see any output.
   > And if it's turned off it was probably turned off by mysql.
   > *Sent:* Thursday, 11 July 2013 at 19:53
   > *From:* "Jason Sipula" <address@hidden>
   > *To:* No recipient
   > *Cc:* address@hidden
   > *Subject:* Re: Chained command prints password in Clear Text and breaks
   > BASH Session until logout
   > I probably should have filed two different reports for this. Sorry for
   > any confusion guys.
   >
   > The password makes sense to me why it allows clear text...
   >
   > The second issue is once the command terminates, bash session does not
   > behave normally at all. Nothing typed into the terminal over SSH or
   > directly on the console displays, however it does receive the keys.
   > Also, if you repeatedly hit ENTER key, instead of skipping to new line,
   > it just repeats the bash prompt over and over in a single line. So far
   > restarting bash session (by logging out then back in) is the only way I
   > have found to "fix" the session and return to normal functionality.
   >
   >
   > On Thu, Jul 11, 2013 at 10:47 AM, John Kearney <address@hidden> wrote:
   >
   > >
   > > This isn't a bug in bash.
   > > firstly once a program is started it takes over the input so the fact
   > > that your password is echoed to the terminal is because mysql allows it
   > > not bash, and in mysql's defense this is the normal behaviour for command
   > > line tools.
   > >
   > > Secondly both mysqldump and mysql start at the same time and can
   > > potentially be reading the password also at the same time.
   > > on some systems and for some apps it could happen that.
   > >
   > > password for mysqldump p1234
   > > password for mysql p5678
   > >
   > > the way you are starting them you could potentially end up with
   > >
   > > mysqldump getting p5274
   > > mysql getting p1638
   > >
   > > basically you should give the password on the command line to mysql.
   > >
   > > something like
   > > read -sp "Password:" Password
   > > mysqldump -u someuser --password ${Password} -p somedb | mysql -u
   > > someuser --password ${Password} -p -D someotherdb
   > >
   > > *Sent:* Wednesday, 10 July 2013 at 23:54
   > > *From:* "Jason Sipula" <address@hidden>
   > > *To:* address@hidden
   > > *Subject:* Chained command prints password in Clear Text and breaks BASH
   > > Session until logout
   > > Configuration Information [Automatically generated, do not change]:
   > > Machine: x86_64
   > > OS: linux-gnu
   > > Compiler: gcc
   > > Compilation CFLAGS: -DPROGRAM='bash' -DCONF_HOSTTYPE='x86_64'
   > > -DCONF_OSTYPE='linux-gnu' -DCONF_MACHTYPE='x86_64-redhat-linux-gnu'
   > > -DCONF_VENDOR='redhat' -DLOCALEDIR='/usr/share/locale' -DPACKAGE='bash'
   > > -DSHELL -DHAVE_CONFIG_H -I. -I. -I./include -I./lib -D_GNU_SOURCE
   > > -DRECYCLES_PIDS -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
   > > -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fwrapv
   > > uname output: Linux appsrv01.js.local 2.6.32-358.6.1.el6.x86_64 #1 SMP Tue
   > > Apr 23 19:29:00 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
   > > Machine Type: x86_64-redhat-linux-gnu
   > >
   > > Bash Version: 4.1
   > > Patch Level: 2
   > > Release Status: release
   > >
   > > Description:
   > >
   > > Reproducible from both an SSH session as well as directly at the console.
   > >
   > > On BASH 4.1.x (4.1.2) running under CentOS 6.x (6.4 Final) and MySQL 5.1.x
   > > (5.1.69). I believe this bug will persist on all distros running BASH 4.x.x
   > >
   > > After running the chained command (see below "Repeat-By" section), BASH
   > > allows a password field to be seen in Clear Text, and then the BASH session
   > > breaks until BASH session is restarted (logout then login).
   > >
   > > The purpose of the command is to dump the database "somedb" ... which would
   > > normally dump to a text file for import later... but instead redirect
   > > stdout to the stdin of the chained mysql command which will import all the
   > > data from "somedb" into "someotherdb" on the same MySQL host. The command
   > > works, but there are two problems.
   > >
   > > MySQL correctly challenges for password of "someuser" to perform the
   > > mysqldump part, but once you type in the password and hit ENTER, it skips
   > > to a new blank line without the shell prompt and just sits. It is waiting
   > > for you to type in the password for "someuser" as the second part of the
   > > command (but does not prompt for this and it's not intuitive, it appears
   > > as-if the command is running)... If you type, it's in clear text!
   > > Potentially a major security issue there.
   > >
   > > It gets worse...
   > >
   > > After you hit ENTER a second time, the command will finish, and it will
   > > return a fresh line with the shell prompt. Everything looks normal... but
   > > try typing. Nothing will show at all, however it is sending the keys to the
   > > shell and will execute commands if you type them in and hit ENTER. Each
   > > successful command will return you to a fresh shell line, but same thing
   > > happens until you log out and back in (to restart BASH). Also, while this
   > > is happening, you can hit the ENTER key over and over and BASH will just
   > > keep repeating the shell prompt on the same line.
   > >
   > > Repeat-By:
   > >
   > > At the shell, issue the command:
   > >
   > > ~]# mysqldump -u someuser -p somedb | mysql -u someuser -p -D someotherdb
   > >
   > > Shouldn't need to run that command as root, but the mysql user must be
   > > privileged enough to work with the two databases. To simplify things you
   > > can replace "someuser" with root.
   > >
   > > Thank you,
   > >
   > > Jason Sipula
   > > address@hidden
   > >
   >
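
Added example (not part of the thread and not code from its posters): the save-and-restore idea from the top message, with the password handed to both clients through a private option file instead of the command line, where it would be visible in the process list. The function names and the temporary file are assumptions of this example; someuser, somedb and someotherdb are the thread's placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. someuser/somedb/someotherdb are the
# thread's placeholder names; the function names are made up here.

# Write the password to a private (0600) option file and print its path.
# Refuses quotes/backslashes, which the option-file syntax treats specially.
make_client_cnf() {
    local cnf
    case "$1" in *\"*|*\\*) return 2 ;; esac
    cnf="$(umask 077; mktemp)" || return 1
    printf '[client]\npassword="%s"\n' "$1" > "$cnf"
    printf '%s\n' "$cnf"
}

# Run "$@", then restore the terminal settings saved beforehand, so a child
# that leaves echo off cannot break the session. No-op when stdin is no tty.
with_saved_tty() {
    local saved="" rc=0
    if [ -t 0 ]; then saved="$(stty -g)"; fi
    "$@" || rc=$?
    if [ -n "$saved" ]; then stty "$saved"; fi
    return "$rc"
}

# --defaults-extra-file has to be the first option of each client.
dump_and_load() {   # $1 = option file, $2 = user, $3 = source, $4 = target
    mysqldump --defaults-extra-file="$1" -u "$2" "$3" \
        | mysql --defaults-extra-file="$1" -u "$2" -D "$4"
}

# Prompt once, run the pipeline, delete the option file when the subshell exits.
copy_db() (         # $1 = user, $2 = source db, $3 = target db
    set -o pipefail # a failed mysqldump fails the whole pipeline
    read -rsp "Password: " password; echo
    cnf="$(make_client_cnf "$password")" || exit 1
    trap 'rm -f "$cnf"' EXIT
    with_saved_tty dump_and_load "$cnf" "$1" "$2" "$3"
)

# Usage: ./copydb.sh someuser somedb someotherdb
if [ "$#" -eq 3 ]; then copy_db "$@"; fi
```

Because neither client has to prompt, the two processes no longer compete for the terminal; the stty restore only covers a child that changes the settings anyway.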

