bug-bash

Re: Re: Re: Chained command prints password in Clear Text and breaks BAS


From: Jason Sipula
Subject: Re: Re: Re: Chained command prints password in Clear Text and breaks BASH Session until logout
Date: Thu, 11 Jul 2013 11:44:55 -0700

Hmm... on my system, doing a

~]# mysql -u username -p

makes mysql prompt for password. I usually do this when I'm logging into
mysql directly instead of programmatically so that I don't have to type the
clear text password into the terminal. Maybe a mysql version thing? I'm on
5.1.x under CentOS 6.x


On Thu, Jul 11, 2013 at 11:34 AM, John Kearney <address@hidden> wrote:

>  Typically when a program has this sort of a problem I just save and
> restore the context myself.
>
> SavedContext="$(stty -g )"
>
> read -rsp "Password:" Password
> mysqldump -u someuser --password="${Password}" somedb |
>   mysql -u someuser --password="${Password}" -D someotherdb
>
> # Restore Terminal Context.
> stty "${SavedContext}"
>
>
> And note your original example was wrong.
>
> -p in the following is to specify the password
> mysqldump -u someuser -p somedb | mysql -u someuser -p -D someotherdb
>
> so you are saying the password to someuser is somedb and not giving a
> database.....
> in the second case you are saying that the password to someuser is -D
>
>
>
> *Sent:* Thursday, 11 July 2013 at 20:05
> *From:* "Jason Sipula" <address@hidden>
> *To:* "John Kearney" <address@hidden>
> *Cc:* address@hidden
> *Subject:* Re: Re: Chained command prints password in Clear Text and breaks BASH Session until logout
> Bingo.
>
> ~]# stty echo
>
> This fixed bash. So it does appear MySQL is disabling echo. Strange that it
> does not re-enable it after it's finished running. I'll take this up with
> the mysql folks.
>
> Thank you to everyone!
>
>
> On Thu, Jul 11, 2013 at 11:00 AM, John Kearney <address@hidden> wrote:
>
> > sounds like echo is turned off
> > try typing
> > stty +echo
> > when you say you don't see any output.
> > And if it's turned off it was probably turned off by mysql.
> > *Sent:* Thursday, 11 July 2013 at 19:53
> > *From:* "Jason Sipula" <address@hidden>
> > *To:* No recipient
> > *Cc:* address@hidden
> > *Subject:* Re: Chained command prints password in Clear Text and breaks BASH Session until logout
> > I probably should have filed two different reports for this. Sorry for any
> > confusion guys.
> >
> > The password makes sense to me why it allows clear text...
> >
> > The second issue is once the command terminates, bash session does not
> > behave normally at all. Nothing typed into the terminal over SSH or
> > directly on the console displays, however it does receive the keys. Also,
> > if you repeatedly hit ENTER key, instead of skipping to new line, it just
> > repeats the bash prompt over and over in a single line. So far restarting
> > bash session (by logging out then back in) is the only way I have found to
> > "fix" the session and return to normal functionality.
> >
> >
> > On Thu, Jul 11, 2013 at 10:47 AM, John Kearney <address@hidden> wrote:
> >
> > >
> > > This isn't a bug in bash.
> > > firstly once a program is started it takes over the input so the fact that
> > > your password is echoed to the terminal is because mysql allows it not
> > > bash, and in mysql's defense this is the normal behaviour for command line
> > > tools.
> > >
> > > Secondly both mysqldump and mysql start at the same time and can
> > > potentially be reading the password also at the same time.
> > > on some systems and for some apps it could happen that.
> > >
> > > password for mysqldump p1234
> > > password for mysql p5678
> > >
> > > the way you are starting them you could potentially end up with
> > >
> > > mysqldump getting p5274
> > > mysql getting p1638
> > >
> > > basically you should give the password on the command line to mysql.
> > >
> > > something like
> > > read -sp "Password:" Password
> > > mysqldump -u someuser --password ${Password} -p somedb | mysql -u someuser --password ${Password} -p -D someotherdb
> > >
> > > *Sent:* Wednesday, 10 July 2013 at 23:54
> > > *From:* "Jason Sipula" <address@hidden>
> > > *To:* address@hidden
> > > *Subject:* Chained command prints password in Clear Text and breaks BASH Session until logout
> > > Configuration Information [Automatically generated, do not change]:
> > > Machine: x86_64
> > > OS: linux-gnu
> > > Compiler: gcc
> > > Compilation CFLAGS: -DPROGRAM='bash' -DCONF_HOSTTYPE='x86_64'
> > > -DCONF_OSTYPE='linux-gnu' -DCONF_MACHTYPE='x86_64-redhat-linux-gnu'
> > > -DCONF_VENDOR='redhat' -DLOCALEDIR='/usr/share/locale' -DPACKAGE='bash'
> > > -DSHELL -DHAVE_CONFIG_H -I. -I. -I./include -I./lib -D_GNU_SOURCE
> > > -DRECYCLES_PIDS -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
> > > -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fwrapv
> > > uname output: Linux appsrv01.js.local 2.6.32-358.6.1.el6.x86_64 #1 SMP Tue
> > > Apr 23 19:29:00 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
> > > Machine Type: x86_64-redhat-linux-gnu
> > >
> > > Bash Version: 4.1
> > > Patch Level: 2
> > > Release Status: release
> > >
> > > Description:
> > >
> > > Reproducible from both an SSH session as well as directly at the console.
> > >
> > > On BASH 4.1.x (4.1.2) running under CentOS 6.x (6.4 Final) and MySQL 5.1.x
> > > (5.1.69). I believe this bug will persist on all distros running BASH 4.x.x
> > >
> > > After running the chained command (see below "Repeat-By" section), BASH
> > > allows a password field to be seen in Clear Text, and then the BASH session
> > > breaks until BASH session is restarted (logout then login).
> > >
> > > The purpose of the command is to dump the database "somedb" ... which would
> > > normally dump to a text file for import later... but instead redirect
> > > stdout to the stdin of the chained mysql command which will import all the
> > > data from "somedb" into "someotherdb" on the same MySQL host. The command
> > > works, but there's two problems.
> > >
> > > MySQL correctly challenges for password of "someuser" to perform the
> > > mysqldump part, but once you type in the password and hit ENTER, it skips
> > > to a new blank line without the shell prompt and just sits. It is waiting
> > > for you to type in the password for "someuser" as the second part of the
> > > command (but does not prompt for this and it's not intuitive, it appears
> > > as-if the command is running)... If you type, it's in clear text!
> > > Potentially a major security issue there.
> > >
> > > It gets worse...
> > >
> > > After you hit ENTER a second time, the command will finish, and it will
> > > return a fresh line with the shell prompt. Everything looks normal... but
> > > try typing. Nothing will show at all, however it is sending the keys to the
> > > shell and will execute commands if you type them in and hit ENTER. Each
> > > successful command will return you to a fresh shell line, but same thing
> > > happens until you log out and back in (to restart BASH). Also, while this
> > > is happening, you can hit the ENTER key over and over and BASH will just
> > > keep repeating the shell prompt on the same line.
> > >
> > > Repeat-By:
> > >
> > > At the shell, issue the command:
> > >
> > > ~]# mysqldump -u someuser -p somedb | mysql -u someuser -p -D someotherdb
> > >
> > > Shouldn't need to run that command as root, but the mysql user must be
> > > privileged enough to work with the two databases. To simplify things you
> > > can replace "someuser" with root.
> > >
> > > Thank you,
> > >
> > > Jason Sipula
> > > address@hidden
> > >
> >
>
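
The save-and-restore approach suggested in the thread, as an added example that is not part of the original messages: a POSIX sh script that captures the terminal state with `stty -g`, restores it from a trap however the pipeline ends, prompts once, and hands the password to both clients through a temporary owner-only option file instead of the command line, where it would be visible in the process list. The function names and the `--run` guard are assumptions made for this example.

```shell
#!/bin/sh
# Added example; function names are hypothetical. POSIX sh, no bashisms.

# Print the current terminal settings, or nothing when stdin is not a tty.
save_tty() { stty -g 2>/dev/null || true; }

# Put back settings captured by save_tty; a no-op for an empty argument.
restore_tty() { [ -z "$1" ] || stty "$1"; }

# Write a [client] option file and print its path. mktemp creates it with
# mode 0600. Assumes the password contains no double quote or backslash.
write_client_cnf() {   # $1 = user, $2 = password
    cnf_path=$(mktemp "${TMPDIR:-/tmp}/client.XXXXXX") || return 1
    # printf is a shell builtin, so the password never appears in argv.
    printf '[client]\nuser=%s\npassword="%s"\n' "$1" "$2" > "$cnf_path"
    printf '%s\n' "$cnf_path"
}

# Dump database $2 into $3 as user $1, prompting for the password once.
copy_db() {
    tty_state=$(save_tty)
    cnf=
    # Whatever happens, re-enable echo and delete the credentials file.
    trap 'restore_tty "$tty_state"; [ -z "$cnf" ] || rm -f "$cnf"' EXIT
    trap 'exit 130' INT TERM

    [ -z "$tty_state" ] || stty -echo
    printf 'Password: ' >&2
    IFS= read -r password || return 1
    restore_tty "$tty_state"
    printf '\n' >&2

    cnf=$(write_client_cnf "$1" "$password") || return 1
    unset password
    # --defaults-extra-file must be the first option on each command line.
    mysqldump --defaults-extra-file="$cnf" "$2" |
        mysql --defaults-extra-file="$cnf" -D "$3"
}

# Run only when asked to: sh copydb.sh --run someuser somedb someotherdb
if [ "${1:-}" = "--run" ]; then
    copy_db "$2" "$3" "$4"
fi
```
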

