#24999 closed Cleanup/optimization (invalid)
manage dbshell with mysql give the password on the command line, visible system wide
Reported by: | nirgal | Owned by: | Rigel Di Scala |
---|---|---|---|
Component: | Core (Management commands) | Version: | dev |
Severity: | Normal | Keywords: | |
Cc: | Triage Stage: | Accepted | |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
Hi
When using the mysql backend, when one runs the dbshell command, subprocess.call() uses the mysql command-line argument --password. This is insecure on multi-user systems, since anyone who can do "ps" is able to see the password.
I believe it would be much better to write the password in the temporary configuration file whose name is given using --defaults-extra-file=file_name, in a way similar to https://github.com/django/django/pull/4392
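As an added illustration of the fix the report proposes (this is example code, not Django's own DatabaseClient and not part of the ticket): the credentials go into a temporary defaults file that only the owner can read, and mysql is launched with --defaults-extra-file, so the password never appears in the argv that ps shows. The settings dict keys, the function names and the injectable runner are assumptions.

```python
import os
import stat
import subprocess
import tempfile


def write_defaults_file(settings):
    """Write a MySQL [client] section to a temp file only its owner can read.

    mkstemp already creates the file with mode 0600; the explicit chmod makes
    that guarantee visible and runs before the password is written.
    Values containing '#' or quotes would need MySQL option-file quoting,
    which this example does not implement.
    """
    fd, path = tempfile.mkstemp(prefix="dbshell-", suffix=".cnf")
    try:
        os.chmod(path, 0o600)
        with os.fdopen(fd, "w") as f:
            f.write("[client]\n")
            for key in ("user", "password", "host", "port"):
                if settings.get(key):
                    f.write("%s=%s\n" % (key, settings[key]))
    except Exception:
        os.unlink(path)
        raise
    return path


def build_args(settings, defaults_path):
    """argv for mysql; --defaults-extra-file must be the first option given."""
    args = ["mysql", "--defaults-extra-file=%s" % defaults_path]
    if settings.get("name"):
        args.append(settings["name"])  # the database name is a positional arg
    return args


def defaults_file_mode(path):
    """Permission bits of the defaults file (expected 0o600)."""
    return stat.S_IMODE(os.stat(path).st_mode)


def run_dbshell(settings, runner=subprocess.call):
    """Launch the client; the secret file exists only while the call runs."""
    path = write_defaults_file(settings)
    try:
        return runner(build_args(settings, path))
    finally:
        os.unlink(path)  # drop the secret as soon as the client exits
```

Pass `runner` to capture the argv in a test instead of invoking a real mysql binary.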
Change History (8)
comment:1 by , 9 years ago
Triage Stage: | Unreviewed → Accepted |
---|---|
Type: | Uncategorized → Cleanup/optimization |
comment:2 by , 9 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:3 by , 9 years ago
comment:4 by , 9 years ago
dbshell makes a subprocess call with --password. Did you find that process?
comment:5 by , 9 years ago
Using Python 2.7, MySQL-Python 1.2.5-final, and mysql Ver 14.14 Distrib 5.5.37, when running manage.py dbshell and checking the output of ps aux, I see:
zedr 5604 0.0 0.0 110204 4748 pts/0 TN 08:30 0:00 mysql --user=root --password=x xx --host=127.1 django_testing
The password was, in this case, "root", so it's being obfuscated. I'm investigating what's actually doing the obfuscation, as django.db.backend.mysql.DatabaseClient isn't doing it.
comment:6 by , 9 years ago
comment:7 by , 9 years ago
Resolution: | → invalid |
---|---|
Status: | assigned → closed |
Thanks for investigating. I guess we can mark this as invalid.
Cannot replicate this using Python3 and the "mysqlclient" connector package.