Opened 9 years ago

Closed 9 years ago

Last modified 4 years ago

#24999 closed Cleanup/optimization (invalid)

manage dbshell with mysql give the password on the command line, visible system wide

Reported by: nirgal Owned by: Rigel Di Scala
Component: Core (Management commands) Version: dev
Severity: Normal Keywords:
Cc: Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Hi

When using mysql backend, when one runs the dbshell command, subprocess.call() uses the mysql command line argument --password. This is insecure on multi-users systems, since anyone who can do "ps" is able to see the password.

I believe it would be much better to write the password in the temporary configuration file whose name is given using --defaults-extra-file=file_name, in a way similar to https://github.com/django/django/pull/4392

Change History (8)

comment:1 by Tim Graham, 9 years ago

Triage Stage: UnreviewedAccepted
Type: UncategorizedCleanup/optimization

comment:2 by Rigel Di Scala, 9 years ago

Owner: changed from nobody to Rigel Di Scala
Status: newassigned

comment:3 by Rigel Di Scala, 9 years ago

Cannot replicate this using Python3 and the "mysqlclient" connector package.

comment:4 by Tim Graham, 9 years ago

dbshell makes a subprocess call with --password. Did you find that process?

comment:5 by Rigel Di Scala, 9 years ago

Using Python 2.7, MySQL-Python 1.2.5-final, and mysql Ver 14.14 Distrib 5.5.37, when running manage.py dbshell and checking the output of ps aux, I see:

zedr      5604  0.0  0.0 110204  4748 pts/0    TN   08:30   0:00 mysql --user=root --password=x xx --host=127.1 django_testing

The password was, in this case, "root", so it's being obfuscated. I'm investigating what's actually doing the obfuscation, as django.db.backend.mysql.DatabaseClient isn't doing it.

Last edited 9 years ago by Rigel Di Scala (previous) (diff)

comment:7 by Tim Graham, 9 years ago

Resolution: invalid
Status: assignedclosed

Thanks for investigating. I guess we can mark this as invalid.

comment:8 by Mariusz Felisiak <felisiak.mariusz@…>, 4 years ago

In 384ac099:

Refs #32061 -- Prevented password leak on MySQL dbshell crash.

The usage of the --password flag when invoking the mysql CLI has the
potential of exposing the password in plain text if the command happens
to crash due to the inclusion of args provided to
subprocess.run(check=True) in the string representation of the
subprocess.CalledProcessError exception raised on non-zero return code.

Since this has the potential of leaking the password to logging
facilities configured to capture crashes (e.g. sys.excepthook, Sentry)
it's safer to rely on the MYSQL_PWD environment variable instead even
if its usage is discouraged due to potential leak through the ps
command on old flavors of Unix.

Thanks Charlie Denton for reporting the issue to the security team.

Refs #24999.

Note: See TracTickets for help on using tickets.
Back to Top