Bug 168504

Summary: mysqlcheck (databases/mysql51-client) does not obscure password on command line
Product: Ports & Packages    Reporter: brian.carlson
Component: Individual Port(s)    Assignee: Alex Dupre <ale>
Status: Closed Overcome By Events
Severity: Affects Only Me    CC: cs, rene
Priority: Normal
Version: Latest
Hardware: Any
OS: Any

Description brian.carlson 2012-05-31 18:10:02 UTC
When running mysqlcheck from mysql_upgrade, a password is passed to mysqlcheck on the command line with the -p option.  There is code to obscure this password once it is parsed, but this code does not work on FreeBSD.  The technique it uses is writing over the appropriate argv entry with the character "x"; while this works fine on Linux, I believe this must use setproctitle(3) to work on FreeBSD.

It would be nice if the port were patched to fix this problem. I can verify using the latest ports repository that no patch is applied to MySQL to fix this problem.

Fix: Patch mysqlcheck to use setproctitle(3).
How-To-Repeat: Run mysql_upgrade in one terminal while running "while true ; do ps auxwwwfd | grep mysqlchec[k] ; done" in another; you will see the database's root password listed.
Comment 1 Michael Scheidell freebsd_committer freebsd_triage 2012-05-31 19:57:03 UTC
Responsible Changed
From-To: freebsd-ports-bugs->ale

Over to maintainer.
Comment 2 Alex Dupre freebsd_committer freebsd_triage 2012-06-01 09:48:40 UTC
State Changed
From-To: open->feedback

You are right, but the issue is not limited to mysqlcheck.
To use setproctitle() I think we should put a fix inside handle_options() in ./mysys/my_getopt.c
Are you going to provide a patch for it?
Comment 3 brian.carlson 2012-06-05 16:20:54 UTC
I was not planning on providing a patch. This is something we noticed here at cPanel on one of our FreeBSD test systems and I just thought I'd report it upstream to y'all in hopes that it might be fixed.  Our support for FreeBSD 8.2 is near end-of-life, so it's unlikely that we'll get a chance to fix it ourselves and send a patch.
Comment 4 Carlo Strub freebsd_committer freebsd_triage 2014-09-11 19:58:36 UTC
Is this PR still relevant?
Comment 5 brian.carlson 2014-09-12 13:52:48 UTC
I honestly don't know, since we no longer support FreeBSD and I therefore don't have a system to test on.  I presume so, though.  I would argue that mysqlcheck should always use a configuration file to pass the username and password instead of using the command line, but I don't know if it does in the current versions.

If you'd like to close this bug, it's fine by me.  We'd gotten a large number of complaints about passing the password on the command line being insecure and thought we'd pass it along.
Comment 6 Rene Ladan freebsd_committer freebsd_triage 2015-11-10 21:14:16 UTC
This port expired on 2015-11-10 and has been removed.