Date: Sun, 3 Nov 2002 14:43:02 -0800 (PST)
From: Tom Samplonius
To: patrick gibson
Cc: freebsd-database@freebsd.org
Subject: Re: MySQL Password not masked in process listings

On Sat, 2 Nov 2002, patrick gibson wrote:

> I've been noticing that in FreeBSD, when I run the MySQL client with a
> password specified on the command line (eg. mysql -pMyPassword MY_DATABASE),
> the password is not masked when I (or any other user!) issue a "ps" or "w"
> command.
>
>   patrick 47724 ... 11:49AM 0:00.03 mysql -pMyPassword MY_DATABASE
>
> I recently switched from Linux, and somehow it knew to mask the password:
>
>   patrick 47724 ... 11:49AM 0:00.03 mysql -p******* MY_DATABASE
>
> Does anyone know if this is a FreeBSD issue, or is it a problem in the way
> that MySQL is compiled for FreeBSD?
...

  It is phony security. It is possible for a process to change its process
name, but it can't be changed immediately, and it differs somewhat between
OSes on how this works. But even on Linux, your password is visible, until
mysql overwrites it. That leaves a window between the exec() of mysql and
when mysql starts and overwrites the process name.
  I would just need to run "ps" in a loop, and I would eventually catch your
password. It would be quite easy if you run mysql from Cron, and I know
exactly when it will be started!

Tom
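
An added example, not part of the original message: since masking argv after exec() still leaves the window described above, this sketch audits process listings for MySQL clients started with an inline password and writes an owner-only option file to use instead. The function names, the sample "ps" lines and the credentials are constructed for illustration; the option-file approach is MySQL's own [client] option-file mechanism, which the thread itself does not mention.

```shell
#!/bin/sh
# Added example, not from the thread. Sample data and credentials are constructed.

# Constructed "ps"-style lines: user, pid, command.
sample_ps() {
cat <<'EOF'
patrick 47724 mysql -pMyPassword MY_DATABASE
patrick 47725 mysql -p MY_DATABASE
backup 47730 /usr/local/bin/mysqldump --password=s3cret --all-databases
www 47731 mysql --defaults-extra-file=/home/www/.my.cnf MY_DATABASE
EOF
}

# Audit: read command lines on stdin and print those where a MySQL client was
# given its password in argv, with the secret itself redacted.
# A bare "-p" (interactive prompt) is not flagged.
find_inline_mysql_passwords() {
    { grep -E '(^|[/[:space:]])mysql(dump|admin)?[[:space:]](.*[[:space:]])?(-p|--password=)[^[:space:]]+' || true; } |
        sed -E 's/([[:space:]])(-p|--password=)[^[:space:]]+/\1\2<redacted>/g'
}

# Mitigation: keep the password in an owner-only option file instead of argv.
# printf is a shell builtin, so the secret never enters another process's
# argument list. $1 = file, $2 = user, $3 = password.
write_client_cnf() {
    ( umask 077 && printf '[client]\nuser=%s\npassword="%s"\n' "$2" "$3" > "$1" )
    chmod 600 "$1"
}
# Usage (this option must be the first one on the command line):
#   mysql --defaults-extra-file="$HOME/.my.cnf.backup" MY_DATABASE

# Demo run over the constructed listing.
sample_ps | find_inline_mysql_passwords
```

A line that already shows a masked password in the listing is flagged as well, because it still means the secret was passed in argv and was readable until the client overwrote it.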