Summary: | Security hole in manual MySQL upgrade guide | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Clock <clock> |
Component: | [OLD] Core system | Assignee: | Gentoo Linux bug wranglers <bug-wranglers> |
Status: | RESOLVED INVALID | ||
Severity: | normal | ||
Priority: | High | ||
Version: | 2005.1 | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.gentoo.org/doc/en/mysql-upgrading.xml | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- |
Description
Clock
2006-01-03 07:45:02 UTC
You should probably check things before you file bug reports, mysql hides the password from the ps list: tomk 7944 0.2 0.5 5128 2172 pts/18 T 15:49 0:00 mysql -uroot -px xxxxxxxxx It's done in a way that bash does exec into mysql and mysql then overwrites the commandline. However there exists short time when the password can be read. This short time is still a serious security hole. When the user performs a temporary DoS attack on the machine, he can slow down the scheduling and pageouts so much that he can actually intercept the password. |