Date: Sun, 3 Nov 2002 14:43:02 -0800 (PST)
From: Tom Samplonius <tom@sdf.com>
To: patrick gibson <freebsd@patrickg.com>
Cc: freebsd-database@freebsd.org
Subject: Re: MySQL Password not masked in process listings
Message-ID: <Pine.BSF.4.05.10211031440160.5111-100000@misery.sdf.com>
In-Reply-To: <B9E9705D.6E34%freebsd@patrickg.com>

On Sat, 2 Nov 2002, patrick gibson wrote:

> I've been noticing that in FreeBSD, when I run the MySQL client with a
> password specified on the command line (e.g. mysql -pMyPassword MY_DATABASE),
> the password is not masked when I (or any other user!) issue a "ps" or "w"
> command.
>
> > patrick 47724 ... 11:49AM 0:00.03 mysql -pMyPassword MY_DATABASE
>
> I recently switched from Linux, and somehow it knew to mask the password:
>
> > patrick 47724 ... 11:49AM 0:00.03 mysql -p******* MY_DATABASE
>
> Does anyone know if this is a FreeBSD issue, or is it a problem in the way
> that MySQL is compiled for FreeBSD?
...

  It is phony security. It is possible for a process to change its process
name, but it can't be changed immediately, and it differs somewhat between
OSes on how this works.

  But even on Linux, your password is visible until mysql overwrites it.
That leaves a window between the exec() of mysql and when mysql starts and
overwrites the process name. I would just need to run "ps" in a loop, and I
would eventually catch your password. It would be quite easy if you run
mysql from cron, and I know exactly when it will be started!

Tom

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-database" in the body of the message
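
The check below is an added example, not part of the message above or of the thread: it audits crontab entries or scripts for MySQL client invocations that put the password in argv, the exposure this thread is about, and prints each hit with the secret redacted. The function names, the list of client binaries, and the sample crontab (including its paths and passwords) are constructed for illustration; the `--defaults-extra-file` line shows an invocation that keeps the password out of the process listing.

```sh
#!/bin/sh
# Added example: flag mysql-family command lines that carry an inline password.
# Reads text on stdin (crontab entries, shell scripts) and prints
# "line-number: redacted line" per hit. Returns 0 if any hit was found, 1 if clean.
find_inline_mysql_passwords() {
    awk '
    /^[ \t]*#/ { next }                      # skip comment lines
    {
        in_mysql = 0; hit = 0
        for (i = 1; i <= NF; i++) {
            tok = $i
            # a new pipeline stage or command ends the current mysql invocation
            if (tok == "|" || tok == ";" || tok == "&&" || tok == "||") { in_mysql = 0; continue }
            base = tok; sub(/^.*\//, "", base)   # strip any directory prefix
            if (base ~ /^(mysql|mysqldump|mysqladmin|mysqlimport|mysqlshow|mysqlcheck)$/) { in_mysql = 1; continue }
            if (!in_mysql) continue
            # bare -p / --password prompt on the terminal and are not flagged
            if (tok ~ /^--password=./) { $i = "--password=<redacted>"; hit = 1 }
            else if (tok ~ /^-p./)     { $i = "-p<redacted>"; hit = 1 }
        }
        if (hit) { print NR ": " $0; found = 1 }
    }
    END { exit (found ? 0 : 1) }'
}

# Constructed sample crontab; none of these entries come from the thread.
sample_crontab() {
cat <<'EOF'
# nightly jobs (constructed sample)
0 2 * * * /usr/local/bin/mysqldump -u backup -pMyPassword MY_DATABASE | gzip > /backup/db.sql.gz
15 2 * * * /usr/local/bin/mysql --defaults-extra-file=/usr/local/etc/backup.cnf MY_DATABASE < /tmp/cleanup.sql
30 2 * * * mysqladmin -u root --password=hunter2 flush-logs
45 2 * * * mysql -u report -p -P 3306 MY_DATABASE
EOF
}

sample_crontab | find_inline_mysql_passwords
```

Only lines 2 and 4 of the sample are reported; the option-file and prompt forms pass because no secret appears on the command line.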