Avoid root password leak to process list

The current procedure of setting the root MySQL password leaks the root password by giving it to the setmysqlpass.sh script on the command line. This means that during the couple of seconds that the script is executing, the password is visible in the process list! Since we're already writing the password in the /root/.my.cnf file, make the setmysqlpass.sh script parse this file to retrieve the password instead of receiving it from a command line argument. Also, in some shells the 'echo' command might appear in the process list. Use a heredoc notation to create the output without using a command. Signed-off-by: Gabriel Filion <lelutin@gmail.com>
author: Gabriel Filion <lelutin@gmail.com> 2010-12-14 12:10:54 -0500
committer: Gabriel Filion <lelutin@gmail.com> 2010-12-15 08:30:53 -0500
commit: af8b414c325dd2454c8fc98e9b1b0829c834c856 (patch)
tree: 8611db67a1a2bcc4795a60bc19a8ca923fc07d35 /manifests/server
parent: ec16a32708eac64bb3189567a0cceb6ac7378353 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/manifests/server/base.pp b/manifests/server/base.pp
index 480eda9..bb0685c 100644
--- a/manifests/server/base.pp
+++ b/manifests/server/base.pp
@@ -52,7 +52,7 @@ class mysql::server::base {
     }
     
     exec { 'mysql_set_rootpw':
-        command => "${mysql_moduledir}/server/setmysqlpass.sh ${mysql_rootpw}",
+        command => "${mysql_moduledir}/server/setmysqlpass.sh",
         unless => "mysqladmin -uroot status > /dev/null",
         require => [ File['mysql_setmysqlpass.sh'], Package['mysql-server'] ],
         refreshonly => true,
author	Gabriel Filion <lelutin@gmail.com>	2010-12-14 12:10:54 -0500
committer	Gabriel Filion <lelutin@gmail.com>	2010-12-15 08:30:53 -0500
commit	af8b414c325dd2454c8fc98e9b1b0829c834c856 (patch)
tree	8611db67a1a2bcc4795a60bc19a8ca923fc07d35 /manifests/server
parent	ec16a32708eac64bb3189567a0cceb6ac7378353 (diff)