diff options
| author | Gabriel Filion <lelutin@gmail.com> | 2010-12-14 12:10:54 -0500 |
|---|---|---|
| committer | mh <mh@immerda.ch> | 2010-12-18 12:50:17 +0100 |
| commit | e894ddb718fc17f8d541d1b9fcb5ecb2107ade20 (patch) | |
| tree | 8b9d61e95f5dd87c24413af84e1ae7c3d2ac56ea /manifests | |
| parent | fa6725705679a79abb1e9cc12e2f1b3d803c623f (diff) | |
Avoid root password leak to process list
The current procedure of setting the root MySQL password leaks the root
password by giving it to the setmysqlpass.sh script on the command line.
This means that during the couple of seconds that the script is
executing, the password is visible in the process list!
Since we're already writing the password in the /root/.my.cnf file, make
the setmysqlpass.sh script parse this file to retrieve the password
instead of receiving it from a command line argument.
Also, in some shells the 'echo' command might appear in the process
list. Use a heredoc notation to create the output without using a
command.
Signed-off-by: Gabriel Filion <lelutin@gmail.com>
Diffstat (limited to 'manifests')
| -rw-r--r-- | manifests/server/base.pp | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/manifests/server/base.pp b/manifests/server/base.pp index bdc81b1..5031876 100644 --- a/manifests/server/base.pp +++ b/manifests/server/base.pp @@ -55,7 +55,7 @@ class mysql::server::base { } exec { 'mysql_set_rootpw': - command => "/usr/local/sbin/setmysqlpass.sh ${mysql_rootpw}", + command => '/usr/local/sbin/setmysqlpass.sh', unless => "mysqladmin -uroot status > /dev/null", require => [ File['mysql_setmysqlpass.sh'], Package['mysql-server'] ], refreshonly => true, |