From af8b414c325dd2454c8fc98e9b1b0829c834c856 Mon Sep 17 00:00:00 2001
From: Gabriel Filion <lelutin@gmail.com>
Date: Tue, 14 Dec 2010 12:10:54 -0500
Subject: Avoid root password leak to process list

The current procedure of setting the root MySQL password leaks the root
password by giving it to the setmysqlpass.sh script on the command line.
This means that during the couple of seconds that the script is
executing, the password is visible in the process list!

Since we're already writing the password in the /root/.my.cnf file, make
the setmysqlpass.sh script parse this file to retrieve the password
instead of receiving it from a command line argument.

Also, in some shells the 'echo' command might appear in the process
list. Use a heredoc notation to create the output without using a
command.

Signed-off-by: Gabriel Filion <lelutin@gmail.com>
---
 files/scripts/CentOS/setmysqlpass.sh | 9 +++++++--
 files/scripts/Debian/setmysqlpass.sh | 9 +++++++--
 manifests/server/base.pp             | 2 +-
 3 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/files/scripts/CentOS/setmysqlpass.sh b/files/scripts/CentOS/setmysqlpass.sh
index d762a20..01d8fbf 100644
--- a/files/scripts/CentOS/setmysqlpass.sh
+++ b/files/scripts/CentOS/setmysqlpass.sh
@@ -1,12 +1,17 @@
 #!/bin/sh
 
-test $# -gt 0 || exit 1
+test -f /root/.my.cnf || exit 1
+
+rootpw=$(grep password /root/.my.cnf | sed -e 's/^[^=]*= *\(.*\) */\1/')
 
 /sbin/service mysqld stop
 
 /usr/libexec/mysqld --skip-grant-tables --user=root --datadir=/var/lib/mysql/data --log-bin=/var/lib/mysql/mysql-bin &
 sleep 5
-echo "USE mysql; UPDATE user SET Password=PASSWORD('$1') WHERE User='root' AND Host='localhost';" | mysql -u root
+mysql -u root mysql <<EOF
+UPDATE mysql.user SET Password=PASSWORD('$rootpw') WHERE User='root' AND Host='localhost';
+FLUSH PRIVILEGES;
+EOF
 killall mysqld
 # chown to be on the safe side
 chown mysql.mysql /var/lib/mysql/mysql-bin.*
diff --git a/files/scripts/Debian/setmysqlpass.sh b/files/scripts/Debian/setmysqlpass.sh
index 5bd63e2..5f345fb 100644
--- a/files/scripts/Debian/setmysqlpass.sh
+++ b/files/scripts/Debian/setmysqlpass.sh
@@ -1,12 +1,17 @@
 #!/bin/sh
 
-test $# -gt 0 || exit 1
+test -f /root/.my.cnf || exit 1
+
+rootpw=$(grep password /root/.my.cnf | sed -e 's/^[^=]*= *\(.*\) */\1/')
 
 /etc/init.d/mysql stop
 
 /usr/sbin/mysqld --skip-grant-tables --user=root --datadir=/var/lib/mysql --log-bin=/var/lib/mysql/mysql-bin &
 sleep 5
-echo "USE mysql; UPDATE user SET Password=PASSWORD('$1') WHERE User='root' AND Host='localhost';" | mysql -u root
+mysql -u root mysql <<EOF
+UPDATE mysql.user SET Password=PASSWORD('$rootpw') WHERE User='root' AND Host='localhost';
+FLUSH PRIVILEGES;
+EOF
 killall mysqld
 sleep 5
 # chown to be on the safe side
diff --git a/manifests/server/base.pp b/manifests/server/base.pp
index 480eda9..bb0685c 100644
--- a/manifests/server/base.pp
+++ b/manifests/server/base.pp
@@ -52,7 +52,7 @@ class mysql::server::base {
     }
     
     exec { 'mysql_set_rootpw':
-        command => "${mysql_moduledir}/server/setmysqlpass.sh ${mysql_rootpw}",
+        command => "${mysql_moduledir}/server/setmysqlpass.sh",
         unless => "mysqladmin -uroot status > /dev/null",
         require => [ File['mysql_setmysqlpass.sh'], Package['mysql-server'] ],
         refreshonly => true,
-- 
cgit v1.2.3