Bug 156076 - mysqlhotcopy is a security risk
Summary: mysqlhotcopy is a security risk
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Fedora
Classification: Fedora
Component: mysql
Version: 3
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Tom Lane
QA Contact: David Lawrence
URL:
Whiteboard:
Duplicates: 156077
Depends On:
Blocks:
 
Reported: 2005-04-27 12:25 UTC by Nigel Horne
Modified: 2013-07-03 03:05 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2008-02-08 03:33:52 UTC
Type: ---
Embargoed:



Description Nigel Horne 2005-04-27 12:25:40 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7) Gecko/20050416 Fedora/1.0.3-1.3.1 Firefox/1.0.3

Description of problem:
Mysqlhotcopy allows any user to view valid login names and password for a MySQL database

Version-Release number of selected component (if applicable):
mysql-3.23.58-16.FC3.1

How reproducible:
Always

Steps to Reproduce:
1. run mysqlhotcopy on a large database
2. on another terminal run "ps -ef"
3. view an unencrypted username and password for the database
  

Actual Results:  unencrypted username and password for the database are seen

Expected Results:  The username and passwords should be read from a file that is not world readable

Additional info:

Comment 1 Tom Lane 2005-04-27 14:20:53 UTC
*** Bug 156077 has been marked as a duplicate of this bug. ***

Comment 2 Tom Lane 2005-05-09 15:33:42 UTC
Isn't this true only if you use the --password option, which the documentation
specifically warns you to avoid for precisely this reason?
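
An added example, not part of the bug report or of MySQL's own code: a Python audit that finds running mysqlhotcopy processes whose argument list carries a password (the exposure reported here) and checks that an option file is closed to group and other users (the reporter's expected behaviour). It assumes a Linux /proc layout and that the password is written as `--password=VALUE`, `--password VALUE` or `-p VALUE`; all function names are this example's own.

```python
import glob
import os
import stat

TOOL = "mysqlhotcopy"


def password_positions(argv):
    """Indexes of argv elements holding a password (option spellings assumed)."""
    hits = set()
    for i, arg in enumerate(argv):
        if arg.startswith("--password=") and arg != "--password=":
            hits.add(i)
        elif arg in ("--password", "-p") and i + 1 < len(argv):
            hits.add(i + 1)  # value passed as the next argument
    return sorted(hits)


def redact(argv):
    """Copy of argv that is safe to log: password values are masked."""
    out = list(argv)
    for i in password_positions(argv):
        keep = "--password=" if out[i].startswith("--password=") else ""
        out[i] = keep + "<redacted>"
    return out


def scan_proc(proc_root="/proc"):
    """Return [(pid, redacted argv)] for mysqlhotcopy runs exposing a password."""
    found = []
    for path in glob.glob(os.path.join(proc_root, "[0-9]*", "cmdline")):
        try:
            with open(path, "rb") as fh:
                raw = fh.read()
        except OSError:
            continue  # process exited while we were scanning
        argv = [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]
        # A Perl script usually shows up as: perl [-w] /path/mysqlhotcopy ...
        is_tool = any(os.path.basename(a) == TOOL for a in argv[:3])
        if is_tool and password_positions(argv):
            pid = int(os.path.basename(os.path.dirname(path)))
            found.append((pid, redact(argv)))
    return sorted(found)


def option_file_is_private(path):
    """True if path is a regular file with no group/other permission bits."""
    mode = os.stat(path).st_mode
    return stat.S_ISREG(mode) and (mode & 0o077) == 0
```

Call `scan_proc()` on the database host to list offending processes, and `option_file_is_private()` on the option file that holds the credentials.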

Comment 3 petrosyan 2008-02-08 03:33:52 UTC
Fedora Core 3 is not maintained anymore.

Setting status to "INSUFFICIENT_DATA". If you can reproduce this bug in the
current Fedora release, please reopen this bug and assign it to the
corresponding Fedora version.

