Refs codership/mysql-wsrep#141: this commit
1. Passes wsrep_sst_auth_value to SST scripts via the WSREP_SST_OPT_AUTH environment variable, so it never appears on the command line 2. In the mysqldump and xtrabackup* SST scripts, which rely on MySQL authentication, instead of passing the password on the command line, the SST script sets the MYSQL_PWD environment variable, so that the password also never appears on the mysqldump/innobackupex command line.
committed by
Nirbhay Choubey
parent
197e9d2559
commit
86ee30cea9
@@ -143,8 +143,8 @@ readonly WSREP_SST_OPT_AUTH
|
|||||||
if ! wsrep_auth_not_set
|
if ! wsrep_auth_not_set
|
||||||
then
|
then
|
||||||
readonly AUTH_VEC=(${WSREP_SST_OPT_AUTH//:/ })
|
readonly AUTH_VEC=(${WSREP_SST_OPT_AUTH//:/ })
|
||||||
WSREP_SST_OPT_USER="${AUTH_VEC[0]:-}"
|
[ -n "${AUTH_VEC[0]}" ] && WSREP_SST_OPT_USER="${AUTH_VEC[0]}"
|
||||||
WSREP_SST_OPT_PSWD="${AUTH_VEC[1]:-}"
|
[ -n "${AUTH_VEC[1]}" ] && WSREP_SST_OPT_PSWD="${AUTH_VEC[1]}"
|
||||||
fi
|
fi
|
||||||
readonly WSREP_SST_OPT_USER
|
readonly WSREP_SST_OPT_USER
|
||||||
readonly WSREP_SST_OPT_PSWD
|
readonly WSREP_SST_OPT_PSWD
|
||||||
|
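Review bot: The context line `readonly AUTH_VEC=(${WSREP_SST_OPT_AUTH//:/ })` still splits the credential on every colon and on whitespace, and the unquoted expansion is subject to pathname expansion, so a password containing `:`, a space or `*` reaches WSREP_SST_OPT_PSWD truncated or altered. Splitting once at the first colon with parameter expansion avoids the array, e.g. `WSREP_SST_OPT_USER="${WSREP_SST_OPT_AUTH%%:*}"` and, when a colon is present, `WSREP_SST_OPT_PSWD="${WSREP_SST_OPT_AUTH#*:}"`. The two new tests also drop the `:-` default the old assignments had; if the script runs under `set -u` (not visible in this hunk), a user-only value would abort on `${AUTH_VEC[1]}`, so `[ -n "${AUTH_VEC[1]:-}" ]` is the safer form.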
@@ -76,6 +76,17 @@ fi
|
|||||||
# word, it is arguably more secure than passing password on the command line.
|
# word, it is arguably more secure than passing password on the command line.
|
||||||
[ -n "$WSREP_SST_OPT_PSWD" ] && export MYSQL_PWD="$WSREP_SST_OPT_PSWD"
|
[ -n "$WSREP_SST_OPT_PSWD" ] && export MYSQL_PWD="$WSREP_SST_OPT_PSWD"
|
||||||
|
|
||||||
|
# Refs https://github.com/codership/mysql-wsrep/issues/141
|
||||||
|
# Passing password in MYSQL_PWD environment variable is considered
|
||||||
|
# "extremely insecure" by MySQL Guidelines for Password Security
|
||||||
|
# (https://dev.mysql.com/doc/refman/5.6/en/password-security-user.html)
|
||||||
|
# that is even less secure than passing it on a command line! It is doubtful:
|
||||||
|
# the whole command line is easily observable by any unprivileged user via ps,
|
||||||
|
# whereas (at least on Linux) unprivileged user can't see process environment
|
||||||
|
# that he does not own. So while it may be not secure in the NSA sense of the
|
||||||
|
# word, it is arguably more secure than passing password on the command line.
|
||||||
|
[ -n "$WSREP_SST_OPT_PSWD" ] && export MYSQL_PWD="$WSREP_SST_OPT_PSWD"
|
||||||
|
|
||||||
STOP_WSREP="SET wsrep_on=OFF;"
|
STOP_WSREP="SET wsrep_on=OFF;"
|
||||||
|
|
||||||
# mysqldump cannot restore CSV tables, fix this issue
|
# mysqldump cannot restore CSV tables, fix this issue
|
||||||
|
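Review bot: `export MYSQL_PWD="$WSREP_SST_OPT_PSWD"` places the password in the environment of every process the script starts after this line, not only the MySQL client tools, and it stays readable by the same user and by root through the process environment. Scoping it to the client invocations with a per-command prefix such as `MYSQL_PWD="$WSREP_SST_OPT_PSWD" mysqldump ...`, or passing a mode-0600 option file through `--defaults-extra-file`, narrows that exposure. As rendered, the added block also repeats the final comment line and the export that already appear just above it as context, so the new side seems to carry the statement twice; one copy under the full comment would be enough.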
@@ -165,9 +165,10 @@ env::append(const char* val)
|
|||||||
++len_;
|
++len_;
|
||||||
env_[len_] = NULL;
|
env_[len_] = NULL;
|
||||||
}
|
}
|
||||||
else errno_ = errno;
|
|
||||||
}
|
}
|
||||||
else errno_ = errno;
|
|
||||||
|
/* if either realloc() or strdup() failed, errno had been set */
|
||||||
|
errno_ = errno;
|
||||||
|
|
||||||
return errno_;
|
return errno_;
|
||||||
}
|
}
|
||||||
|
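Review bot: The now unconditional `errno_ = errno;` can record a stale error, because neither realloc() nor strdup() clears errno on success, so a nonzero value left by an earlier call would make a successful env::append() return failure. The new comment covers only the failure case. Unless errno is zeroed earlier in the function (its start is outside this hunk), either keep the assignment on the two failure branches as before, or add `errno = 0;` ahead of the realloc() call. On success the assignment may also overwrite an error that errno_ recorded from a previous append(), if the member is meant to be sticky. Since this environment carries the SST auth value according to the commit description, a wrong status here decides whether the script is launched with credentials.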