Because of the way /usr/local/bin/clustercheck is called by xinetd, the password of the MySQL user is visible on the command line (via 'ps -ef') during the execution of this script. But passwords should never be visible on the command line.
A better way, in my opinion, would be to generate a special 'my.somehow.cnf' somewhere in the filesystem, include the MySQL host, user and password as key-value pairs inside the [client] section of this file, restrict access to this file so that only the clustercheck user is able to read it, and call mysql in the clustercheck script with this file as a '--defaults-extra-file' parameter, without giving host, user and password separately.
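The approach proposed above, as an added shell example (not code from this module or its clustercheck script): the option file is created owner-only, its permissions are checked before use, and mysql is called with `--defaults-extra-file` as the first option. The function names, the `MYSQL_BIN` override, the file path, the credentials and the status query are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pass MySQL credentials through a private [client] option file
# instead of the command line. All names and values here are constructed.

# write_client_cnf FILE HOST USER PASSWORD
# The file is created under umask 077, so it is never readable by group/other.
# printf is a shell builtin, so the password does not show up in 'ps' here either.
write_client_cnf() {
    (
        umask 077
        rm -f "$1"    # a pre-existing file would keep its old, wider mode
        printf '[client]\nhost=%s\nuser=%s\npassword="%s"\n' "$2" "$3" "$4" > "$1"
    )
}

# cnf_is_private FILE
# Succeeds only for a regular file (not a symlink) with no group/other bits set.
cnf_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# run_cluster_check FILE
# Runs the status query without host, user or password in argv.
# --defaults-extra-file must be the first option on the mysql command line.
run_cluster_check() {
    cnf_is_private "$1" || {
        echo "refusing $1: not a private regular file" >&2
        return 1
    }
    "${MYSQL_BIN:-mysql}" --defaults-extra-file="$1" -nNE \
        -e "SHOW STATUS LIKE 'wsrep_local_state';"
}

# Demo with constructed values; no server is contacted.
demo_dir=$(mktemp -d)
write_client_cnf "$demo_dir/clustercheck.cnf" localhost clustercheck 'example-secret'
cnf_is_private "$demo_dir/clustercheck.cnf" && echo "option file is owner-only"
rm -rf "$demo_dir"
```

In a deployment the file would also have to be owned by the account xinetd runs the check as, since the permission test only looks at the mode bits.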
I'd really like to implement this using MySQL's login paths, but puppetlabs-mysql currently does not support them: https://tickets.puppetlabs.com/browse/MODULES-1550
Everyone who is concerned about security should vote for this feature. :)
It looks like puppetlabs-mysql will receive support for login paths soon: puppetlabs/puppetlabs-mysql#1295
This would allow us to improve security on MySQL-based systems.
The feature has been added (and now I finished my PR regarding the clustercheck that might have blocked this), so it would be good to have this feature.