[Nagiosplug-devel] [ nagiosplug-Bugs-2531905 ] check_mysql does not properly handle passwords in from file.

SourceForge.net noreply at sourceforge.net
Wed May 20 06:24:20 CEST 2009


Bugs item #2531905, was opened at 2009-01-23 18:13
Message generated for change (Settings changed) made by dermoth
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=397597&aid=2531905&group_id=29880

Category: Argument processing
Group: v1.4.14
>Status: Closed
>Resolution: Fixed
Priority: 5
Private: No
Submitted By: Ben Timby (btimby)
Assigned to: Thomas Guyot-Sionnest (dermoth)
Summary: check_mysql does not properly handle passwords in from file.

Initial Comment:
-----------------
     PROBLEM
-----------------
The mysql client can use a password from a configuration file. This feature is nice as it keeps the password off of the command line.

The check_mysql function does not allow for this. Even though the program informs you via a warning that passing the password on the command line is insecure, it does not allow for the best alternative.

According to mysql, the mysql_connect() and mysql_real_connect() both allow a value of NULL to be given for the password.

http://dev.mysql.com/doc/refman/5.1/en/mysql-real-connect.html

In this case, if a password was read from the option file, it will be used for authentication. The constant "" is used in the case of NO password.

Right now, check_mysql, in the validate_arguments() function sets the value of db_pass to "" if it was not provided on the command line. This prevents the password configured in the option file from being used.

-----------------
   TEST CASE
-----------------
# vi $HOME/.my.cnf
[client]
password=foo
# ./check_mysql
Access denied for user 'root'@'localhost' (using password: NO)

-----------------
      PATCH
-----------------
The attached patch remedies this. It uses the same method as the mysql client to determine if NULL or "" should be used.

If -p is provided, without a value, then "" is used. If -p is omitted, then NULL is used. If -p is provided WITH a password, that password is used.

----------------------------------------------------------------------

>Comment By: Thomas Guyot-Sionnest (dermoth)
Date: 2009-05-20 00:24

Message:
Ok, I looked at it... FYI you didn't update the longopt struct
(--password). OTOH I don't see why make -p argument optional; users can
specify '-p ""' if they need an empty password - without -p will work just
like the mysql client.

Therefore I'm only committing the last hunk. Feel free to comment if you
think there's a real need for an optional argument for -p.

This is fixed in Git.

----------------------------------------------------------------------

Comment By: Ben Timby (btimby)
Date: 2009-02-11 08:28

Message:
Hopefully that last post clears up your questions; if not, here is a short
explanation.

While the check_mysql plugin always called mysql_options(), it also always
set db_pass to "". This caused the password from the file to be ignored as
the password was explicitly set to "".

To counteract this, I modified the source so that if the -p parameter is
omitted, then db_pass is left as NULL. If the -p parameter is provided, but
no password is provided, then db_pass is set to "" (like before). If a
password is provided as an argument to -p, then that value is copied to
db_pass.

----------------------------------------------------------------------

Comment By: Ben Timby (btimby)
Date: 2009-02-11 08:22

Message:
dermoth, I think you read the patch wrong. The last hunk REMOVES the
setting of db_pass to null when it is ''. That was basically the whole
problem :-).

--
@@ -361,9 +365,6 @@
 	if (db_host == NULL)
 		db_host = strdup("");
 
-	if (db_pass == NULL)
-		db_pass = strdup("");
-
 	if (db == NULL)
 		db = strdup("");
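
Review bot: With the `db_pass == NULL` default removed, db_pass can now leave validate_arguments() as NULL, while db_host and db are still normalised to "" in the lines kept just above and below. Every later use of db_pass has to tolerate NULL, so check any place that prints, measures or copies it. A short comment at this spot saying that NULL is intentional (it lets the password come from the option file) would keep a later cleanup from restoring the symmetric default.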
--

The difference between '', NULL and <password> is explained at the link I
sent in my original bug report:

http://dev.mysql.com/doc/refman/5.1/en/mysql-real-connect.html

I reproduce the relevant part below...

--
 For some parameters, it is possible to have the value taken from an
option file rather than from an explicit value in the mysql_real_connect()
call. To do this, call mysql_options() with the MYSQL_READ_DEFAULT_FILE or
MYSQL_READ_DEFAULT_GROUP option before calling mysql_real_connect(). Then,
in the mysql_real_connect() call, specify the “no-value” value for each
parameter to be read from an option file:

    *  For passwd, specify a value of NULL. (For the password, a value of
the empty string in the mysql_real_connect() call cannot be overridden in
an option file, because the empty string indicates explicitly that the
MySQL account must have an empty password.)
--

----------------------------------------------------------------------

Comment By: Thomas Guyot-Sionnest (dermoth)
Date: 2009-01-23 19:03

Message:
Thanks for your patch. There's one thing though that I don't understand,
since it already sets db_pass to "" when null (last hunk of your patch does
it), why do you need to do this using -p?

Can you explain the difference between db_pass=NULL, ="" and =<password>,
or point me to the right place in the libmysql documentation?

You should also be aware that you can also use the extra-opts feature to
use a file for the password argument (you need to enable it with configure;
I know some packages enable it by default), although I highly suggest using
the latest snapshot until the 1.4.14 release as there have been some
important fixes since 1.4.13.

----------------------------------------------------------------------
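
Added example, not part of the original thread or of the plugin's source: a small C model of the three password states discussed above (NULL, "" and an explicit value), showing why the old NULL-to-"" default hid the option-file password. The names parse_db_pass, legacy_default and effective_password are hypothetical, the sample values are constructed, and the code models the documented mysql_real_connect() rule without linking libmysqlclient.

```c
#include <stdio.h>
#include <string.h>

/* Minimal stand-in for getopt "p:" handling: -p requires a value.
 * db_pass stays NULL when -p is absent (the behaviour after the fix). */
static const char *parse_db_pass(int argc, char **argv)
{
    const char *db_pass = NULL;
    for (int i = 1; i < argc; i++) {
        if (strncmp(argv[i], "-p", 2) != 0)
            continue;
        if (argv[i][2] != '\0')
            db_pass = argv[i] + 2;          /* -pVALUE */
        else if (i + 1 < argc)
            db_pass = argv[++i];            /* -p VALUE, VALUE may be "" */
    }
    return db_pass;
}

/* Pre-fix behaviour: validate_arguments() replaced NULL with "". */
static const char *legacy_default(const char *db_pass)
{
    return db_pass == NULL ? "" : db_pass;
}

/* Model of the documented mysql_real_connect() rule: a NULL passwd lets the
 * option-file value apply; any non-NULL value, including "", is explicit. */
static const char *effective_password(const char *passwd, const char *file_pass)
{
    if (passwd != NULL)
        return passwd;
    return file_pass != NULL ? file_pass : "";
}

int main(void)
{
    char *none[]  = { "check_mysql", NULL };
    char *empty[] = { "check_mysql", "-p", "", NULL };
    char *given[] = { "check_mysql", "-p", "bar", NULL };
    const char *file_pass = "foo";   /* constructed: password=foo in ~/.my.cnf */

    printf("fixed,  no -p : '%s'\n", effective_password(parse_db_pass(1, none), file_pass));
    printf("legacy, no -p : '%s'\n", effective_password(legacy_default(parse_db_pass(1, none)), file_pass));
    printf("fixed,  -p \"\" : '%s'\n", effective_password(parse_db_pass(3, empty), file_pass));
    printf("fixed,  -p bar: '%s'\n", effective_password(parse_db_pass(3, given), file_pass));
    return 0;
}
```

The "legacy, no -p" row reproduces the reported test case: the option file holds a password, but the explicit "" wins and the server sees no password.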
