search

saltstack-formulas / mysql-formula

Install the MySQL client and/or server
http://docs.saltstack.com/en/latest/topics/development/conventions/formulas.html
Other
85 stars 367 forks source link

[BUG] MySQL root password vulnerability and proposed fix #258

Open an0nz opened 3 years ago

an0nz commented 3 years ago

Your setup

Formula commit hash / release tag

v0.54.2

Versions reports (master & minion)

Salt: 2019.2.7 System Versions: dist: centos 8.2.2004 Core locale: UTF-8 machine: x86_64 release: 5.4.39-linuxkit system: Linux version: CentOS Linux 8.2.2004 Core

Pillar / config used

mysql:
  server:
    root_password: secret123

  database:
    - test

  schema:
    test:
      load: true
      source: salt://files/test.schema

  user:
    myuser
      password: anothersecret
      host: localhost
      databases:
        - database: test
          grants: ['all privileges']

Bug details

Describe the bug

When the state is run both the logs and result printed to console display the MySQL root or salt password when configuring MySQL and importing schemas.

      ID: mysql_root_password
Function: cmd.run
    Name: mysqladmin --host "localhost" --user root password 'secret123'
  Result: True
 Comment: unless condition is true
 Started: 04:11:30.934880
Duration: 12.512 ms
 Changes:
      ID: mysql_db_0_load
Function: cmd.wait
    Name: mysql -u root -hlocalhost -psecret123 test < /etc/mysql/smp.schema
  Result: True
 Comment: Command "mysql -u root -hlocalhost -psecret123 test < /etc/mysql/smp.schema" run
 Started: 04:11:30.974880
Duration: 21.572 ms
 Changes:
          ----------
          pid:
              7039
          retcode:
              0
          stderr:
              mysql: [Warning] Using a password on the command line interface can be insecure.
          stdout:

Steps to reproduce the bug

Run the state with the provided pillar data

Expected behaviour

Root passwords should not be visible at any time or in any logs during execution of the state

Attempts to fix the bug

This can be resolved by using environment variables and setting the output_loglevel to quiet for cmd.run states with sensitive information as covered in https://github.com/saltstack/salt/issues/30842

Existing mysql_root_password State https://github.com/saltstack-formulas/mysql-formula/blob/e20d7c69d12777365ff95c841decfe7dc05c4227/mysql/server.sls#L97-L102

Fixed mysql_root_password State

mysql_root_password:
  cmd.run:
    - name: mysqladmin --host "{{ mysql_host }}" --user {{ mysql_root_user }} password $SALT_PASS
    - unless: mysql --host "{{ mysql_host }}" --user {{ mysql_root_user }} --password=$SALT_PASS --execute="SELECT 1;"
    - env:
      - SALT_PASS: "{{ mysql_root_password|replace("'", "'\"'\"'") }}"
    - output_loglevel: quiet
    - require:
      - service: mysqld-service-running

Existing Schema State https://github.com/saltstack-formulas/mysql-formula/blob/e20d7c69d12777365ff95c841decfe7dc05c4227/mysql/database.sls#L61-L67

Fixed Schema State

{{ state_id }}_load:
  cmd.wait:
    - name: mysql -u {{ mysql_salt_user }} -h{{ mysql_host }} {% if mysql_salt_pass %}-p{%- endif %}$SALT_PASS {{ database }} < /etc/mysql/{{ database }}.schema
    - env:
      - SALT_PASS: "{{ mysql_salt_pass }}"
    - output_loglevel: quiet
    - watch:
      - file: {{ state_id }}_schema
      - mysql_database: {{ state_id }}
{%- endif %}
an0nz commented 3 years ago

This will also resolve issue https://github.com/saltstack-formulas/mysql-formula/issues/75 reported in 2015