crpb / grommunio Goto Github PK

As of writing grommunio-spam-run.sh and grommunio-ham-run.sh parse /etc/gromox/mysql_adaptor.cfg and construct arguments to mysql – including the password (aside of this the current implementation might break with passwords containing spaces, semicolons or other characters interpreted by the bash).

https://mariadb.com/kb/en/mysql-command-line-client/ (more or less a web version of the man page) says:

Specifying a password on the command line should be considered insecure. You can use an option file to avoid giving the password on the command line.

The MySQL 8.0 Reference Manual goes into the details with § 6.1.2.1 End-User Guidelines for Password Security regarding -p:

This is convenient but insecure. On some systems, your password becomes visible to system status programs such as ps that may be invoked by other users to display command lines. MySQL clients typically overwrite the command-line password argument with zeros during their initialization sequence. However, there is still a brief interval during which the value is visible. Also, on some systems this overwriting strategy is ineffective and the password remains visible to ps. (SystemV Unix systems and perhaps others are subject to this problem.)

While I expect a system running grommunio to be sealed system (= not to be used by regular shell users), this can not be expected in general, nor does it seem to be required by the documentation. This insecure way of passing a password to mysql might be treated as security flaw, e.g. CWE-214: Invocation of Process Using Visible Sensitive Information. Note that I don't treat this as overly critical, because of the before mentioned behavior of MySQL clients.

My recommendation is to parse /etc/gromox/mysql_adaptor.cfg and to write a temporary configuration file (often known as .my.cnf) that could be passed using --defaults-file=<path to temporary configuration file> to mysql. Of course that temporary configuration file needs proper permissions and should be deleted after usage.

Interestingly, grommunio-index had the same issue, being fixed with grommunio/grommunio-index@4ebe9ad, thus a similar solution should also fit for grommunio-spam-run.sh and grommunio-ham-run.sh. By the way, I did not find any upstream for grommunio-spam-run.sh, even 629ab04 mentions one, however /usr/sbin/grommunio-spam-run.sh shipped by "grommunio-antispam" (RPM) package looks very similar. Is it possible that not all source code of the "grommunio-antispam" (RPM) package is currently publicly accessible (but still affected by the same weakness)?