
Comments (3)

Sylvain303 commented on August 30, 2024

Wouldn't it leak the mysql root passwords?

Not more than in the pillar, nor in other place you may need to store it:

  • root password is stored in debconf database as well, as seen in #43
  • on debian, you can have root privileges with: mysql --defaults-file=/etc/mysql/debian.cnf mysql
  • also by restarting the mysql server without grant tables:

        service mysql stop
        /usr/bin/mysqld_safe --skip-grant-tables

A person who has root on that box does not necessarily know the MySQL root password:
Drawback: it exposes the root password to any root shell user.

A boolean in the pillar will be required to enable this feature.

(pillar suggestion)

mysql:
  server:
    enable_root_my_cnf: True

Any security suggestions are welcome.

from mysql-formula.

Sylvain303 commented on August 30, 2024

Another way to fetch mysql's root password with shell root access:

For an admin knowing the pillar structure, it can be fetched on the minion:

salt-call config.get mysql:server:root_password

Also, the following confirms that the debian-sys-maint user has all privileges on Debian jessie with MariaDB 10.0. Here is the SQL query for creating this system user:

from: /var/lib/dpkg/info/mariadb-server-10.0.postinst

    replace_query=`/bin/echo -e \
        "USE mysql;\n" \
        "SET sql_mode='';\n" \
        "REPLACE INTO user SET " \
        "  host='localhost', user='debian-sys-maint', password=password('$pass'), " \
        "  Select_priv='Y', Insert_priv='Y', Update_priv='Y', Delete_priv='Y', " \
        "  Create_priv='Y', Drop_priv='Y', Reload_priv='Y', Shutdown_priv='Y', " \
        "  Process_priv='Y',  File_priv='Y', Grant_priv='Y', References_priv='Y', " \
        "  Index_priv='Y', Alter_priv='Y', Super_priv='Y', Show_db_priv='Y', "\
        "  Create_tmp_table_priv='Y', Lock_tables_priv='Y', Execute_priv='Y', "\
        "  Repl_slave_priv='Y', Repl_client_priv='Y', Create_view_priv='Y', "\
        "  Show_view_priv='Y', Create_routine_priv='Y', Alter_routine_priv='Y', "\
        "  Create_user_priv='Y', Event_priv='Y', Trigger_priv='Y',"\
        "  ssl_cipher='', x509_issuer='', x509_subject='';"`;

Which can be reset simply by:

GRANT ALL ON *.* TO 'debian-sys-maint'@'localhost' IDENTIFIED BY 'password from debian.cnf' WITH GRANT OPTION;


Sylvain303 commented on August 30, 2024

Another case where the password is visible and could be hidden:

salt-call -ldebug state.apply mysql.database

can output:

          ID: mysql_db_0_load
    Function: cmd.wait
        Name: mysql -u root -hlocalhost -psomepass foo < /etc/mysql/foo.schema
      Result: False
     Comment: One or more requisite failed: mysql.database.mysql_db_0_schema
     Started: 
    Duration: 
     Changes:  

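
The three comments above describe the same problem from two sides: a root password that ends up readable by any root shell (the /root/.my.cnf the enable_root_my_cnf flag would write), and a password that ends up in logs and process lists because the state runs `mysql -u root -psomepass`. The following is an added shell example, not code from mysql-formula or from the commenter. It writes a [client] defaults file with mode 0600 under a umask rather than chmod-after-the-fact, builds the schema-load command with --defaults-extra-file so the password never appears on the command line, and refuses a defaults file that is not private. The function names, the cnf_is_private check and the constructed password `s3cret` used below are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from mysql-formula. It keeps the MySQL root password
# out of argv and out of state output by handing it to the client through a
# 0600 defaults file instead of "-p<password>" on the command line.

# Write a [client] defaults file readable by its owner only. This is what the
# proposed enable_root_my_cnf pillar flag would drop at /root/.my.cnf; the
# path is a parameter here so the example can run anywhere.
write_client_cnf() {
    cnf=$1; user=$2; pass=$3
    old_umask=$(umask)
    umask 077           # file is created 0600; no chmod race window
    # printf is a shell builtin, so the password is not visible in
    # /proc/*/cmdline (unlike an exec'd "mysql -p...").
    # Assumption: the password contains no double quote or newline.
    printf '[client]\nuser=%s\npassword="%s"\n' "$user" "$pass" > "$cnf"
    umask "$old_umask"
}

# Build the command the cmd.wait state would run. The password never appears
# in it, so "salt-call -ldebug state.apply" and "ps" show only the file path.
# --defaults-extra-file must be the first option the mysql client sees.
schema_load_cmd() {
    cnf=$1; db=$2; schema=$3
    printf 'mysql --defaults-extra-file=%s -hlocalhost %s < %s' "$cnf" "$db" "$schema"
}

# Refuse to use a defaults file that is not a regular file with exact mode
# 0600 owned by the current user (find -perm/-user are POSIX, stat -c is not).
cnf_is_private() {
    [ -f "$1" ] && [ -n "$(find "$1" -perm 600 -user "$(id -un)" 2>/dev/null)" ]
}

# Usage: check the file first, then run the load only through the file.
# load_schema /root/.my.cnf foo /etc/mysql/foo.schema
load_schema() {
    cnf_is_private "$1" || { echo "refusing: $1 is not a private 0600 file" >&2; return 1; }
    sh -c "$(schema_load_cmd "$1" "$2" "$3")"
}
```

This only moves the secret out of logs and process lists; a root shell can still read the file, which is the drawback the first comment already accepts. Because the password reaches the client through a file rather than argv, the cmd.wait Name shown in the debug output contains only the path, and `-ldebug` can stay on.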
