[BUG] MySQL root password vulnerability and proposed fix

[an0nz]

Your setup

Formula commit hash / release tag

v0.54.2

Versions reports (master & minion)

Salt: 2019.2.7
System Versions:
dist: centos 8.2.2004 Core
locale: UTF-8
machine: x86_64
release: 5.4.39-linuxkit
system: Linux
version: CentOS Linux 8.2.2004 Core

Pillar / config used

mysql:
  server:
    root_password: secret123

  database:
    - test

  schema:
    test:
      load: true
      source: salt://files/test.schema

  user:
    myuser
      password: anothersecret
      host: localhost
      databases:
        - database: test
          grants: ['all privileges']

---

Bug details

Describe the bug

When the state is run both the logs and result printed to console display the MySQL root or salt password when configuring MySQL and importing schemas.

---

      ID: mysql_root_password
Function: cmd.run
    Name: mysqladmin --host "localhost" --user root password 'secret123'
  Result: True
 Comment: unless condition is true
 Started: 04:11:30.934880
Duration: 12.512 ms
 Changes:

---

---

      ID: mysql_db_0_load
Function: cmd.wait
    Name: mysql -u root -hlocalhost -psecret123 test < /etc/mysql/smp.schema
  Result: True
 Comment: Command "mysql -u root -hlocalhost -psecret123 test < /etc/mysql/smp.schema" run
 Started: 04:11:30.974880
Duration: 21.572 ms
 Changes:
          ----------
          pid:
              7039
          retcode:
              0
          stderr:
              mysql: [Warning] Using a password on the command line interface can be insecure.
          stdout:

---

Steps to reproduce the bug

Run the state with the provided pillar data

Expected behaviour

Root passwords should not be visible at any time or in any logs during execution of the state

Attempts to fix the bug

This can be resolved by using environment variables and setting the output_loglevel to quiet for cmd.run states with sensitive information as covered in saltstack/salt#30842

Existing mysql_root_password State

mysql-formula/mysql/server.sls

Lines 97 to 102 in e20d7c6

	mysql_root_password:
	cmd.run:
	- name: mysqladmin --host "{{ mysql_host }}" --user {{ mysql_root_user }} password '{{ mysql_root_password|replace("'", "'\"'\"'") }}'
	- unless: mysql --host "{{ mysql_host }}" --user {{ mysql_root_user }} --password='{{ mysql_root_password|replace("'", "'\"'\"'") }}' --execute="SELECT 1;"
	- require:
	- service: mysqld-service-running

Fixed mysql_root_password State

mysql_root_password:
  cmd.run:
    - name: mysqladmin --host "{{ mysql_host }}" --user {{ mysql_root_user }} password $SALT_PASS
    - unless: mysql --host "{{ mysql_host }}" --user {{ mysql_root_user }} --password=$SALT_PASS --execute="SELECT 1;"
    - env:
      - SALT_PASS: "{{ mysql_root_password|replace("'", "'\"'\"'") }}"
    - output_loglevel: quiet
    - require:
      - service: mysqld-service-running

Existing Schema State

mysql-formula/mysql/database.sls

Lines 61 to 67 in e20d7c6

	{{ state_id }}_load:
	cmd.wait:
	- name: mysql -u {{ mysql_salt_user }} -h{{ mysql_host }} {% if mysql_salt_pass %}-p{%- endif %}{{ mysql_salt_pass }} {{ database }} < /etc/mysql/{{ database }}.schema
	- watch:
	- file: {{ state_id }}_schema
	- mysql_database: {{ state_id }}
	{%- endif %}

Fixed Schema State

{{ state_id }}_load:
  cmd.wait:
    - name: mysql -u {{ mysql_salt_user }} -h{{ mysql_host }} {% if mysql_salt_pass %}-p{%- endif %}$SALT_PASS {{ database }} < /etc/mysql/{{ database }}.schema
    - env:
      - SALT_PASS: "{{ mysql_salt_pass }}"
    - output_loglevel: quiet
    - watch:
      - file: {{ state_id }}_schema
      - mysql_database: {{ state_id }}
{%- endif %}

[an0nz]

This will also resolve issue #75 reported in 2015