Hello, During some test of pmm tool, we find a strange behaviour from security point of view.
The pmm-mysql-metrics-42002.service file exposes the username and password
credentials in plain text to non-privileged users via the DATA_SOURCE_NAME
Environment variable.WIth a non-privileged user:
The password is in clear text for all users. This user asks SUPER privileges to works.
Other strange behaviour appear when we activate mysql metric to PMM
pmm-admin add mysql --user USER --password PASSWORD
It’s not possible to use prompt to hide the password. Password is appearing in bash history. Is it possible to use a mysql user with Linux authentication (auth_socket) ? This will solve our password problems. Thank you for your help,
It is possible to use UNIX socket with --socket flag, and MySQL client configuration file with --defaults-file flag. The later one can contain the password and be protected. pmm-admin add mysql also can use my_print_defaults tool for using an encrypted password.
alexey.palazhchenko said:
It is possible to use UNIX socket with --socket flag, and MySQL client configuration file with --defaults-file flag. The later one can contain the password and be protected. pmm-admin add mysql also can use my_print_defaults tool for using an encrypted password.
Hello, Thanks for answer, but I didn't find on documentation or on web example to use my_print_defaultstool with pmm-admin add mysql.Do you use like :
```
pmm-adm add mysql --user USER --password `my_print_defaults LOGIN_PATH_NAME -s |
grep password | cut -d "=" -f 2`
```
or there is a simple way ? Thank in advance
aurelfer said:
... The pmm-mysql-metrics-42002.service file exposes the username and password
credentials in plain text to non-privileged users via the DATA_SOURCE_NAME
Environment variable.WIth a non-privileged user:
```
systemctl cat pmm-mysql-metrics-42002 ... Environment="DATA_SOURCE_NAME=PERCONA_USER:CLEAR_PASSWORD@unix(/var/run/mysqld/mysqld.sock)/?parseTime=true&time_zone='%%2b00%%3a00'&loc=UTC" Restart=always ...
```
The password is in clear text for all users. This user asks SUPER privileges to works....
When we try to secure this point, it's clearly not possible:
```
# ls -lah /etc/systemd/system/pmm-mysql-metrics-42002.service -rw-r--r-- 1 root root 1.5K Aug 4 11:15 /etc/systemd/system/pmm-mysql-metrics-42002.service # chmod 640 /etc/systemd/system/pmm-mysql-metrics-42002.service
```
We start some test to check if this break something on systemctl.
When I read Jira (percona), Forum and documentation, I have the feeling it's normal behaviour for Percona's users.For administrator Linux teams, DBA and Security, of my company, it's look like to security failure. Is-it a normal behavior or do I have to create a Jira ticket ?
It was more easier to configure the tool for PostgreSQL databases than MySQL. We use Os authtication on PostgreSQL pg_hba and create dedicate user on OS and on Postgres.
Hello.
In my system, mysql instance runs under mysql OS user, and pmm client under pmm OS user. I cannot change that.
How can I secure mysql SUPER password in this case?
Thanks and Regards,
Elisa