passowrd in clear text in pmm-mysql-metrics-42002.service file

aurelfer · December 30, 2020, 4:26pm

Hello,
During some test of pmm tool, we find a strange behaviour from security point of view.

The pmm-mysql-metrics-42002.service file exposes the username and password
credentials in plain text to non-privileged users via the DATA_SOURCE_NAME
Environment variable.WIth a non-privileged user:

systemctl cat pmm-mysql-metrics-42002<br>...<br>Environment="DATA_SOURCE_NAME=<b>PERCONA_USER</b>:<b>CLEAR_PASSWORD</b>@unix(/var/run/mysqld/mysqld.sock)/?parseTime=true&amp;time_zone='%%2b00%%3a00'&amp;loc=UTC"<br>Restart=always<br>...<br>

The password is in clear text for all users. This user asks SUPER privileges to works.

Other strange behaviour appear when we activate mysql metric to PMM

pmm-admin add mysql --user USER --password PASSWORD

It’s not possible to use prompt to hide the password. Password is appearing in bash history.
Is it possible to use a mysql user with Linux authentication (auth_socket) ?
This will solve our password problems.
Thank you for your help,

Regards,

alexey.palazhchenko · December 30, 2020, 4:36pm

It is possible to use UNIX socket with --socket flag, and MySQL client configuration file with --defaults-file flag. The later one can contain the password and be protected. pmm-admin add mysql also can use my_print_defaults tool for using an encrypted password.

aurelfer · December 30, 2020, 4:36pm

alexey.palazhchenko said: It is possible to use UNIX socket with --socket flag, and MySQL client configuration file with --defaults-file flag. The later one can contain the password and be protected. pmm-admin add mysql also can use my_print_defaults tool for using an encrypted password.

Hello,
Thanks for answer, but I didn't find on documentation or on web example to use my_print_defaultstool with pmm-admin add mysql.Do you use like : ``` pmm-adm add mysql --user USER --password `my_print_defaults LOGIN_PATH_NAME -s | grep password | cut -d "=" -f 2` ``` or there is a simple way ?
Thank in advance

aurelfer · December 30, 2020, 4:36pm

aurelfer said: ...
The pmm-mysql-metrics-42002.service file exposes the username and password credentials in plain text to non-privileged users via the DATA_SOURCE_NAME Environment variable.WIth a non-privileged user:
``` systemctl cat pmm-mysql-metrics-42002
...
Environment="DATA_SOURCE_NAME=PERCONA_USER:CLEAR_PASSWORD@unix(/var/run/mysqld/mysqld.sock)/?parseTime=true&time_zone='%%2b00%%3a00'&loc=UTC"
Restart=always
...
``` The password is in clear text for all users. This user asks SUPER privileges to works....

When we try to secure this point, it's clearly not possible:
``` # ls -lah /etc/systemd/system/pmm-mysql-metrics-42002.service
-rw-r--r-- 1 root root 1.5K Aug 4 11:15 /etc/systemd/system/pmm-mysql-metrics-42002.service
# chmod 640 /etc/systemd/system/pmm-mysql-metrics-42002.service
``` We start some test to check if this break something on systemctl.

When I read Jira (percona), Forum and documentation, I have the feeling it's normal behaviour for Percona's users.For administrator Linux teams, DBA and Security, of my company, it's look like to security failure.
Is-it a normal behavior or do I have to create a Jira ticket ?

It was more easier to configure the tool for PostgreSQL databases than MySQL. We use Os authtication on PostgreSQL pg_hba and create dedicate user on OS and on Postgres.