mysqldump-secure
mysqldump-secure copied to clipboard
cytopia
Absolutely unsecure
Thank you for publishing this :)
The software is very nice - uses itself mysqldump . It produces a secure (compressed and encrypted) output but - due to the fact that everything is defined via plain text, included passwords, it is highly insecure.
Every developer / hacker is able to de-engineer it, to grasp the connection parametes, to use them to run a simple mysqldump, to steal DB data.
@redskate thanks for raising the concern.
due to the fact that everything is defined via plain text, included passwords,
If you've been on any Debian machine with MySQL installed, you will notice that there is also a /etc/mysql/debian.cnf which contains MySQL credentials with root level access to DB. This is normal behaviour and the file has according file level permissions so that only the root user can access the file (with clear-text credentials). This is pretty mich the same with mysqldump-secure configuration files.
Usually also if you compromise the root user, you can always compromise the rest of the system.
Other than this, can you please elaborate how else a developer would steal the connection parameters?
Perfectly right, once an aggressor has root password, also the DB on that computer is lost.
I was hoping - reading the word secure, that there could be more security even having root password. Why making then things “secure”? To feed an assurance? ;)
For instance (my suggestions):
- encrypt (and do not expose) .cnf information which should be given via terminal once
- encapsulate mysqldump - using cnf + mysqldump a user can access and export everything but not entrcypted.
- do not use /bin/sh (e.g. I remove /bin/sh from my docker containers to offer bash access)
100% security is never… but one-way-inputs could help avoiding decryption in some cases. E.g. if an aggressor needs too long to decrypt, (s)he will leave the project for another easier case ...
On 2 Jul 2021, at 10:18, cytopia @.***> wrote:
@redskate https://github.com/redskate thanks for raising the concern.
due to the fact that everything is defined via plain text, included passwords,
If you've been on any Debian machine with MySQL installed, you will notice that there is also a /etc/mysql/debian.cnf which contains MySQL credentials with root level access to DB. This is normal behaviour and the file has according file level permissions so that only the root user can access the file (with clear-text credentials). This is pretty mich the same with mysqldump-secure configuration files.
Usually also if you compromise the root user, you can always compromise the rest of the system.
Other than this, can you please elaborate how else a developer would steal the connection parameters?
— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/cytopia/mysqldump-secure/issues/34#issuecomment-872812427, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAHOXLK4YI53SMWXATUYCLDTVVY4JANCNFSM47VI34FA.