MySQL5/EnvironmentVariablePassword

Description

From a terminal, any user can print the environment variables of their session (for example with env or printenv). If MYSQL_PWD is set there, the password used to connect to the database is exposed in plain text, which is a serious security risk.

This test checks for that configuration so that the database is better protected.

Rationale

Some versions of ps include an option to display the environment of running processes, so a password stored in MYSQL_PWD appears in plain text and, on such systems, can be read by any user who runs ps. Even where ps does not expose it, a process environment is often readable by other means (on Linux, /proc/<pid>/environ is readable by the owner of the process and by root). For the security of a MySQL server, this variable should never be used to hold a password.

The recommendation is that the client software always prompts for the password (mysql -p with no value) instead of reading it from the environment. For non-interactive scripts, an option file readable only by its owner (chmod 600 ~/.my.cnf) or a login path created with mysql_config_editor is the usual alternative.

The fix is to remove MYSQL_PWD from the environment by running unset MYSQL_PWD. Note that unset only affects the current shell: users or scripts may set the variable again at the next login, from shell startup files, cron entries, or service definitions, so those sources must be reviewed and the assignment removed where found. Processes that were started with the variable keep it in their environment until they are restarted.

Examples

In many cases, environment variables are loaded automatically at login from the .bashrc, .profile or .bash_profile files in each user's home directory. To check every user's home directory at once, run the following command (bash brace expansion) to see whether any user sets MYSQL_PWD in the environment; /root and the system-wide files /etc/profile, /etc/environment and /etc/profile.d/* deserve the same check.

grep -s MYSQL_PWD /home/*/.{bashrc,profile,bash_profile}

If the above command finds any reference to MYSQL_PWD, it prints the file path and the matching line (the -s flag only silences errors for files that do not exist), for example:

/home/user/.bashrc:export MYSQL_PWD="MysqlPassword"

Here the file /home/user/.bashrc contains the line export MYSQL_PWD="MysqlPassword", so the password is placed in the environment at every login. This is a misconfiguration and must be corrected by deleting the line from the file; sessions that are already open keep the variable until they run unset MYSQL_PWD or log out, and because the password has been readable by anyone who could read the file or the process environment, changing it is advisable. Otherwise the server remains insecure.
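The grep above covers the users' startup files, but the same check has to cover /root, the system-wide profile files, and the processes that were started before the line was removed. The following script gathers those checks; it is added here as an example and is not part of the original page or of the MySQL project. The list of startup files, the script name audit_mysql_pwd.sh, and the use of Linux /proc/<pid>/environ are assumptions.

```sh
#!/bin/sh
# Added audit helper (not part of the original page): finds where MYSQL_PWD is
# set persistently, so that "unset MYSQL_PWD" is not undone at the next login,
# and spots processes that already carry it in their environment.
# Assumptions: Linux with /proc, and the list of startup files below
# (extend it for shells such as zsh if they are in use).

# Shell startup files that commonly export variables. /home/* covers regular
# users; /root and the system-wide files are easy to forget.
rc_files() {
    for f in /etc/profile /etc/environment /etc/bash.bashrc /etc/profile.d/*.sh \
             /root/.bashrc /root/.profile /root/.bash_profile \
             /home/*/.bashrc /home/*/.profile /home/*/.bash_profile /home/*/.bash_login; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Print "file:line:content" for every non-comment line that assigns MYSQL_PWD
# in the given files (an inline "MYSQL_PWD=x mysql ..." counts too, since it
# still reaches the client's environment). "unset MYSQL_PWD" is not reported.
# Exits non-zero only if grep itself failed, not when nothing was found.
find_mysql_pwd_in_files() {
    grep -Hn '^[^#]*MYSQL_PWD=' "$@" 2>/dev/null || [ $? -le 1 ]
}

# Report whether an environ file (NUL-separated KEY=VALUE entries, as in
# /proc/<pid>/environ) contains MYSQL_PWD. Exit 0 if found, 1 otherwise.
# Only the name is checked and the value is never printed, so the audit
# output does not itself leak the password.
environ_has_mysql_pwd() {
    tr '\000' '\n' < "$1" 2>/dev/null | grep -q '^MYSQL_PWD='
}

# Walk every process environment this user may read (all of them as root) and
# name the PIDs that still carry MYSQL_PWD; they keep it until restarted even
# after the startup files have been fixed.
scan_running_processes() {
    for e in /proc/[0-9]*/environ; do
        [ -r "$e" ] || continue
        if environ_has_mysql_pwd "$e"; then
            pid=${e#/proc/}; pid=${pid%/environ}
            cmd=$(tr '\000' ' ' < "/proc/$pid/cmdline" 2>/dev/null | cut -c1-60)
            printf 'pid %s (%s) has MYSQL_PWD in its environment\n' "$pid" "$cmd"
        fi
    done
    return 0
}

# Full audit: the current shell, the persistent sources, then running processes.
audit() {
    if [ -n "${MYSQL_PWD+set}" ]; then
        echo "MYSQL_PWD is set in this shell: run 'unset MYSQL_PWD'"
    else
        echo "MYSQL_PWD is not set in this shell"
    fi
    echo "--- startup files that assign MYSQL_PWD ---"
    files=$(rc_files)
    # word splitting of the newline-separated list is intended here
    [ -n "$files" ] && find_mysql_pwd_in_files $files
    echo "--- running processes with MYSQL_PWD in their environment ---"
    scan_running_processes
}

# Run the audit only when invoked as "sh audit_mysql_pwd.sh run", so the
# functions can also be sourced into other scripts without side effects.
case "${1:-}" in
    run) audit ;;
esac
```

Run it as root to see every process; as an ordinary user it reports only that user's own processes. Lines it reports in startup files are the ones to delete; the PIDs it reports are the sessions and services that must be restarted after the files are fixed.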