Refs codership/mysql-wsrep#141: this commit

1. Passes wsrep_sst_auth_value to SST scripts via WSREP_SST_OPT_AUTH envronmental variable, so it never appears on the command line 2. In mysqldump and xtrabackup* SST scripts which rely on MySQL authentication, instead of passing password on the command line, SST script sets MYSQL_PWD environment variable, so that password also never appears on the mysqldump/innobackupex command line.

Refs codership/mysql-wsrep#141: this commit
1. Passes wsrep_sst_auth_value to SST scripts via WSREP_SST_OPT_AUTH envronmental variable, so it never appears on the command line 2. In mysqldump and xtrabackup* SST scripts which rely on MySQL authentication, instead of passing password on the command line, SST script sets MYSQL_PWD environment variable, so that password also never appears on the mysqldump/innobackupex command line.
d78110e7 · Alexey Yurchenko · Nirbhay Choubey · 4f4f3a5e · d78110e7 · d78110e7
Commit d78110e7 authored Jun 06, 2015 by Alexey Yurchenko Committed by Nirbhay Choubey Sep 09, 2015
9 changed files
--- a/scripts/wsrep_sst_common.sh
+++ b/scripts/wsrep_sst_common.sh
-# Copyright (C) 2012-2014 Codership Oy
+# Copyright (C) 2012-2015 Codership Oy
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -20,7 +20,9 @@ set -u

 WSREP_SST_OPT_BYPASS=0
 WSREP_SST_OPT_DATA=""
-WSREP_SST_OPT_AUTH=""
+WSREP_SST_OPT_AUTH=${WSREP_SST_OPT_AUTH:-}
+WSREP_SST_OPT_USER=${WSREP_SST_OPT_USER:-}
+WSREP_SST_OPT_PSWD=${WSREP_SST_OPT_PSWD:-}

 while [ $# -gt 0 ]; do
 case "$1" in
@@ -28,10 +30,6 @@ case "$1" in
        readonly WSREP_SST_OPT_ADDR="$2"
        shift
        ;;
-    '--auth')
-        WSREP_SST_OPT_AUTH="$2"
-        shift
-        ;;
    '--bypass')
        WSREP_SST_OPT_BYPASS=1
        ;;
@@ -114,12 +112,30 @@ else
    MY_PRINT_DEFAULTS=$(which my_print_defaults)
 fi

+wsrep_auth_not_set()
+{
+    [ -z "$WSREP_SST_OPT_AUTH" -o "$WSREP_SST_OPT_AUTH" = "(null)" ]
+}
+
 # For Bug:1200727
-if $MY_PRINT_DEFAULTS -c $WSREP_SST_OPT_CONF sst | grep -q "wsrep_sst_auth";then
-    if [ -z "$WSREP_SST_OPT_AUTH" -o "$WSREP_SST_OPT_AUTH" = "(null)" ];then
-            WSREP_SST_OPT_AUTH=$(my_print_defaults -c $WSREP_SST_OPT_CONF sst | grep -- "--wsrep_sst_auth" | cut -d= -f2)
+if $MY_PRINT_DEFAULTS -c $WSREP_SST_OPT_CONF sst | grep -q "wsrep_sst_auth"
+then
+    if wsrep_auth_not_set
+    then
+        WSREP_SST_OPT_AUTH=$(MY_PRINT_DEFAULTS -c $WSREP_SST_OPT_CONF sst | grep -- "--wsrep_sst_auth" | cut -d= -f2)
    fi
 fi
+readonly WSREP_SST_OPT_AUTH
+
+# Splitting AUTH into potential user:password pair
+if ! wsrep_auth_not_set
+then
+    readonly AUTH_VEC=(${WSREP_SST_OPT_AUTH//:/ })
+    [ -n "${AUTH_VEC[0]}" ] && WSREP_SST_OPT_USER="${AUTH_VEC[0]}"
+    [ -n "${AUTH_VEC[1]}" ] && WSREP_SST_OPT_PSWD="${AUTH_VEC[1]}"
+fi
+readonly WSREP_SST_OPT_USER
+readonly WSREP_SST_OPT_PSWD

 if [ -n "${WSREP_SST_OPT_DATA:-}" ]
 then
@@ -128,7 +144,6 @@ else
    SST_PROGRESS_FILE=""
 fi

-
 wsrep_log()
 {
    # echo everything to stderr so that it gets into common error log

--- a/scripts/wsrep_sst_mysqldump.sh
+++ b/scripts/wsrep_sst_mysqldump.sh
-#!/bin/bash -e
-# Copyright (C) 2009 Codership Oy
+#!/bin/bash -ue
+# Copyright (C) 2009-2015 Codership Oy
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -38,7 +38,6 @@ local_ip()
    return 1
 }

-if test -z "$WSREP_SST_OPT_USER";  then wsrep_log_error "USER cannot be nil";  exit $EINVAL; fi
 if test -z "$WSREP_SST_OPT_HOST";  then wsrep_log_error "HOST cannot be nil";  exit $EINVAL; fi
 if test -z "$WSREP_SST_OPT_PORT";  then wsrep_log_error "PORT cannot be nil";  exit $EINVAL; fi
 if test -z "$WSREP_SST_OPT_LPORT"; then wsrep_log_error "LPORT cannot be nil"; exit $EINVAL; fi
@@ -54,7 +53,7 @@ then
 fi

 # Check client version
-CLIENT_MINOR=$(mysql --version | cut -d ' ' -f 6 | cut -d '.' -f 2)
+CLIENT_MINOR=$($MYSQL_CLIENT --version | cut -d ' ' -f 6 | cut -d '.' -f 2)
 if [ $CLIENT_MINOR -lt "5" ]
 then
    $MYSQL_CLIENT --version >&2
@@ -62,13 +61,18 @@ then
    exit $EINVAL
 fi

-# For Bug:1293798
-if [ -z "$WSREP_SST_OPT_PSWD" -a -n "$WSREP_SST_OPT_AUTH" ]; then
-    WSREP_SST_OPT_USER=$(echo $WSREP_SST_OPT_AUTH | cut -d: -f1)
-    WSREP_SST_OPT_PSWD=$(echo $WSREP_SST_OPT_AUTH | cut -d: -f2)
-fi
-AUTH="-u$WSREP_SST_OPT_USER"
-if test -n "$WSREP_SST_OPT_PSWD"; then AUTH="$AUTH -p$WSREP_SST_OPT_PSWD"; fi
+[ -n "$WSREP_SST_OPT_USER" ] && AUTH="-u$WSREP_SST_OPT_USER" || AUTH=
+
+# Refs https://github.com/codership/mysql-wsrep/issues/141
+# Passing password in MYSQL_PWD environment variable is considered
+# "extremely insecure" by MySQL Guidelines for Password Security
+# (https://dev.mysql.com/doc/refman/5.6/en/password-security-user.html)
+# that is even less secure than passing it on a command line! It is doubtful:
+# the whole command line is easily observable by any unprivileged user via ps,
+# whereas (at least on Linux) unprivileged user can't see process environment
+# that he does not own. So while it may be not secure in the NSA sense of the
+# word, it is arguably more secure than passing password on the command line.
+[ -n "$WSREP_SST_OPT_PSWD" ] && export MYSQL_PWD="$WSREP_SST_OPT_PSWD"

 STOP_WSREP="SET wsrep_on=OFF;"

@@ -104,10 +108,10 @@ MYSQL="$MYSQL_CLIENT $AUTH -h$WSREP_SST_OPT_HOST -P$WSREP_SST_OPT_PORT "\
 # need to disable logging when loading the dump
 # reason is that dump contains ALTER TABLE for log tables, and
 # this causes an error if logging is enabled
-GENERAL_LOG_OPT=`$MYSQL --skip-column-names -e"$STOP_WSREP SELECT @@GENERAL_LOG"`
-SLOW_LOG_OPT=`$MYSQL --skip-column-names -e"$STOP_WSREP SELECT @@SLOW_QUERY_LOG"`
-$MYSQL -e"$STOP_WSREP SET GLOBAL GENERAL_LOG=OFF"
-$MYSQL -e"$STOP_WSREP SET GLOBAL SLOW_QUERY_LOG=OFF"
+GENERAL_LOG_OPT=`$MYSQL --skip-column-names -e "$STOP_WSREP SELECT @@GENERAL_LOG"`
+SLOW_LOG_OPT=`$MYSQL --skip-column-names -e "$STOP_WSREP SELECT @@SLOW_QUERY_LOG"`
+$MYSQL -e "$STOP_WSREP SET GLOBAL GENERAL_LOG=OFF"
+$MYSQL -e "$STOP_WSREP SET GLOBAL SLOW_QUERY_LOG=OFF"

 # commands to restore log settings
 RESTORE_GENERAL_LOG="SET GLOBAL GENERAL_LOG=$GENERAL_LOG_OPT;"

--- a/scripts/wsrep_sst_rsync.sh
+++ b/scripts/wsrep_sst_rsync.sh
@@ -32,8 +32,8 @@ wsrep_check_programs rsync

 cleanup_joiner()
 {
-    wsrep_log_info "Joiner cleanup."
    local PID=$(cat "$RSYNC_PID" 2>/dev/null || echo 0)
+    wsrep_log_info "Joiner cleanup. rsync PID: $PID"
    [ "0" != "$PID" ] && kill $PID && sleep 0.5 && kill -9 $PID >/dev/null 2>&1 \
    || :
    rm -rf "$RSYNC_CONF"

--- a/scripts/wsrep_sst_xtrabackup-v2.sh
+++ b/scripts/wsrep_sst_xtrabackup-v2.sh
@@ -77,7 +77,6 @@ pcmd="pv $pvopts"
 declare -a RC

 INNOBACKUPEX_BIN=innobackupex
-readonly AUTH=(${WSREP_SST_OPT_AUTH//:/ })
 DATA="${WSREP_SST_OPT_DATA}"
 INFO_FILE="xtrabackup_galera_info"
 IST_FILE="xtrabackup_ist"
@@ -576,13 +575,14 @@ then
        itmpdir=$(mktemp -d)
        wsrep_log_info "Using $itmpdir as innobackupex temporary directory"

-        if [ "${AUTH[0]}" != "(null)" ]; then
-           INNOEXTRA+=" --user=${AUTH[0]}"
-       fi
+        if [ "$WSREP_SST_OPT_USER" != "(null)" ]; then
+           INNOEXTRA+=" --user=$WSREP_SST_OPT_USER"
+        fi

-        if [ ${#AUTH[*]} -eq 2 ]; then
-           INNOEXTRA+=" --password=${AUTH[1]}"
-        elif [ "${AUTH[0]}" != "(null)" ]; then
+        if [ -n "$WSREP_SST_OPT_PSWD" ]; then
+#           INNOEXTRA+=" --password=$WSREP_SST_OPT_PSWD"
+           export MYSQL_PWD="$WSREP_SST_OPT_PSWD"
+        else
           # Empty password, used for testing, debugging etc.
           INNOEXTRA+=" --password="
        fi

--- a/scripts/wsrep_sst_xtrabackup.sh
+++ b/scripts/wsrep_sst_xtrabackup.sh
@@ -61,7 +61,6 @@ pcmd="pv $pvopts"
 declare -a RC

 INNOBACKUPEX_BIN=innobackupex
-readonly AUTH=(${WSREP_SST_OPT_AUTH//:/ })
 DATA="${WSREP_SST_OPT_DATA}"
 INFO_FILE="xtrabackup_galera_info"
 IST_FILE="xtrabackup_ist"
@@ -435,13 +434,14 @@ then
    then
        TMPDIR="${TMPDIR:-/tmp}"

-        if [ "${AUTH[0]}" != "(null)" ]; then
-           INNOEXTRA+=" --user=${AUTH[0]}"
-       fi
+        if [ "$WSREP_SST_OPT_USER" != "(null)" ]; then
+           INNOEXTRA+=" --user=$WSREP_SST_OPT_USER"
+        fi

-        if [ ${#AUTH[*]} -eq 2 ]; then
-           INNOEXTRA+=" --password=${AUTH[1]}"
-        elif [ "${AUTH[0]}" != "(null)" ]; then
+        if [ -n "$WSREP_SST_OPT_PSWD"  ]; then
+#           INNOEXTRA+=" --password=$WSREP_SST_OPT_PSWD"
+           export MYSQL_PWD="$WSREP_SST_OPT_PSWD"
+        else
           # Empty password, used for testing, debugging etc.
           INNOEXTRA+=" --password="
        fi

--- a/sql/wsrep_notify.cc
+++ b/sql/wsrep_notify.cc
@@ -97,7 +97,7 @@ void wsrep_notify_status (wsrep_member_status_t    status,
    return;
  }

-  wsp::process p(cmd_ptr, "r");
+  wsp::process p(cmd_ptr, "r", NULL);

  p.wait();
  int err = p.error();

--- a/sql/wsrep_sst.cc
+++ b/sql/wsrep_sst.cc
--- a/sql/wsrep_utils.cc
+++ b/sql/wsrep_utils.cc
@@ -63,7 +63,7 @@ wsrep_prepend_PATH (const char* path)
        size_t const new_path_len(strlen(old_path) + strlen(":") +
                                  strlen(path) + 1);

-        char* const new_path (reinterpret_cast<char*>(malloc(new_path_len)));
+        char* const new_path (static_cast<char*>(malloc(new_path_len)));

        if (new_path)
        {
@@ -89,6 +89,91 @@ wsrep_prepend_PATH (const char* path)
 namespace wsp
 {

+bool
+env::ctor_common(char** e)
+{
+    env_ = static_cast<char**>(malloc((len_ + 1) * sizeof(char*)));
+
+    if (env_)
+    {
+        for (size_t i(0); i < len_; ++i)
+        {
+            assert(e[i]); // caller should make sure about len_
+            env_[i] = strdup(e[i]);
+            if (!env_[i])
+            {
+                errno_ = errno;
+                WSREP_ERROR("Failed to allocate env. var: %s", e[i]);
+                return true;
+            }
+        }
+
+        env_[len_] = NULL;
+        return false;
+    }
+    else
+    {
+        errno_ = errno;
+        WSREP_ERROR("Failed to allocate env. var vector of length: %zu", len_);
+        return true;
+    }
+}
+
+void
+env::dtor()
+{
+    if (env_)
+    {
+        /* don't need to go beyond the first NULL */
+        for (size_t i(0); env_[i] != NULL; ++i) { free(env_[i]); }
+        free(env_);
+        env_ = NULL;
+    }
+    len_ = 0;
+}
+
+env::env(char** e)
+    : len_(0), env_(NULL), errno_(0)
+{
+    if (!e) { e = environ; }
+    /* count the size of the vector */
+    while (e[len_]) { ++len_; }
+
+    if (ctor_common(e)) dtor();
+}
+
+env::env(const env& e)
+    : len_(e.len_), env_(0), errno_(0)
+{
+    if (ctor_common(e.env_)) dtor();
+}
+
+env::~env() { dtor(); }
+
+int
+env::append(const char* val)
+{
+    char** tmp = static_cast<char**>(realloc(env_, (len_ + 2)*sizeof(char*)));
+
+    if (tmp)
+    {
+        env_ = tmp;
+        env_[len_] = strdup(val);
+
+        if (env_[len_])
+        {
+            ++len_;
+            env_[len_] = NULL;
+        }
+    }
+
+    /* if either realloc() or strdup() failed, errno had been set */
+    errno_ = errno;
+
+    return errno_;
+}
+
+
 #define PIPE_READ  0
 #define PIPE_WRITE 1
 #define STDIN_FD   0
@@ -98,7 +183,7 @@ namespace wsp
 # define POSIX_SPAWN_USEVFORK 0
 #endif

-process::process (const char* cmd, const char* type)
+process::process (const char* cmd, const char* type, char** env)
    : str_(cmd ? strdup(cmd) : strdup("")), io_(NULL), err_(EINVAL), pid_(0)
 {
    if (0 == str_)
@@ -120,6 +205,8 @@ process::process (const char* cmd, const char* type)
        return;
    }

+    if (NULL == env) { env = environ; } // default to global environment
+
    int pipe_fds[2] = { -1, };
    if (::pipe(pipe_fds))
    {
@@ -215,7 +302,7 @@ process::process (const char* cmd, const char* type)
        goto cleanup_fact;
    }

-    err_ = posix_spawnp (&pid_, pargv[0], &fact, &attr, pargv, environ);
+    err_ = posix_spawnp (&pid_, pargv[0], &fact, &attr, pargv, env);
    if (err_)
    {
        WSREP_ERROR ("posix_spawnp(%s) failed: %d (%s)",
@@ -309,6 +396,7 @@ process::wait ()
              {
              case 126: err_ = EACCES; break; /* Permission denied */
              case 127: err_ = ENOENT; break; /* No such file or directory */
+              case 143: err_ = EINTR;  break; /* Subprocess killed */
              }
              WSREP_ERROR("Process completed with error: %s: %d (%s)",
                          str_, err_, strerror(err_));

--- a/sql/wsrep_utils.h
+++ b/sql/wsrep_utils.h
@@ -44,6 +44,25 @@ class node_status
 extern wsp::node_status local_status;

 namespace wsp {
+/* a class to manage env vars array */
+class env
+{
+private:
+    size_t len_;
+    char** env_;
+    int    errno_;
+    bool ctor_common(char** e);
+    void dtor();
+    env& operator =(env);
+public:
+    explicit env(char** env);
+    explicit env(const env&);
+    ~env();
+    int append(const char* var); /* add a new env. var */
+    int error() const { return errno_; }
+    char** operator()() { return env_; }
+};
+
 /* A small class to run external programs. */
 class process
 {
@@ -56,8 +75,9 @@ class process
 public:
 /*! @arg type is a pointer to a null-terminated string which  must  contain
         either  the  letter  'r'  for  reading  or the letter 'w' for writing.
+    @arg env optional null-terminated vector of environment variables
 */
-    process  (const char* cmd, const char* type);
+    process  (const char* cmd, const char* type, char** env);
    ~process ();

    FILE* pipe () { return io_;  }
@@ -90,6 +110,8 @@ class string
 {
 public:
    string() : string_(0) {}
+    explicit string(size_t s) : string_(static_cast<char*>(malloc(s))) {}
+    char* operator()() { return string_; }
    void set(char* str) { if (string_) free (string_); string_ = str; }
    ~string() { set (0); }
 private: