savannah-hackers

Re: [Savannah-hackers] Cron <address@hidden> sf_www --user root --passwo


From: Mark H. Weaver
Subject: Re: [Savannah-hackers] Cron <address@hidden> sf_www --user root --password ?????
Date: 27 Feb 2001 00:32:10 -0500
User-agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.0.97

Hugo Gayosso <address@hidden> writes:

> Sending a password as the subject of an email can be dangerous :)
> 
> Messages from this list are being archived and public, I have changed
> that to be private.
> 
> (I replaced the password with ?????)
> 
> Both lines at: `/etc/cron.d/savannah' have this same "feature", and
> both match password with root, so that sounds even more dangerous.

Okay, I looked into it, and that was apparently not root's login
password, it was just the mysql password, or at least I'm not able to
su using it.

For now, I changed /etc/cron.d/savannah to run scripts with no
parameters.  These scripts are readable only by root, and they contain
the password.  This will at least prevent the password from going out in
email, but it will still be in the command line.

That password is being passed to the mysql command line.  I know next to
nothing about mysql, but based on the output of "mysql --help", it looks
as though the password must either be given via a command line or else it
is read from the tty.  Perhaps the password could just be piped into it,
or perhaps we need to use something more fancy like expect(1).

In the meantime, could someone please change root's mysql password to
something else, since the old one is now sitting on a bunch of
people's hard drives by now?  Once you've done that, please change the
scripts in /subversions/sourceforge/bin/*_daily appropriately, and there
are probably other places that need to be changed as well.

        Mark
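
The following is an added example, not part of the original message or of the Savannah scripts. It shows one way to keep the MySQL password out of both the cron line and the process argument list: the client reads it from an owner-only option file named with `--defaults-extra-file`, and a small check lists cron lines that still carry `--password`. All file names, the job paths and the password are constructed placeholders.

```shell
#!/bin/sh
# Added example. File names, job paths and the password are constructed.

# Write a MySQL client option file that only its owner can read.
# The password arrives on stdin, so it is never part of any argv.
write_client_cnf() {
    cnf=$1; user=$2
    IFS= read -r pw || [ -n "$pw" ] || return 1
    rm -f "$cnf"    # an existing file would keep its old, possibly wider, mode
    # umask in a subshell: the file is created 0600, never briefly wider.
    ( umask 077
      printf '[client]\nuser=%s\npassword="%s"\n' "$user" "$pw" > "$cnf" )
}

# Print (with line numbers) the non-comment cron lines that put a password
# on a command line via --password. Exit status 0 means at least one hit.
cron_password_lines() {
    grep -n -- '--password' "$1" | grep -v '^[0-9]*:[[:space:]]*#'
}

# The job itself: credentials come from the option file.
# --defaults-extra-file has to be the first option given to mysql.
run_query() {
    mysql --defaults-extra-file="$1" -e "$2"
}

# Demo on constructed input (run_query is not called; it needs a server).
demo_dir=$(mktemp -d)
cat > "$demo_dir/cron" <<'EOF'
# constructed sample in the style of a cron.d file
0 2 * * * root /path/to/job_a --user root --password EXAMPLE-ONLY
# 0 3 * * * root /path/to/job_b --password EXAMPLE-ONLY
30 2 * * * root /path/to/job_c
EOF
printf '%s\n' 'EXAMPLE-ONLY' | write_client_cnf "$demo_dir/client.cnf" root
echo "cron lines exposing a password:"
cron_password_lines "$demo_dir/cron"
echo "option file mode:"
ls -l "$demo_dir/client.cnf" | cut -c1-10
rm -rf "$demo_dir"
```

The double quotes around the value in the option file keep a `#` in the password from being read as a comment; a password containing `"` or `\` would need escaping that this sketch does not do.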


