[issue] entrypoint script does not escape password properly #183
Comments
|
We don't escape any password characters since we didn't want to implement the equivalent of |
|
@yosifkit Then the fact passwords won't be escaped (and have to be chosen appropriately) should be documented on the Docker Hub page. |
|
This is essentially a duplicate of docker-library/mysql#338. @ltangvald what're your thoughts? For |
|
I think printf %q should be enough, actually: https://github.com/mysql/mysql-server/blob/8.0/packaging/deb-in/mysql-packagesource-server.postinst.in#L86 |
This escapes certain symbols that don't need to be escaped in MySQL, such as $, but MySQL handles that, so if the root password is set to 'mypa$s', printf %q will output 'mypa\$s', but the password will still be stored as 'mypa$s' |
|
So, I don't think that'll work properly given that it outputs $ printf '%q\n' "$(echo -e 'a \r b \n c \\ d '\'' e " f \x1a g')"
$'a \r b \n c \\ d \' e " f \032 g'(Which I don't think is valid in MySQL, right?) |
|
Does that work in postgres? i.e. setting the password to "$(echo -e 'a \r b \n c \ d ''' e " f \x1a g')" |
|
I got postgres to set the password without complaint but I can't get psql to authenticate using it in $ docker run -d -e POSTGRES_PASSWORD="$(echo -e 'a b \n c \\ d '\'' e " f \x1a g')" postgres:10 |
|
Right, the same happens with our deb packages (that use printf %q). I'm not sure we should try to support everything, but random password generators often output some special characters that need escaping. |
|
Actually escaping isn't that bad. Only \ and ' need to be quoted and ensure the session (unlike my lazy test) SQL_MODE doesn't include NO_BACKSLASH_ESCAPES. ref: https://mariadb.com/kb/en/string-literals/ #!/bin/bash
set -eo pipefail
shopt -s nullglob
m="$HOME/repos/build-mariadb-server-10.5/client/mariadb -S /tmp/build-mariadb-server-10.5.sock"
$m -e "SET GLOBAL SQL_MODE = REPLACE(@@SQL_MODE, 'NO_BACKSLASH_ESCAPES', '');"
while [ 1 ]
do
REAL_PASSWORD=$(pwgen --numerals --capitalize --symbols --secure 32 1)
#read -r -d '' -N 30 REAL_PASSWORD < /dev/urandom
# SQL escaping \
p=${REAL_PASSWORD//\\/\\\\}
# SQL escaping '
MARIADB_ROOT_PASSWORD=${p//\'/\\\'}
$m <<- EOSQL || true
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('${MARIADB_ROOT_PASSWORD}');
EOSQL
echo "pass=${MARIADB_ROOT_PASSWORD}"
$m -u root -p"${REAL_PASSWORD}" -Be 'select 1' > /dev/null
done
This cover all the pwgen characters that I saw after a while. Using /dev/urandom (the commented line) does however fail eventually on some character(s?) that I haven't got around to identifying (might even be a bug) - If this is introduced now is this going to throw compatibility problems pre-escaping their password? As a safe route, since no release has been done with 8e0175f I could start escaping the Any objection or other factors I should consider? |
|
Improved script. To use:
If I remove ' --binary-mode' an issue happens within about a minute. Otherwise, it happily keeps running. |
|
Also adding a write-to-file script for long runs. |
|
An overnight run did not locate any issues using the script from my last comment. |
To correctly SQL escape passwords, escaping \ first is required. Then we need to escape ' in the password to prevent it being treated as a end of SQL statement quote. All escaping needs to use \, so we cannot be in NO_BACKSLASH_ESCAPES sql_mode otherwise no escaping will work. As an added complication when using the config file within the entrypoint, for waiting until MariaDB can initialize, a password mechanism a different escaping applies (https://mariadb.com/kb/en/configuring-mariadb-with-option-files/). The printf %q is close, however it provides a much richer escape of non-printable characters than what can be read in the configuration file. As such the password complexity of the root password is limited to escaping \n, \r, \t, \b, \s, \", \', and \\ while for a user MARIADB_PASSWORD anything, including positively crazy strings such as \0 will work. Closes MariaDB#183
|
Thanks for testing @mariadb-RoelVandePaar. For our users #356, contains what has passed my testing so far. If you'd like to test this and provide feedback this would be most useful. |
To correctly SQL escape passwords, escaping \ first is required. Then we need to escape ' in the password to prevent it being treated as a end of SQL statement quote. All escaping needs to use \, so we cannot be in NO_BACKSLASH_ESCAPES sql_mode otherwise no escaping will work. Getting bash to escape the root password for its internal uses and in a form that was recognized by MariaDB reading the configuration file was becoming exceptionally complicated, and unsuccessful. As such we use the MYSQL_PWD environment variable to contain the password when needed. Occasionally the socket wasn't ready on a clean install by the time docker_process_sql was called so allow up to 5 seconds just in case. example logs of this: 2021-03-16 00:41:21+00:00 [Note] [Entrypoint]: Waiting for server startup 2021-03-16 0:41:21 140680894076608 [Note] mysqld (mysqld 10.2.37-MariaDB-1:10.2.37+maria~bionic) starting as process 111 ... 2021-03-16 00:41:21+00:00 [Note] [Entrypoint]: Temporary server started. 2021-03-16 0:41:21 140680894076608 [Note] InnoDB: Mutexes and rw_locks use GCC atomic builtins 2021-03-16 0:41:21 140680894076608 [Note] InnoDB: Uses event mutexes 2021-03-16 0:41:21 140680894076608 [Note] InnoDB: Compressed tables use zlib 1.2.11 2021-03-16 0:41:21 140680894076608 [Note] InnoDB: Using Linux native AIO 2021-03-16 0:41:21 140680894076608 [Note] InnoDB: Number of pools: 1 2021-03-16 0:41:21 140680894076608 [Note] InnoDB: Using SSE2 crc32 instructions ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) Closes MariaDB#183
To correctly SQL escape passwords, escaping \ first is required. Then we need to escape ' in the password to prevent it being treated as a end of SQL statement quote. All escaping needs to use \, so we cannot be in NO_BACKSLASH_ESCAPES sql_mode otherwise no escaping will work. Getting bash to escape the root password for its internal uses and in a form that was recognized by MariaDB reading the configuration file was becoming exceptionally complicated, and unsuccessful. As such we use the MYSQL_PWD environment variable to contain the password when needed. Occasionally the socket wasn't ready on a clean install by the time docker_process_sql was called so allow up to 5 seconds just in case. example logs of this: 2021-03-16 00:41:21+00:00 [Note] [Entrypoint]: Waiting for server startup 2021-03-16 0:41:21 140680894076608 [Note] mysqld (mysqld 10.2.37-MariaDB-1:10.2.37+maria~bionic) starting as process 111 ... 2021-03-16 00:41:21+00:00 [Note] [Entrypoint]: Temporary server started. 2021-03-16 0:41:21 140680894076608 [Note] InnoDB: Mutexes and rw_locks use GCC atomic builtins 2021-03-16 0:41:21 140680894076608 [Note] InnoDB: Uses event mutexes 2021-03-16 0:41:21 140680894076608 [Note] InnoDB: Compressed tables use zlib 1.2.11 2021-03-16 0:41:21 140680894076608 [Note] InnoDB: Using Linux native AIO 2021-03-16 0:41:21 140680894076608 [Note] InnoDB: Number of pools: 1 2021-03-16 0:41:21 140680894076608 [Note] InnoDB: Using SSE2 crc32 instructions ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) Closes #183
Description
I've generated my password for
MYSQL_ROOT_PASSWORDenv var with keepass with all character ranges enabled. The container exits withFull log
where
'Oe(]xI=<&(was part of myMYSQL_ROOT_PASSWORD.Steps to reproduce
Run
sudo docker run --rm -e "MYSQL_ROOT_PASSWORD='Oe(]xI=<&(" mariadb:10.3.8@sha256:f2085c2176ba6294cf73033b344a420faa2ddae1b97b6795c101552e86284ba3The text was updated successfully, but these errors were encountered: