Package: automysqlbackup

Version: 2.6+debian.4-4

Severity: important

Tags: patch, security


Currently there are two options to provide DB username/password from automysqlbackup to mysql tools (mysqldump etc). One can either pass USER and PASSWORD via CLI parameters, or use --defaults-file, which is hard-coded to '/etc/mysql/debian.cnf' in automysqlbackup.

The first approach (CLI params) is considered insecure, as the password gets exposed to other users via the process list. The second approach is acceptable, but has a flaw that the /etc/mysql/debian.cnf path is hard-coded in automysqlbackup and the /etc/mysql/debian.cnf is now OBSOLETE and will be removed in future Debian versions. Also, using /etc/mysql/debian.cnf, we admit to using the same username/password possibly shared with other tools that also use the /etc/mysql/debian.cnf file.

I'd like to propose a patch to automysqlbackup that allows using a custom --defaults-file. The file name may be provided via /etc/default/automysqlbackup. There is a pull request on salsa.debian.org providing this custom --defaults-file functionality: https://salsa.debian.org/zigo/automysqlbackup/-/merge_requests/2


Best regards!

--
Paweł Tomulik
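
The two points in the report, as an added example that is not part of the original message or of automysqlbackup: a check that a custom defaults file is private before it is handed to mysqldump, and a check that flags argument lists which would put the password in the process list. The function names, the sample file and its contents are constructed for illustration; GNU `stat` is assumed, as on Debian.

```shell
#!/bin/sh
# Added example; not automysqlbackup code. Function names are hypothetical.

# Print the option for mysqldump, or fail if the credentials file is unsafe.
# mysql client tools require --defaults-file to be the first option given.
defaults_file_opt() {
    local f mode
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] || { echo "not a regular file: $f" >&2; return 1; }
    mode=$(stat -c '%a' "$f") || return 1      # GNU stat (assumption)
    # The file holds a password: reject any group/other permission bits.
    case "$mode" in
        *00) ;;
        *) echo "refusing $f: mode $mode allows group/other access" >&2; return 1 ;;
    esac
    printf '%s%s\n' '--defaults-file=' "$f"
}

# Return 0 if an argument list would expose a password via the process list
# (--password=VALUE or -pVALUE); -P (port) and --protocol are not matched.
args_expose_password() {
    local a
    for a in "$@"; do
        case "$a" in
            --password=?*|-p?*) return 0 ;;
        esac
    done
    return 1
}

demo() {
    local d
    d=$(mktemp -d) || return 1
    # Constructed sample credentials file, created with mode 600.
    ( umask 077
      printf '[client]\nuser=backup\npassword=constructed-example\n' > "$d/backup.cnf" )
    defaults_file_opt "$d/backup.cnf"
    chmod 644 "$d/backup.cnf"
    defaults_file_opt "$d/backup.cnf" || echo "rejected after chmod 644"
    args_expose_password mysqldump --user=backup --password=constructed-example db \
        && echo "password visible in process list"
    rm -rf "$d"
}
demo
```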
