Mattermost Backup: Mysql Dump warning

Hi,

i activated the email alias for the root user of my ucs system. since then i am getting every day an email from the system with the following content:

/etc/cron.daily/mattermost-backup:
mysqldump: [Warning] Using a password on the command line interface can be insecure.

The reason seems to be that the password is hardcoded in the script file instead of reading it from e.g. ucr on the fly.
Would be great if this potential vulnerability could be fixed. I am unsure if i can just modify the script locally at my system, i assume it would be overwritten with the next update.

Kind Regards,

Tobias Lorentz

Hi @tobiaslorentz,

there is indeed a password hard coded in the backup cron. you can find the code creating this file at https://stash.z-hub.io/projects/K4U/repos/mattermost/browse/inst#183-195. As you can see there it is even a static password for all installations.

In my opinion this is less of a problem since the database server is part of the app and only reachable from inside of the app.

PS: reading the actual password on the fly from the ucr does not make it inherently more secure. after all the contents of the registry are also stored in plain text on the file system and said file is globally readable.

Hi @fbartels,

thanks for the explanation. I think then it isn’t really a security issue, but it is still annoying to get every day a warning via email. Can’t this warning be suppressed?

Kind Regards,

Tobias Lorentz

it probably sends an email since there was output generated by the cron job. so you could just redirect output to /dev/null. but that could also hide real errors.

The general better way would be to add an options file to the root user and store the password in there. see https://dev.mysql.com/doc/refman/8.0/en/password-security-user.html

If you want to work on this and provide a pull request I’ll see to get this reviewed and the Mattermost updated on the app center.

1 Like