From cb66c67fe206dbcfd8969d7160a63f23e2b4e779 Mon Sep 17 00:00:00 2001
From: Sveta Smirnova
Date: Fri, 16 Jan 2026 16:38:26 +0300
Subject: [PATCH] PT-23 - ps files in pt-stalk samples disclose MySQL password
- Added password-related warnings into the documentation
---
 bin/pt-stalk | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/bin/pt-stalk b/bin/pt-stalk
index aa9a53b2..7cd898ed 100755
--- a/bin/pt-stalk
+++ b/bin/pt-stalk
@@ -1848,8 +1848,7 @@ if [ "${0##*/}" = "$TOOL" ] \
 EXT_ARGV="$(arrange_mysql_options "$EXT_ARGV $MYSQL_ARGS")"
 # Test if MySQL password provided on command line; warn if so.
- # Matches: --password=VALUE or -pVALUE (short form with no space)
- if [ -n "$OPT_PASSWORD" ] || $(echo "$EXT_ARGV" | grep -qP "(--password=.+?)|(^|\s)-p[^\s-]+(\s|$)"); then
+ if [ -n "$OPT_PASSWORD" ] || $(echo "$EXT_ARGV" | grep -qP "(\-\-password=)|((^|\s)+\-p[^\s]+)"); then
 log 'Providing MySQL password on the command line interface is insecure. It will be visible in the operating system process list and stored in the collected output of the ps command. Consider using a configuration file or the --ask-pass option instead.';
 fi
@@ -1948,6 +1947,8 @@ server. Before using this tool, please:
 =item * Backup your production server and verify the backups
+=item * Do NOT provide the MySQL password on the command line with the L<"--password"> option. MySQL passwords provided on the command line are visible to all users on the system and are stored in the collected output of the C<"ps"> command. Use a MySQL option file or the L<"--ask-pass"> option instead.
+
 =back
 =head1 DESCRIPTION 
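Review bot: The new condition still wraps the grep pipeline in `$( … )`, so the right-hand side of `||` executes an empty command and only yields the grep status because bash falls back to the last command substitution's exit code when no command name remains; a plain pipeline, `if [ -n "$OPT_PASSWORD" ] || echo "$EXT_ARGV" | grep -qP "(\-\-password=)|((^|\s)+\-p[^\s]+)"; then`, tests `grep -q` directly without relying on that corner of the shell. The hunk also deletes the `# Matches:` comment while loosening the pattern (`[^\s-]+` and the trailing `(\s|$)` anchor are gone, `--password=` now matches with an empty value), so a replacement comment such as `# Matches --password=VALUE (any value, including empty) or -pVALUE with no space; a bare -p or --password prompts and is not flagged` should accompany the new regex, and `(^|\s)+` can simply be `(^|\s)`. Note that this only warns after the fact: whatever writes the collected `ps` sample is outside this hunk, and if it records the argument list verbatim the password named in the subject still lands on disk, so masking the `-p…`/`--password=…` token in that output would close the actual disclosure. The enclosing `if [ "${0##*/}" = "$TOOL" ]` block starts and ends outside the hunk.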
@@ -2274,6 +2275,10 @@ short form: -p; type: string
 Password to use when connecting. If password contains commas they must be escaped with a backslash: "exam\,ple"
+B: Providing the password on the command line is insecure. The password will
+be visible to all users on the system and will be stored in the collected output of
+the C<"ps"> command. Use a MySQL option file or the L<"--ask-pass"> option instead.
+
 =item --pid
 type: string; default: /var/run/pt-stalk.pid