[Nagiosplug-devel] [ nagiosplug-Bugs-2531905 ] check_mysql does not properly handle passwords in from file.

SourceForge.net noreply at sourceforge.net
Wed Feb 11 14:28:50 CET 2009

Bugs item #2531905, was opened at 2009-01-23 18:13
Message generated for change (Comment added) made by btimby
You can respond by visiting: 

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: Argument proccessing
Group: Release (specify)
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Ben Timby (btimby)
Assigned to: Nobody/Anonymous (nobody)
Summary: check_mysql does not properly handle passwords in from file.

Initial Comment:
The mysql client can use a password from a configuration file. This feature is nice as it keeps the password off of the command line.

The check_mysql function does not allow for this. Even though the program informs you via a warning that passing the password on the command line is insecure. It does not allow for the best alternative.

According to mysql, the mysql_connect() and mysql_real_connect() both allow a value of NULL to be given for the password.


In this case, if a password was read from the option file, it will be used for authentication. The constant "" is used in the case of NO password.

Right now, check_mysql, in the validate_arguments() function sets the value of db_pass to "" if it was not provided on the command line. This prevents the password configured in the option file from being used.

# vi $HOME/.my.cnf
# ./check_mysql
Access denied for user 'root'@'localhost' (using password: NO)

The attached patch remedies this. It uses the same method as the mysql client to determine if NULL or "" should be used.

If -p is provided, without a value, then "" is used. If -p is omitted, then NULL is used. If -p is provided WITH a password, that password is used.


>Comment By: Ben Timby (btimby)
Date: 2009-02-11 08:28

Hopefully that last post clears up your questions, if not here is a short

While the check_mysql plugin always called mysql_options(), it also always
set db_pass to "". This caused the password from the file to be ignored as
the password was explicitly set to "".

To counteract this, I modified the source so that if the -p parameter is
omitted, then db_pass is left as NULL. If the -p parameter is provided, but
no password is provided, then db_pass is set to "" (like before). If a
password is provided as an argument to -p, then that value is copied to


Comment By: Ben Timby (btimby)
Date: 2009-02-11 08:22

dermoth, I think you read the patch wrong. The last hunk REMOVES the
setting of db_pass to null when it is ''. That was basically the whole
problem :-).

@@ -361,9 +365,6 @@
 	if (db_host == NULL)
 		db_host = strdup("");
-	if (db_pass == NULL)
-		db_pass = strdup("");
 	if (db == NULL)
 		db = strdup("");

The difference between '', NULL and <password> is explained at the link I
sent in my original bug report:


I reproduce the relevant part below...

 For some parameters, it is possible to have the value taken from an
option file rather than from an explicit value in the mysql_real_connect()
call. To do this, call mysql_options() with the MYSQL_READ_DEFAULT_FILE or
MYSQL_READ_DEFAULT_GROUP option before calling mysql_real_connect(). Then,
in the mysql_real_connect() call, specify the “no-value” value for each
parameter to be read from an option file:

    *  For passwd, specify a value of NULL. (For the password, a value of
the empty string in the mysql_real_connect() call cannot be overridden in
an option file, because the empty string indicates explicitly that the
MySQL account must have an empty password.)


Comment By: Thomas Guyot-Sionnest (dermoth)
Date: 2009-01-23 19:03

Thanks for your patch. There's one thing though that I don't understand,
since it already sets db_pass to "" when null (last hunk of your patch does
it), why do you need to do this using -p?

Can you explain the difference between db_pass=NULL, ="" and =<password>,
or point me to the right place in the libmysql documentation?

You should also be aware that you can also use the extra-opts feature to
use a file for the password argument (you need to enable it with configure;
I know some packages enable it by default), although I highly suggest to
use the latest snapshot until the 1.4.14 release as there have been some
important fixes since 1.4.13.


You can respond by visiting: 

More information about the Devel mailing list