[Nagiosplug-devel] [ nagiosplug-Bugs-2531905 ] check_mysql does not properly handle passwords in from file.

SourceForge.net noreply at sourceforge.net
Sat Jan 24 01:03:45 CET 2009


Bugs item #2531905, was opened at 2009-01-23 18:13
Message generated for change (Comment added) made by dermoth
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=397597&aid=2531905&group_id=29880

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: Argument processing
Group: Release (specify)
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Ben Timby (btimby)
Assigned to: Nobody/Anonymous (nobody)
Summary: check_mysql does not properly handle passwords in from file.

Initial Comment:
-----------------
     PROBLEM
-----------------
The mysql client can use a password from a configuration file. This feature is nice as it keeps the password off of the command line.

The check_mysql function does not allow for this. Even though the program informs you via a warning that passing the password on the command line is insecure, it does not allow for the best alternative.

According to mysql, the mysql_connect() and mysql_real_connect() both allow a value of NULL to be given for the password.

http://dev.mysql.com/doc/refman/5.1/en/mysql-real-connect.html

In this case, if a password was read from the option file, it will be used for authentication. The constant "" is used in the case of NO password.

Right now, check_mysql, in the validate_arguments() function sets the value of db_pass to "" if it was not provided on the command line. This prevents the password configured in the option file from being used.

-----------------
   TEST CASE
-----------------
# vi $HOME/.my.cnf
[client]
password=foo
# ./check_mysql
Access denied for user 'root'@'localhost' (using password: NO)

-----------------
      PATCH
-----------------
The attached patch remedies this. It uses the same method as the mysql client to determine if NULL or "" should be used.

If -p is provided, without a value, then "" is used. If -p is omitted, then NULL is used. If -p is provided WITH a password, that password is used.

----------------------------------------------------------------------

>Comment By: Thomas Guyot-Sionnest (dermoth)
Date: 2009-01-23 19:03

Message:
Thanks for your patch. There's one thing though that I don't understand,
since it already sets db_pass to "" when null (last hunk of your patch does
it), why do you need to do this using -p?

Can you explain the difference between db_pass=NULL, ="" and =<password>,
or point me to the right place in the libmysql documentation?

You should also be aware that you can also use the extra-opts feature to
use a file for the password argument (you need to enable it with configure;
I know some packages enable it by default), although I highly suggest using
the latest snapshot until the 1.4.14 release as there have been some
important fixes since 1.4.13.

----------------------------------------------------------------------
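
The three cases described in the report (-p omitted, -p without a value, -p with a value), as an added C example that is neither the attached patch nor check_mysql's own code. resolve_db_pass() is a hypothetical helper; it assumes getopt_long() with the optional-argument form (-pVALUE or --password=VALUE), and the overwrite of the argv copy is an extra step not taken from the report.

```c
/* Added example, not the attached patch: maps the -p option to the value
 * that would be passed as the passwd argument of mysql_real_connect(). */
#include <getopt.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns NULL when -p is absent (libmysqlclient may then use a password
 * read from the option file), "" when -p has no value (connect with no
 * password), or a heap copy of the value given on the command line. */
char *resolve_db_pass(int argc, char **argv)
{
    static const struct option longopts[] = {
        {"password", optional_argument, NULL, 'p'},
        {NULL, 0, NULL, 0}
    };
    char *db_pass = NULL;   /* default: not given on the command line */
    int c;

    optind = 1;             /* restart scanning so the helper is reusable */
    opterr = 0;             /* stay quiet about options not handled here */
    while ((c = getopt_long(argc, argv, "p::", longopts, NULL)) != -1) {
        if (c != 'p')
            continue;
        free(db_pass);
        size_t len = optarg ? strlen(optarg) : 0;
        db_pass = malloc(len + 1);
        if (db_pass == NULL)
            abort();
        memcpy(db_pass, optarg ? optarg : "", len);
        db_pass[len] = '\0';
        if (optarg)
            memset(optarg, 'x', len);   /* shorten exposure in ps output */
    }
    return db_pass;
}

int main(int argc, char **argv)
{
    char *db_pass = resolve_db_pass(argc, argv);
    printf("passwd argument: %s\n",
           db_pass == NULL ? "NULL (option file may supply it)"
           : *db_pass == '\0' ? "\"\" (no password)"
           : "value from command line");
    free(db_pass);
    return 0;
}
```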
