maria-developers team mailing list archive
-
maria-developers team
-
Mailing list archive
-
Message #09121
Re: [Commits] 063967b: MDEV-9081 - Debian: insecure debian-sys-maint password handling
Hi, Sergey!
On Dec 21, Sergey Vojtovich wrote:
> revision-id: 063967b1e447f0fc908a1ec0224fd7c1d268bf17 (mariadb-10.1.9-25-g063967b)
> parent(s): 370ab48e9fcf4bc15ffa5e313fc34aa97981a832
> committer: Sergey Vojtovich
> timestamp: 2015-12-21 14:40:41 +0400
> message:
>
> MDEV-9081 - Debian: insecure debian-sys-maint password handling
>
> Set file permission before password is actually written. This is a quick fix
> to close security gap. To be replaced by MDEV-8375 - passwordless root login.
>
> diff --git a/debian/mariadb-server-10.1.postinst b/debian/mariadb-server-10.1.postinst
> index 0f35802..069c25e 100644
> --- a/debian/mariadb-server-10.1.postinst
> +++ b/debian/mariadb-server-10.1.postinst
> @@ -158,6 +158,8 @@ EOF
> pass=`perl -e 'print map{("a".."z","A".."Z",0..9)[int(rand(62))]}(1..16)'`;
> if [ ! -d "$mysql_cfgdir" ]; then install -o 0 -g 0 -m 0755 -d $mysql_cfgdir; fi
> cat /dev/null > $dc
> + chown 0:0 $dc
is that needed?
(not that it hurts, but still...)
> + chmod 0600 $dc
ok. what about other issues you've mentioned in this MDEV-9081?
besides, what the plan for moving to unix_socket auth?
> echo "# Automatically generated for Debian scripts. DO NOT TOUCH!" >>$dc
> echo "[client]" >>$dc
> echo "host = localhost" >>$dc
Regards,
Sergei
Chief Architect MariaDB
and security@xxxxxxxxxxx
--
Vote for my Percona Live 2016 talks:
https://www.percona.com/live/data-performance-conference-2016/sessions/mariadb-connectors-fast-and-smart-new-protocol-optimizations#community-voting
https://www.percona.com/live/data-performance-conference-2016/sessions/mariadb-101-security-validation-authentication-encryption#community-voting
Follow ups