maria-developers team mailing list archive

Re: [Commits] 063967b: MDEV-9081 - Debian: insecure debian-sys-maint password handling

Hi Sergei,

On Mon, Dec 21, 2015 at 12:50:05PM +0100, Sergei Golubchik wrote:
> Hi, Sergey!
> 
> On Dec 21, Sergey Vojtovich wrote:
> > revision-id: 063967b1e447f0fc908a1ec0224fd7c1d268bf17 (mariadb-10.1.9-25-g063967b)
> > parent(s): 370ab48e9fcf4bc15ffa5e313fc34aa97981a832
> > committer: Sergey Vojtovich
> > timestamp: 2015-12-21 14:40:41 +0400
> > message:
> > 
> > MDEV-9081 - Debian: insecure debian-sys-maint password handling
> > 
> > Set file permission before password is actually written. This is a quick fix
> > to close security gap. To be replaced by MDEV-8375 - passwordless root login.
> > 
> > diff --git a/debian/mariadb-server-10.1.postinst b/debian/mariadb-server-10.1.postinst
> > index 0f35802..069c25e 100644
> > --- a/debian/mariadb-server-10.1.postinst
> > +++ b/debian/mariadb-server-10.1.postinst
> > @@ -158,6 +158,8 @@ EOF
> >  	pass=`perl -e 'print map{("a".."z","A".."Z",0..9)[int(rand(62))]}(1..16)'`;
> >          if [ ! -d "$mysql_cfgdir" ]; then install -o 0 -g 0 -m 0755 -d $mysql_cfgdir; fi
> >          cat /dev/null > $dc
> > +        chown 0:0 $dc
> 
> is that needed?
> (not that it hurts, but still...)
Not needed because this script is always executed by root? Not sure, I just
copied this from a few lines below.

> 
> > +        chmod 0600 $dc
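Review bot: `cat /dev/null > $dc` on the line above still creates `$dc` with whatever mode the caller's umask yields, and it is only tightened on the following `chmod 0600 $dc` line; creating the file restricted from the start, e.g. `( umask 077; cat /dev/null > "$dc" )` or `install -o 0 -g 0 -m 0600 /dev/null "$dc"`, removes that window and is consistent with the `install -o 0 -g 0 -m 0755 -d` call used for the directory two lines earlier. Keep the `chmod` regardless, since truncating a pre-existing `$dc` keeps its old mode. `$dc` is also unquoted throughout; quoting it costs nothing. Separately, the context line shows the password generated with Perl's `rand`, which is not a cryptographically secure generator; that is outside this change but worth a follow-up issue.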
> 
> ok. what about other issues you've mentioned in this MDEV-9081?
echo, while it has a bad reputation, seems to be more or less alright. At least I
couldn't intercept it.

REPLACE is not solved, but will be solved by unix_socket auth.

> besides, what the plan for moving to unix_socket auth?
Strictly speaking there is no plan. If you're asking for my opinion: I like it.
I'd avoid such massive changes to not very well tested scripts in GA versions.
10.2 seems to be a reasonable target version.

I could probably do that over the next week, or some time in February/March.

Thanks,
Sergey
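As an added example (not code from the patch or from MariaDB's packaging scripts), the ordering the commit message describes, carried one step further: the credentials file is created already restricted via `umask`, the mode is verified, and only then is the secret written. `write_secret_file` and `file_mode` are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not MariaDB's postinst: create a credentials file so that it
# is never readable by others, even briefly, by restricting the umask before
# the file exists instead of relying on a chmod after the secret is written.

# Print the octal permission bits of a file (GNU stat, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# write_secret_file FILE SECRET
# Creates FILE with mode 0600 from the start, then writes SECRET into it.
# Assumption: FILE lives in a directory the caller already controls.
write_secret_file() {
    file=$1
    secret=$2
    (
        umask 077                 # files created here get 0600
        : > "$file" || exit 1     # create or truncate; mode is already 0600
    ) || return 1
    # If FILE pre-existed with a wider mode, truncation kept that mode, so
    # fix it before any secret is written (the step the MDEV-9081 patch adds).
    chmod 0600 "$file" || return 1
    # Refuse to write the secret unless the mode is really what we expect.
    [ "$(file_mode "$file")" = "600" ] || return 1
    printf '[client]\npassword = %s\n' "$secret" > "$file"
}
```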