maria-developers team mailing list archive

Re: [Commits] 063967b: MDEV-9081 - Debian: insecure debian-sys-maint password handling


Hi, Sergey!

On Dec 21, Sergey Vojtovich wrote:
> On Mon, Dec 21, 2015 at 01:45:27PM +0100, Sergei Golubchik wrote:
> > > > besides, what's the plan for moving to unix_socket auth?
> > > Strictly speaking there is no plan. If you're asking for my opinion: I like it.
> > > I'd avoid such massive changes to not very well tested scripts in GA versions.
> > > 10.2 seems to be a reasonable target version.
> > > 
> > > I could probably do that over the next week, or some time in February/March.
> > 
> > my point was - if unix_socket comes soon, why bother fixing these
> > issues? and if not, then "will be solved by unix_socket" is not an
> > excuse we can use.
> I'm fine if we agree to port unix socket to 10.2 and leave previous versions
> unfixed.

Okay, let's do that.

Let's just push the chmod fix, it's the only security-relevant issue in
your MDEV. But now I'm thinking that your fix isn't bullet-proof either,
it makes the window smaller but doesn't eliminate it.

A safe version could be something like

   sh -c 'umask 0077 && touch /secret/file'
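
Added example, not part of the original message and not the project's code: it contrasts a create-then-chmod sequence with the umask-first creation suggested above, and reports the file mode that is visible at the moment of creation. The function names, the 0022 default umask and the temporary paths are assumptions for illustration; the commit under review is not shown on this page.

```shell
#!/bin/sh
# Constructed example: names and paths are placeholders, not Debian's maintainer scripts.

# Print the permission string of a file, e.g. -rw-------
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Create-then-chmod: the file exists with umask-default permissions until
# chmod runs. Prints the mode another local user could see in that window.
create_then_chmod() {
    f=$1
    rm -f "$f"
    (
        umask 0022          # assumed system default
        : > "$f"            # file is created here, world-readable
        mode_of "$f"        # mode inside the race window
        chmod 0600 "$f"     # the window closes only now
    )
}

# umask-first: the restrictive mask applies at creation, so the file never
# exists with wider permissions. The subshell keeps the umask change local.
create_with_umask() {
    f=$1
    rm -f "$f"              # an existing file would keep its old, wider mode
    (
        umask 0077
        : > "$f"
        mode_of "$f"
    )
}

# Write a secret into a file that is private from the moment it is created.
write_secret() {
    f=$1
    secret=$2
    rm -f "$f"
    ( umask 0077 && printf '%s\n' "$secret" > "$f" )
}

# Demo on constructed temporary files.
demo_dir=$(mktemp -d)
echo "create-then-chmod, mode during window: $(create_then_chmod "$demo_dir/a")"
echo "umask-first, mode at creation:         $(create_with_umask "$demo_dir/b")"
rm -rf "$demo_dir"
```

Note that umask only affects newly created files: redirecting into a file that already exists leaves its previous mode in place, which is why each function removes the target first.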
