maria-developers team mailing list archive
-
maria-developers team
-
Mailing list archive
-
Message #09125
Re: [Commits] 063967b: MDEV-9081 - Debian: insecure debian-sys-maint password handling
Hi, Sergey!
On Dec 21, Sergey Vojtovich wrote:
> On Mon, Dec 21, 2015 at 01:45:27PM +0100, Sergei Golubchik wrote:
>
> > > > besides, what the plan for moving to unix_socket auth?
> > > Strictly speaking there is no plan. If you're asking for my opinion: I like it.
> > > I'd avoid such massive changes to not very well tested scripts in GA versions.
> > > 10.2 seem to be reasonable target version.
> > >
> > > I could probably do that over the next week, or some time in February/March.
> >
> > my point was - if unix_socket comes soon, why bother fixing these
> > issues? and it not, then "will be solved by unix_socket" is not an
> > excuse we can use.
> I'm fine if we agree to port unix socket to 10.2 and leave previous versions
> unfixed.
Okay, let's do that.
Let's just push the chmod fix, it's the only security-relevant issue in
your MDEV. But now I'm thinking that your fix isn't bullet-proof either,
it makes the window smaller but doesn't eliminate it.
A safe version could be something like
sh -c 'umask 0077 && touch /secret/file'
Regards,
Sergei
Follow ups
References