Uploaded image for project: 'MariaDB ColumnStore'
  1. MariaDB ColumnStore
  2. MCOL-4714

Columnstore cross_engine user can be seen by unprivileged user

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed (View Workflow)
    • Priority: Critical
    • Resolution: Duplicate
    • Affects Version/s: 5.5.2
    • Fix Version/s: 5.6.1
    • Component/s: installation
    • Labels:
    • Environment:
      Ubuntu 18.04, n.a.
      $ mysqld --version
      mysqld Ver 10.5.10-MariaDB-1:10.5.10+maria~bionic for debian-linux-gnu on x86_64 (mariadb.org binary distribution)

      Description

      An unprivileged user can see the cross_engine user's password:

      oli@ubuntu1804:~$ mcsGetConfig -v -a | grep Cross
      CrossEngineSupport.Host = 127.0.0.1
      CrossEngineSupport.Port = 3306
      CrossEngineSupport.User = cross_engine
      CrossEngineSupport.Password = secret

      oli@ubuntu1804:~$ ll /etc/columnstore/Columnstore.xml
      rw-rr- 1 root root 19169 May 11 11:17 /etc/columnstore/Columnstore.xml

      oli@ubuntu1804:~$ grep Password /etc/columnstore/Columnstore.xml
      <Password>secret</Password>

      The reason for this seems to be the sticky bit on the directory columnstore:

      $ ll -d c*
      drwxr-xr-x 2 root root 4096 Jul 12 2018 calendar/
      drwxr-xr-t 2 mysql mysql 4096 May 11 11:17 columnstore/
      drwxr-xr-x 2 root root 4096 Dec 15 2019 console-setup/

      $ file columnstore
      columnstore: sticky, directory

      and for others readable files:

      root@ubuntu1804:/etc/columnstore# ll
      rw-rr- 1 root root 19169 May 11 11:17 Columnstore.xml
      rw-rr- 1 mysql mysql 19145 May 11 10:12 Columnstore.xml-20210511
      rw-rw-rw 1 root root 19153 May 11 11:17 Columnstore.xml.columnstoreSave
      rw-rr- 1 mysql mysql 15372 May 5 23:00 ErrorMessage.txt
      rw-rr- 1 mysql mysql 5619 May 5 23:00 MessageFile.txt
      rw-rr- 1 mysql mysql 7456 May 5 23:03 storagemanager.cnf

      After removing privileges on those files:

      root@ubuntu1804:/etc/columnstore# chmod o-rw *

      it looks a bit better. But logging in a non privileged user throws and error not seen before:

      root@ubuntu1804:/etc/columnstore# su - oli
      grep: /etc/columnstore/cmapi_server.conf: No such file or directory

      oli@ubuntu1804:~$ grep secret /etc/columnstore/Columnstore.xml
      grep: /etc/columnstore/Columnstore.xml: Permission denied

      oli@ubuntu1804:~$ ll /etc/columnstore/Columnstore.xml
      rw-r---- 1 root root 19169 May 11 11:17 /etc/columnstore/Columnstore.xml

      oli@ubuntu1804:~$ mcsGetConfig -v -a
      oli@ubuntu1804:~$ echo $?
      0

      Possibly I would expect an error here???

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              Unassigned
              Reporter:
              oli Oli Sennhauser
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:

                  Git Integration