Anant Verma added a comment - 2022-08-23 18:19 I'd like to work on this.

Anant Verma added a comment - 2022-08-23 18:21 To confirm, the prepare function should also create and add permissions to the output file, right?

MG added a comment - 2022-08-23 19:26 Yes, the problem is that the $output file doesn't get the chmod and is world readable while `mariadb-secure-installation` is running. After launching `mariadb-secure-installation` and hitting <enter> for no password (first question), we can see: [root@cent7 ~]# ls -la .my* | grep -v .mysql_history -rw-------. 1 root root 70 Aug 23 19:11 .my.cnf.2257 -rw-r--r--. 1 root root 130 Aug 23 19:11 .my.output.2257 -rw-------. 1 root root 32 Aug 23 19:11 .mysql.2257 [root@cent7 ~]# cat .my.output.2257 CREATE USER for root@localhost CREATE USER `root`@`localhost` IDENTIFIED VIA mysql_native_password USING 'invalid' OR unix_socket [root@cent7 ~]# Above, the read bits are less secure for `.my.output.2257` than other files but so far there is no sensitive content in the file. If we answer no for "Switch to unix_socket authentication [Y/n] " it prompts for "Change the root password? [Y/n] ". After answering yes to change the password, there is a moment where the password hash is in the file, eg: [root@cent7 ~]# tail -F .my.output.2472 CREATE USER for root@localhost CREATE USER `root`@`localhost` IDENTIFIED VIA mysql_native_password USING '*F97AEB38B3275C06D822FC9341A2151642C81988' OR unix_socket tail: .my.output.2472: file truncated tail: ‘.my.output.2472’ has become inaccessible: No such file or directory This isn't a problem for the files $config and $command because the prepare() function calls chmod on them before they are used. It should be safe after doing this for $output in prepare because the file is truncated/written later in `do_query()` but never explicitly rm/create: $mysql_command --defaults-file=$config $defaults_extra_file $no_defaults $args <$command >$output

Debjyoti Ghosh added a comment - 2023-03-04 06:08 - edited I am working on this issue. So, only adding chmod 600 after the output file creation in prepare() function to allow only owner read and write access is the requirement as per my understanding.

MG added a comment - 2023-03-04 06:30 - edited @Debjyoti Three files are defined as variables early in the script: config=".my.cnf.$$" command=".mysql.$$" output=".my.output.$$" Later, the prepare() function creates two of these files with the touch command and then improves security of those two files with the chmod command. The issue here is that $output is not also created in this way, but instead the file first exists when the do_query() function runs and appends to (creates) this file, resulting in file permissions based on the user shell's default umask .

Debjyoti Ghosh added a comment - 2023-03-04 06:42 - edited yes, found it, but i am not able to run the mariadb-secure-installation script. Even if i make the code change, how can i test this, any idea?

MG added a comment - 2023-03-04 07:07 @Debjyoti You can install MariaDB on a Unix-like system such as Linux or MacOS: https://mariadb.com/kb/en/binary-packages/ Afterward, the shell script mysql_secure_installation / mariadb-secure-installation will be available for use as a post-install tool: https://mariadb.com/kb/en/mysql_secure_installation/