Details
-
Bug
-
Status: Closed (View Workflow)
-
Major
-
Resolution: Fixed
-
5.5, 10.0, 10.1
-
None
-
10.1.10
Description
There's this code in debian/mariadb-server-10.1.postinst script:
dc=$mysql_cfgdir/debian.cnf;
|
if [ -e "$dc" -a -n "`fgrep mysql_upgrade $dc 2>/dev/null`" ]; then
|
pass="`sed -n 's/^[ ]*password *= *// p' $dc | head -n 1`"
|
else
|
pass=`perl -e 'print map{("a".."z","A".."Z",0..9)[int(rand(62))]}(1..16)'`;
|
if [ ! -d "$mysql_cfgdir" ]; then install -o 0 -g 0 -m 0755 -d $mysql_cfgdir; fi
|
cat /dev/null > $dc
|
echo "# Automatically generated for Debian scripts. DO NOT TOUCH!" >>$dc
|
echo "[client]" >>$dc
|
echo "host = localhost" >>$dc
|
echo "user = debian-sys-maint" >>$dc
|
echo "password = $pass" >>$dc
|
echo "socket = $mysql_rundir/mysqld.sock" >>$dc
|
echo "[mysql_upgrade]" >>$dc
|
echo "host = localhost" >>$dc
|
echo "user = debian-sys-maint" >>$dc
|
echo "password = $pass" >>$dc
|
echo "socket = $mysql_rundir/mysqld.sock" >>$dc
|
echo "basedir = /usr" >>$dc
|
fi
|
# If this dir chmod go+w then the admin did it. But this file should not.
|
chown 0:0 $dc
|
chmod 0600 $dc
|
|
|
replace_query=`/bin/echo -e \
|
"USE mysql;\n" \
|
"SET sql_mode='';\n" \
|
"REPLACE INTO user SET " \
|
" host='localhost', user='debian-sys-maint', password=password('$pass'), " \
|
" Select_priv='Y', Insert_priv='Y', Update_priv='Y', Delete_priv='Y', " \
|
" Create_priv='Y', Drop_priv='Y', Reload_priv='Y', Shutdown_priv='Y', " \
|
" Process_priv='Y', File_priv='Y', Grant_priv='Y', References_priv='Y', " \
|
" Index_priv='Y', Alter_priv='Y', Super_priv='Y', Show_db_priv='Y', "\
|
" Create_tmp_table_priv='Y', Lock_tables_priv='Y', Execute_priv='Y', "\
|
" Repl_slave_priv='Y', Repl_client_priv='Y', Create_view_priv='Y', "\
|
" Show_view_priv='Y', Create_routine_priv='Y', Alter_routine_priv='Y', "\
|
" Create_user_priv='Y', Event_priv='Y', Trigger_priv='Y',"\
|
" ssl_cipher='', x509_issuer='', x509_subject='';"`;
|
|
|
db_get mysql-server/root_password && rootpw="$RET"
|
if ! set_mysql_rootpw; then
|
password_error="yes"
|
fi
|
|
|
set +e
|
echo "$replace_query" | $MYSQL_BOOTSTRAP 2>&1 | $ERR_LOGGER
|
set -e
|
On initial installation it creates world-readable /etc/mysql/debian.cnf, writes a password and then revokes privileges. This makes little theoretical gap when attacker may intercept debian-sys-maint password.
Also password goes via a number of echo calls. It might be alright since echo is bash builtin. But echo has rather poor reputation as a tool for handling passwords.
In addition to that REPLACE statement against mysqld --bootstrap is used to update password:
- it bypasses password validation plugins
- it bypasses audit plugins
- it increases installation time (it has to run rather heavy mysqld)
- as well as it increases mysqld downtime
- it may fail if database has some plugin specific configs (see
MDEV-8437)
