[MCOL-4714] Columnstore cross_engine user can be seen by unprivileged user Created: 2021-05-11  Updated: 2021-05-13  Resolved: 2021-05-13

Status: Closed
Project: MariaDB ColumnStore
Component/s: installation
Affects Version/s: 5.5.2
Fix Version/s: 5.6.1

Type: Bug Priority: Critical
Reporter: Oli Sennhauser Assignee: Unassigned
Resolution: Duplicate Votes: 0
Labels: packaging
Environment:

Ubuntu 18.04, n.a.
$ mysqld --version
mysqld Ver 10.5.10-MariaDB-1:10.5.10+maria~bionic for debian-linux-gnu on x86_64 (mariadb.org binary distribution)

Issue Links:
Duplicate
duplicates MCOL-1175 CrossEngineSupport stores pw in free ... Closed

 Description   

An unprivileged user can see the cross_engine user's password:

oli@ubuntu1804:~$ mcsGetConfig -v -a | grep Cross
CrossEngineSupport.Host = 127.0.0.1
CrossEngineSupport.Port = 3306
CrossEngineSupport.User = cross_engine
CrossEngineSupport.Password = secret

oli@ubuntu1804:~$ ll /etc/columnstore/Columnstore.xml
rw-rr- 1 root root 19169 May 11 11:17 /etc/columnstore/Columnstore.xml

oli@ubuntu1804:~$ grep Password /etc/columnstore/Columnstore.xml
<Password>secret</Password>

The reason for this seems to be the sticky bit on the directory columnstore:

$ ll -d c*
drwxr-xr-x 2 root root 4096 Jul 12 2018 calendar/
drwxr-xr-t 2 mysql mysql 4096 May 11 11:17 columnstore/
drwxr-xr-x 2 root root 4096 Dec 15 2019 console-setup/

$ file columnstore
columnstore: sticky, directory

and for others readable files:

root@ubuntu1804:/etc/columnstore# ll
rw-rr- 1 root root 19169 May 11 11:17 Columnstore.xml
rw-rr- 1 mysql mysql 19145 May 11 10:12 Columnstore.xml-20210511
rw-rw-rw 1 root root 19153 May 11 11:17 Columnstore.xml.columnstoreSave
rw-rr- 1 mysql mysql 15372 May 5 23:00 ErrorMessage.txt
rw-rr- 1 mysql mysql 5619 May 5 23:00 MessageFile.txt
rw-rr- 1 mysql mysql 7456 May 5 23:03 storagemanager.cnf

After removing privileges on those files:

root@ubuntu1804:/etc/columnstore# chmod o-rw *

it looks a bit better. But logging in a non privileged user throws and error not seen before:

root@ubuntu1804:/etc/columnstore# su - oli
grep: /etc/columnstore/cmapi_server.conf: No such file or directory

oli@ubuntu1804:~$ grep secret /etc/columnstore/Columnstore.xml
grep: /etc/columnstore/Columnstore.xml: Permission denied

oli@ubuntu1804:~$ ll /etc/columnstore/Columnstore.xml
rw-r---- 1 root root 19169 May 11 11:17 /etc/columnstore/Columnstore.xml

oli@ubuntu1804:~$ mcsGetConfig -v -a
oli@ubuntu1804:~$ echo $?
0

Possibly I would expect an error here???

 Comments   
Comment by Oli Sennhauser [ 2021-05-11 ]

Found first impact:

MariaDB [test]> CREATE TABLE test (
-> id INT UNSIGNED NOT NULL
-> , data VARCHAR(128) DEFAULT NULL
-> , ts TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP
-> ) ENGINE = ColumnStore
-> ;
ERROR 1815 (HY000): Internal error: Config::Config: error accessing config file /etc/columnstore/Columnstore.xml

Comment by Oli Sennhauser [ 2021-05-11 ]

With a:
root@ubuntu1804:/etc/columnstore# chown mysql: *
it seems to work.

Generated at Thu Feb 08 02:52:25 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.