[MDEV-28823] mariadb-secure-installation chmod sql output file Created: 2022-06-13  Updated: 2023-03-04

Status: Open
Project: MariaDB Server
Component/s: Scripts & Clients
Affects Version/s: 10.6
Fix Version/s: None

Type: Bug Priority: Major
Reporter: MG Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: beginner-friendly


 Description   

The prepare() function should include $output along with $config and $command.



 Comments   
Comment by Anant Verma [ 2022-08-23 ]

I'd like to work on this.

Comment by Anant Verma [ 2022-08-23 ]

To confirm, the prepare function should also create and add permissions to the output file, right?

Comment by MG [ 2022-08-23 ]

Yes, the problem is that the $output file doesn't get the chmod and is world readable while `mariadb-secure-installation` is running.

After launching `mariadb-secure-installation` and hitting <enter> for no password (first question), we can see:

    [root@cent7 ~]# ls -la .my* | grep -v .mysql_history
    -rw-------. 1 root root  70 Aug 23 19:11 .my.cnf.2257
    -rw-r--r--. 1 root root 130 Aug 23 19:11 .my.output.2257
    -rw-------. 1 root root  32 Aug 23 19:11 .mysql.2257
    [root@cent7 ~]# cat .my.output.2257
    CREATE USER for root@localhost
    CREATE USER `root`@`localhost` IDENTIFIED VIA mysql_native_password USING 'invalid' OR unix_socket
    [root@cent7 ~]#

Above, the read bits are less secure for `.my.output.2257` than other files but so far there is no sensitive content in the file.

If we answer no for "Switch to unix_socket authentication [Y/n]" it prompts for "Change the root password? [Y/n]". After answering yes to change the password, there is a moment where the password hash is in the file, e.g.:

    [root@cent7 ~]# tail -F .my.output.2472
    CREATE USER for root@localhost
    CREATE USER `root`@`localhost` IDENTIFIED VIA mysql_native_password USING '*F97AEB38B3275C06D822FC9341A2151642C81988' OR unix_socket
    tail: .my.output.2472: file truncated
    tail: ‘.my.output.2472’ has become inaccessible: No such file or directory

This isn't a problem for the files $config and $command because the prepare() function calls chmod on them before they are used. It should be safe after doing this for $output in prepare because the file is truncated/written later in `do_query()` but never explicitly rm/create:

    $mysql_command --defaults-file=$config $defaults_extra_file $no_defaults $args <$command >$output

Comment by Debjyoti Ghosh [ 2023-03-04 ]

I am working on this issue.
So, only adding chmod 600 after the output file creation in the prepare() function, to allow only owner read and write access, is the requirement as per my understanding.

Comment by MG [ 2023-03-04 ]

@Debjyoti Three files are defined as variables early in the script:

    config=".my.cnf.$$"
    command=".mysql.$$"
    output=".my.output.$$"

Later, the prepare() function creates two of these files with the touch command and then improves security of those two files with the chmod command.

The issue here is that $output is not also created in this way, but instead the file first exists when the do_query() function runs and appends to (creates) this file, resulting in file permissions based on the user shell's default umask.
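
The permission difference described in the comments above, reproduced as an added example (not the project's script and not part of any comment): a file first created by `>` takes its mode from the umask, while a file pre-created with mode 600 keeps it across truncating writes. The function names `prepare_reported`, `prepare_proposed`, `do_query_sketch` and `output_mode_after` are hypothetical, and a umask of 022 is assumed.

```sh
#!/bin/sh
# Added example: a hypothetical sketch, not the mariadb-secure-installation source.
# File names follow the variables quoted in the thread; everything else is assumed.

config=".my.cnf.$$"
command=".mysql.$$"
output=".my.output.$$"

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Reported behaviour: only $config and $command are pre-created.
prepare_reported() {
    touch "$config" "$command"
    chmod 600 "$config" "$command"
}

# Proposed behaviour: $output gets the same treatment. The file is still
# empty between touch and chmod, so nothing sensitive is exposed there.
prepare_proposed() {
    touch "$config" "$command" "$output"
    chmod 600 "$config" "$command" "$output"
}

# Stand-in for do_query(): stdout is redirected with ">", which creates the
# file if it is missing or truncates it in place if it already exists.
do_query_sketch() {
    echo "CREATE USER for root@localhost (constructed sample output)" >"$output"
}

# Run one prepare variant in a scratch directory under umask 022, issue two
# queries, and print the resulting mode of $output.
output_mode_after() {
    (
        umask 022
        dir=$(mktemp -d) && cd "$dir" || exit 1
        "$1" && do_query_sketch && do_query_sketch
        file_mode "$output"
        cd / && rm -rf "$dir"
    )
}

echo "reported prepare(): $(output_mode_after prepare_reported)"
echo "proposed prepare(): $(output_mode_after prepare_proposed)"
```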

Comment by Debjyoti Ghosh [ 2023-03-04 ]

Yes, found it, but I am not able to run the mariadb-secure-installation script.
Even if I make the code change, how can I test this? Any idea?

Comment by MG [ 2023-03-04 ]

@Debjyoti

You can install MariaDB on a Unix-like system such as Linux or macOS:

https://mariadb.com/kb/en/binary-packages/

Afterward, the shell script mysql_secure_installation / mariadb-secure-installation will be available for use as a post-install tool:

https://mariadb.com/kb/en/mysql_secure_installation/
