[MDEV-9081] Debian: insecure debian-sys-maint password handling Created: 2015-11-04  Updated: 2015-12-22  Resolved: 2015-12-22

Status: Closed
Project: MariaDB Server
Component/s: Packaging, Platform Debian
Affects Version/s: 5.5, 10.0, 10.1
Fix Version/s: 10.1.10

Type: Bug Priority: Major
Reporter: Sergey Vojtovich Assignee: Sergey Vojtovich
Resolution: Fixed Votes: 0
Labels: None

Issue Links:
Relates
relates to MDEV-8375 Debian: Passwordless mysqld root logi... Closed
relates to MDEV-8437 plugin variables conflict with bootst... Closed
Sprint: 10.1.10

Description

There's this code in debian/mariadb-server-10.1.postinst script:

    dc=$mysql_cfgdir/debian.cnf;
    if [ -e "$dc" -a -n "`fgrep mysql_upgrade $dc 2>/dev/null`" ]; then
        pass="`sed -n 's/^[     ]*password *= *// p' $dc | head -n 1`"
    else
        pass=`perl -e 'print map{("a".."z","A".."Z",0..9)[int(rand(62))]}(1..16)'`;
        if [ ! -d "$mysql_cfgdir" ]; then install -o 0 -g 0 -m 0755 -d $mysql_cfgdir; fi
        cat /dev/null > $dc
        echo "# Automatically generated for Debian scripts. DO NOT TOUCH!" >>$dc
        echo "[client]"                                                    >>$dc
        echo "host     = localhost"                                        >>$dc
        echo "user     = debian-sys-maint"                                 >>$dc
        echo "password = $pass"                                            >>$dc
        echo "socket   = $mysql_rundir/mysqld.sock"                        >>$dc
        echo "[mysql_upgrade]"                                             >>$dc
        echo "host     = localhost"                                        >>$dc
        echo "user     = debian-sys-maint"                                 >>$dc
        echo "password = $pass"                                            >>$dc
        echo "socket   = $mysql_rundir/mysqld.sock"                        >>$dc
        echo "basedir  = /usr"                                             >>$dc
    fi
    # If this dir chmod go+w then the admin did it. But this file should not.
    chown 0:0 $dc
    chmod 0600 $dc
 
    replace_query=`/bin/echo -e \
        "USE mysql;\n" \
        "SET sql_mode='';\n" \
        "REPLACE INTO user SET " \
        "  host='localhost', user='debian-sys-maint', password=password('$pass'), " \
        "  Select_priv='Y', Insert_priv='Y', Update_priv='Y', Delete_priv='Y', " \
        "  Create_priv='Y', Drop_priv='Y', Reload_priv='Y', Shutdown_priv='Y', " \
        "  Process_priv='Y',  File_priv='Y', Grant_priv='Y', References_priv='Y', " \
        "  Index_priv='Y', Alter_priv='Y', Super_priv='Y', Show_db_priv='Y', "\
        "  Create_tmp_table_priv='Y', Lock_tables_priv='Y', Execute_priv='Y', "\
        "  Repl_slave_priv='Y', Repl_client_priv='Y', Create_view_priv='Y', "\
        "  Show_view_priv='Y', Create_routine_priv='Y', Alter_routine_priv='Y', "\
        "  Create_user_priv='Y', Event_priv='Y', Trigger_priv='Y',"\
        "  ssl_cipher='', x509_issuer='', x509_subject='';"`;
 
    db_get mysql-server/root_password && rootpw="$RET"
    if ! set_mysql_rootpw; then
        password_error="yes"
    fi
 
    set +e
    echo "$replace_query"                                    | $MYSQL_BOOTSTRAP 2>&1 | $ERR_LOGGER
    set -e

On initial installation it creates /etc/mysql/debian.cnf world-readable, writes the password into it and only then restricts the permissions. This leaves a small theoretical window in which an attacker could read the debian-sys-maint password.

The password also passes through a number of echo calls. That may be acceptable since echo is a shell builtin, but echo has a rather poor reputation as a tool for handling passwords.

In addition, a REPLACE statement run against mysqld --bootstrap is used to set the password:

  • it bypasses password validation plugins
  • it bypasses audit plugins
  • it increases installation time (it has to start a rather heavy mysqld process)
  • it increases mysqld downtime
  • it may fail if the database has plugin-specific configuration (see MDEV-8437)
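Both problems above (the world-readable window while the file is written, and setting the password by rewriting mysql.user under --bootstrap) can be illustrated with the following POSIX shell snippet. It is an added example, not the MariaDB package's own postinst nor the fix that was merged: the credentials file is created under umask 077 inside a subshell, so it has mode 0600 from its first instant and is then moved into place, and the account is set up with a GRANT ... IDENTIFIED BY statement, which goes through the normal privilege layer where password validation and audit plugins see it. The function names, the temporary file name and the constructed password are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the MariaDB package's postinst): create a client
# credentials file that is never world-readable, and build the account
# statement through the privilege layer instead of REPLACE INTO mysql.user.
set -eu

# write_secret_cnf PATH PASSWORD
# The umask applies to the creation of the temporary file, so there is no
# window in which it exists as 0644; the password never goes through echo
# or a command line, only a heredoc read by cat.
write_secret_cnf() {
    dc="$1"
    pass="$2"
    tmp="$dc.tmp.$$"          # hypothetical temp name, same directory as $dc
    (
        umask 077
        cat > "$tmp" <<EOF
# Automatically generated for Debian scripts. DO NOT TOUCH!
[client]
host     = localhost
user     = debian-sys-maint
password = $pass
EOF
    )
    chown 0:0 "$tmp" 2>/dev/null || true   # needs root; harmless otherwise
    mv -f "$tmp" "$dc"                     # atomic replace of any old copy
}

# file_mode PATH -> octal permission bits, e.g. 600 (GNU stat, BSD fallback)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# build_grant_sql USER PASSWORD
# Emits a GRANT that creates the maintenance account with all privileges.
# Backslashes and single quotes in the password are escaped for the SQL
# string literal, which the original REPLACE string did not do.
build_grant_sql() {
    user="$1"
    pass="$2"
    esc=$(printf '%s' "$pass" | sed "s/\\\\/\\\\\\\\/g; s/'/\\\\'/g")
    printf "GRANT ALL PRIVILEGES ON *.* TO '%s'@'localhost' IDENTIFIED BY '%s' WITH GRANT OPTION;\n" \
        "$user" "$esc"
}
```

The check a packager would want after the file is written is `file_mode /etc/mysql/debian.cnf` returning 600; the GRANT text can be fed to the client on stdin once the server is up, so no heavy bootstrap run is needed just to set one password.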


Comments
Comment by Sergey Vojtovich [ 2015-12-21 ]

serg, please review fix for this bug.

Comment by Otto Kekäläinen [ 2015-12-22 ]

This bug was also reported and fixed in Debian a long time ago. Fix was done using umask: https://github.com/ottok/mariadb-10.0/blob/master/debian/mariadb-server-10.0.postinst#L130

I see the code has umasks twice, I am not sure why, but nevertheless I thought I'd mention this.

Comment by Sergey Vojtovich [ 2015-12-22 ]

serg, I merged fix from Otto's tree to 10.1. Could you confirm it is fine with you?

Comment by Sergei Golubchik [ 2015-12-22 ]

ok to push

Generated at Thu Feb 08 07:31:59 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.