Debian: insecure debian-sys-maint password handling

Description

There's this code in debian/mariadb-server-10.1.postinst script:

```sh
dc=$mysql_cfgdir/debian.cnf;
if [ -e "$dc" -a -n "`fgrep mysql_upgrade $dc 2>/dev/null`" ]; then
    pass="`sed -n 's/^[ ]*password *= *// p' $dc | head -n 1`"
else
    pass=`perl -e 'print map{("a".."z","A".."Z",0..9)[int(rand(62))]}(1..16)'`;
    if [ ! -d "$mysql_cfgdir" ]; then
        install -o 0 -g 0 -m 0755 -d $mysql_cfgdir;
    fi
    # The file is created here under the default umask; its mode is only
    # tightened by the chmod further below, after the password is written.
    cat /dev/null > $dc
    echo "# Automatically generated for Debian scripts. DO NOT TOUCH!" >>$dc
    echo "[client]" >>$dc
    echo "host = localhost" >>$dc
    echo "user = debian-sys-maint" >>$dc
    echo "password = $pass" >>$dc
    echo "socket = $mysql_rundir/mysqld.sock" >>$dc
    echo "[mysql_upgrade]" >>$dc
    echo "host = localhost" >>$dc
    echo "user = debian-sys-maint" >>$dc
    echo "password = $pass" >>$dc
    echo "socket = $mysql_rundir/mysqld.sock" >>$dc
    echo "basedir = /usr" >>$dc
fi
# If this dir chmod go+w then the admin did it. But this file should not.
chown 0:0 $dc
chmod 0600 $dc
# The password is embedded in the REPLACE statement that is later fed to
# mysqld --bootstrap.
replace_query=`/bin/echo -e \
    "USE mysql;\n" \
    "SET sql_mode='';\n" \
    "REPLACE INTO user SET " \
    "  host='localhost', user='debian-sys-maint', password=password('$pass'), " \
    "  Select_priv='Y', Insert_priv='Y', Update_priv='Y', Delete_priv='Y', " \
    "  Create_priv='Y', Drop_priv='Y', Reload_priv='Y', Shutdown_priv='Y', " \
    "  Process_priv='Y', File_priv='Y', Grant_priv='Y', References_priv='Y', " \
    "  Index_priv='Y', Alter_priv='Y', Super_priv='Y', Show_db_priv='Y', " \
    "  Create_tmp_table_priv='Y', Lock_tables_priv='Y', Execute_priv='Y', " \
    "  Repl_slave_priv='Y', Repl_client_priv='Y', Create_view_priv='Y', " \
    "  Show_view_priv='Y', Create_routine_priv='Y', Alter_routine_priv='Y', " \
    "  Create_user_priv='Y', Event_priv='Y', Trigger_priv='Y'," \
    "  ssl_cipher='', x509_issuer='', x509_subject='';"`;
db_get mysql-server/root_password && rootpw="$RET"
if ! set_mysql_rootpw; then
    password_error="yes"
fi
set +e
echo "$replace_query" | $MYSQL_BOOTSTRAP 2>&1 | $ERR_LOGGER
set -e
```

On initial installation it creates /etc/mysql/debian.cnf world-readable, writes the password into it and only then tightens the file permissions. This leaves a small theoretical window in which an attacker could read the debian-sys-maint password.

The password also passes through a number of echo calls. That might be fine, since echo is a bash builtin, but echo has a rather poor reputation as a tool for handling passwords.
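As an added illustration of the two points above (this is example code written for this page, not the Debian postinst or MariaDB project code), the following POSIX sh shows the weak create-then-chmod sequence next to a version that creates debian.cnf with mode 0600 before any content exists and writes the whole file in one heredoc, so the password is never passed to an external command. The config directory and password are parameters; the file name and [client] layout are taken from the postinst, and the chown to root is left to the installer.

```sh
#!/bin/sh
# Example code for this issue, not the Debian postinst. Assumes the caller
# passes the config directory and an alphanumeric password (as generated by
# the perl one-liner in the postinst); the file name follows the postinst.

# Weak pattern, as in the postinst: the file is created under the default
# umask (usually 022, i.e. mode 0644) and only tightened afterwards, so the
# password is world-readable between the first echo and the chmod.
write_cnf_weak() {
    dir=$1; pass=$2; dc=$dir/debian.cnf
    cat /dev/null > "$dc"          # created 0644 under umask 022
    echo "[client]" >> "$dc"
    echo "password = $pass" >> "$dc"
    chmod 0600 "$dc"               # the window closes only here
}

# Hardened pattern: remove any stale file, create the new one under umask 077
# (so it is born 0600), and write the whole config with one heredoc instead
# of a series of echo calls. The password is expanded by the shell itself
# and never appears as an argument to an external process.
write_cnf_safe() {
    dir=$1; pass=$2; dc=$dir/debian.cnf
    [ -d "$dir" ] || install -m 0755 -d "$dir"
    (
        umask 077                  # any file created in this subshell is 0600
        rm -f "$dc"                # a pre-existing file would keep its old mode
        cat > "$dc" <<EOF
# Automatically generated for Debian scripts. DO NOT TOUCH!
[client]
host = localhost
user = debian-sys-maint
password = $pass
EOF
    )
    chmod 0600 "$dc"               # belt and braces; the file is already 0600
}

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Read the password back the way the postinst does: first "password = ..." line.
read_cnf_password() {
    sed -n 's/^[ ]*password *= *//p' "$1" | head -n 1
}
```

Run as root the installer would additionally `chown 0:0` the file; the important change is that the 0600 mode is in place before the password is written, not after. The REPLACE statement in the postinst is a separate matter: it is built with `/bin/echo -e` and applied through mysqld --bootstrap, which is what the plugin-bypass points below refer to.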

In addition, a REPLACE statement run through mysqld --bootstrap is used to set the password:

  • it bypasses password validation plugins

  • it bypasses audit plugins

  • it increases installation time (it has to start a rather heavy mysqld)

  • it also increases mysqld downtime

  • it may fail if the database has some plugin-specific configuration (see MDEV-8437)

Environment

None

Status

Assignee

Sergey Vojtovich

Reporter

Sergey Vojtovich

Labels

None

External issue ID

None

Components

Sprint

None

Fix versions

Affects versions

10.0
10.1
5.5

Priority

Major