
Debian: insecure debian-sys-maint password handling

Description

There's this code in the debian/mariadb-server-10.1.postinst script:

    dc=$mysql_cfgdir/debian.cnf;
    if [ -e "$dc" -a -n "`fgrep mysql_upgrade $dc 2>/dev/null`" ]; then
        pass="`sed -n 's/^[ ]*password *= *// p' $dc | head -n 1`"
    else
        pass=`perl -e 'print map{("a".."z","A".."Z",0..9)[int(rand(62))]}(1..16)'`;
        if [ ! -d "$mysql_cfgdir" ]; then install -o 0 -g 0 -m 0755 -d $mysql_cfgdir; fi
        cat /dev/null > $dc
        echo "# Automatically generated for Debian scripts. DO NOT TOUCH!" >>$dc
        echo "[client]" >>$dc
        echo "host = localhost" >>$dc
        echo "user = debian-sys-maint" >>$dc
        echo "password = $pass" >>$dc
        echo "socket = $mysql_rundir/mysqld.sock" >>$dc
        echo "[mysql_upgrade]" >>$dc
        echo "host = localhost" >>$dc
        echo "user = debian-sys-maint" >>$dc
        echo "password = $pass" >>$dc
        echo "socket = $mysql_rundir/mysqld.sock" >>$dc
        echo "basedir = /usr" >>$dc
    fi
    # If this dir chmod go+w then the admin did it. But this file should not.
    chown 0:0 $dc
    chmod 0600 $dc

    replace_query=`/bin/echo -e \
        "USE mysql;\n" \
        "SET sql_mode='';\n" \
        "REPLACE INTO user SET " \
        " host='localhost', user='debian-sys-maint', password=password('$pass'), " \
        " Select_priv='Y', Insert_priv='Y', Update_priv='Y', Delete_priv='Y', " \
        " Create_priv='Y', Drop_priv='Y', Reload_priv='Y', Shutdown_priv='Y', " \
        " Process_priv='Y', File_priv='Y', Grant_priv='Y', References_priv='Y', " \
        " Index_priv='Y', Alter_priv='Y', Super_priv='Y', Show_db_priv='Y', "\
        " Create_tmp_table_priv='Y', Lock_tables_priv='Y', Execute_priv='Y', "\
        " Repl_slave_priv='Y', Repl_client_priv='Y', Create_view_priv='Y', "\
        " Show_view_priv='Y', Create_routine_priv='Y', Alter_routine_priv='Y', "\
        " Create_user_priv='Y', Event_priv='Y', Trigger_priv='Y',"\
        " ssl_cipher='', x509_issuer='', x509_subject='';"`;

    db_get mysql-server/root_password && rootpw="$RET"
    if ! set_mysql_rootpw; then
        password_error="yes"
    fi

    set +e
    echo "$replace_query" | $MYSQL_BOOTSTRAP 2>&1 | $ERR_LOGGER
    set -e

On initial installation it creates a world-readable /etc/mysql/debian.cnf, writes a password to it and then revokes privileges. This leaves a small theoretical window in which an attacker may intercept the debian-sys-maint password.

Also, the password goes through a number of echo calls. It might be all right since echo is a bash builtin. But echo has a rather poor reputation as a tool for handling passwords.

In addition to that, a REPLACE statement against mysqld --bootstrap is used to update the password:

  • it bypasses password validation plugins
  • it bypasses audit plugins
  • it increases installation time (it has to run the rather heavy mysqld)
  • it also increases mysqld downtime
  • it may fail if the database has some plugin-specific configs (see MDEV-8437)
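
The window between creating debian.cnf and restricting it can be closed by giving the file its final mode before the password is written. The sketch below is an added example, not code from the MariaDB packaging: the function names, the directory arguments and the 022 umask are assumptions, and the first function only reproduces the create-then-chmod order so the intermediate mode can be observed.

```shell
#!/bin/sh
# Added example (not from the MariaDB packaging); names and arguments are hypothetical.

# Order used in the postinst excerpt: create, write the password, restrict afterwards.
# Prints the permission string the file has while the password is already in it.
insecure_mode_during_write() {
    (
        dc="$1/debian.cnf"; pass="$2"
        umask 022                        # assumed umask of the installing process
        cat /dev/null > "$dc"
        echo "password = $pass" >> "$dc"
        ls -ld "$dc" | cut -c1-10        # mode before chmod 0600 runs
        chmod 0600 "$dc"
    )
}

# Hardened order: the file is 0600 from creation and appears under its final name complete.
write_cnf_secure() {
    (
        cfgdir="$1"; pass="$2"; rundir="$3"
        umask 077                        # nothing created here is group/world accessible
        tmp=$(mktemp "$cfgdir/debian.cnf.XXXXXX") || exit 1
        trap 'rm -f "$tmp"' EXIT         # no stray copy of the password on failure
        cat > "$tmp" <<EOF
# Automatically generated for Debian scripts. DO NOT TOUCH!
[client]
host = localhost
user = debian-sys-maint
password = $pass
socket = $rundir/mysqld.sock
[mysql_upgrade]
host = localhost
user = debian-sys-maint
password = $pass
socket = $rundir/mysqld.sock
basedir = /usr
EOF
        [ "$(id -u)" -ne 0 ] || chown 0:0 "$tmp"   # ownership fix only applies as root
        mv -f "$tmp" "$cfgdir/debian.cnf"          # atomic rename within the same directory
    )
}
```

The rename is atomic only because the temporary file is created in the same directory as the target, so readers see either the old file or the complete new one.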

Environment

None

Status

Assignee

Sergey Vojtovich

Reporter

Sergey Vojtovich

Components

Sprint

None

Fix versions

Affects versions

5.5
10.0
10.1

Priority

Major