  1. MDEV-9081

Debian: insecure debian-sys-maint password handling

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects versions: 5.5, 10.0, 10.1
    • Fix versions: 10.1.10
    • Components: Packaging, Platform Debian
    • Labels:
      None
    • Sprint:
      10.1.10

      Description

      There's this code in debian/mariadb-server-10.1.postinst script:

          dc=$mysql_cfgdir/debian.cnf;
          if [ -e "$dc" -a -n "`fgrep mysql_upgrade $dc 2>/dev/null`" ]; then
              pass="`sed -n 's/^[     ]*password *= *// p' $dc | head -n 1`"
          else
              pass=`perl -e 'print map{("a".."z","A".."Z",0..9)[int(rand(62))]}(1..16)'`;
              if [ ! -d "$mysql_cfgdir" ]; then install -o 0 -g 0 -m 0755 -d $mysql_cfgdir; fi
              cat /dev/null > $dc
              echo "# Automatically generated for Debian scripts. DO NOT TOUCH!" >>$dc
              echo "[client]"                                                    >>$dc
              echo "host     = localhost"                                        >>$dc
              echo "user     = debian-sys-maint"                                 >>$dc
              echo "password = $pass"                                            >>$dc
              echo "socket   = $mysql_rundir/mysqld.sock"                        >>$dc
              echo "[mysql_upgrade]"                                             >>$dc
              echo "host     = localhost"                                        >>$dc
              echo "user     = debian-sys-maint"                                 >>$dc
              echo "password = $pass"                                            >>$dc
              echo "socket   = $mysql_rundir/mysqld.sock"                        >>$dc
              echo "basedir  = /usr"                                             >>$dc
          fi
          # If this dir chmod go+w then the admin did it. But this file should not.
          chown 0:0 $dc
          chmod 0600 $dc
      
          replace_query=`/bin/echo -e \
              "USE mysql;\n" \
              "SET sql_mode='';\n" \
              "REPLACE INTO user SET " \
              "  host='localhost', user='debian-sys-maint', password=password('$pass'), " \
              "  Select_priv='Y', Insert_priv='Y', Update_priv='Y', Delete_priv='Y', " \
              "  Create_priv='Y', Drop_priv='Y', Reload_priv='Y', Shutdown_priv='Y', " \
              "  Process_priv='Y',  File_priv='Y', Grant_priv='Y', References_priv='Y', " \
              "  Index_priv='Y', Alter_priv='Y', Super_priv='Y', Show_db_priv='Y', "\
              "  Create_tmp_table_priv='Y', Lock_tables_priv='Y', Execute_priv='Y', "\
              "  Repl_slave_priv='Y', Repl_client_priv='Y', Create_view_priv='Y', "\
              "  Show_view_priv='Y', Create_routine_priv='Y', Alter_routine_priv='Y', "\
              "  Create_user_priv='Y', Event_priv='Y', Trigger_priv='Y',"\
              "  ssl_cipher='', x509_issuer='', x509_subject='';"`;
      
          db_get mysql-server/root_password && rootpw="$RET"
          if ! set_mysql_rootpw; then
              password_error="yes"
          fi
      
          set +e
          echo "$replace_query"                                    | $MYSQL_BOOTSTRAP 2>&1 | $ERR_LOGGER
          set -e
      

      On initial installation it creates a world-readable /etc/mysql/debian.cnf, writes a password and then revokes privileges. This leaves a small theoretical gap in which an attacker may intercept the debian-sys-maint password.

      Also, the password goes through a number of echo calls. It might be alright since echo is a bash builtin. But echo has a rather poor reputation as a tool for handling passwords.

      In addition to that, a REPLACE statement against mysqld --bootstrap is used to update the password:

      • it bypasses password validation plugins
      • it bypasses audit plugins
      • it increases installation time (it has to run rather heavy mysqld)
      • it also increases mysqld downtime
      • it may fail if the database has some plugin-specific configs (see MDEV-8437, Closed)
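
The file-creation gap described in the report can be closed by giving the file mode 0600 from its first byte and writing it in one step. The following is an added example, not part of the original report or of MariaDB's packaging scripts; `write_maint_cnf`, `gen_pass`, `file_mode` and the choice of /dev/urandom as the password source are assumptions of this example.

```shell
#!/bin/sh
# Added example: create the credentials file with mode 0600 from the start,
# so there is no window in which other local users can read it.
# write_maint_cnf, gen_pass and file_mode are hypothetical helper names.

gen_pass() {
    # 16 alphanumeric characters taken from /dev/urandom (this example's choice).
    head -c 512 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | cut -c1-16
}

write_maint_cnf() {
    cfgdir=$1 rundir=$2
    dc=$cfgdir/debian.cnf
    pass=$(gen_pass)
    (
        # Subshell: the restrictive umask does not leak into the caller.
        umask 077
        # Temp file in the same directory, so the final mv is an atomic rename.
        tmp=$(mktemp "$cfgdir/debian.cnf.XXXXXX") || exit 1
        trap 'rm -f "$tmp"' EXIT
        # Single heredoc write instead of a chain of echo appends.
        cat > "$tmp" <<EOF
# Automatically generated for Debian scripts. DO NOT TOUCH!
[client]
host     = localhost
user     = debian-sys-maint
password = $pass
socket   = $rundir/mysqld.sock
[mysql_upgrade]
host     = localhost
user     = debian-sys-maint
password = $pass
socket   = $rundir/mysqld.sock
basedir  = /usr
EOF
        mv -f "$tmp" "$dc"
    )
}

file_mode() {
    # Permission string of a path, e.g. "-rw-------".
    ls -ld "$1" | cut -c1-10
}
```

In a postinst run as root the file is owned by root without a separate chown, and readers of debian.cnf only ever see either the old complete file or the new complete file.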

              People

              • Assignee:
                svoj Sergey Vojtovich
                Reporter:
                svoj Sergey Vojtovich