Re: [Maria-developers] [Commits] 063967b: MDEV-9081 - Debian: insecure debian-sys-maint password handling
Hi, Sergey! On Dec 21, Sergey Vojtovich wrote:
revision-id: 063967b1e447f0fc908a1ec0224fd7c1d268bf17 (mariadb-10.1.9-25-g063967b)
parent(s): 370ab48e9fcf4bc15ffa5e313fc34aa97981a832
committer: Sergey Vojtovich
timestamp: 2015-12-21 14:40:41 +0400
message:
MDEV-9081 - Debian: insecure debian-sys-maint password handling
Set file permission before password is actually written. This is a quick fix to close security gap. To be replaced by MDEV-8375 - passwordless root login.
diff --git a/debian/mariadb-server-10.1.postinst b/debian/mariadb-server-10.1.postinst index 0f35802..069c25e 100644 --- a/debian/mariadb-server-10.1.postinst +++ b/debian/mariadb-server-10.1.postinst @@ -158,6 +158,8 @@ EOF pass=`perl -e 'print map{("a".."z","A".."Z",0..9)[int(rand(62))]}(1..16)'`; if [ ! -d "$mysql_cfgdir" ]; then install -o 0 -g 0 -m 0755 -d $mysql_cfgdir; fi cat /dev/null > $dc + chown 0:0 $dc
is that needed? (not that it hurts, but still...)
+ chmod 0600 $dc
ok. what about other issues you've mentioned in this MDEV-9081? besides, what is the plan for moving to unix_socket auth?
echo "# Automatically generated for Debian scripts. DO NOT TOUCH!" >>$dc echo "[client]" >>$dc echo "host = localhost" >>$dc
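Review bot: the new chown/chmod pair runs after `cat /dev/null > $dc` has already created the file, so the file exists with the umask-default mode (normally 0644) until `chmod 0600 $dc` executes, and any process that opened it in that window keeps its descriptor, because permissions are checked at open time and not on later reads. Create the file with the restrictive mode already in force instead, e.g. `(umask 0077 && : > "$dc")` in place of the `cat /dev/null > $dc` line, which also makes the added chmod redundant. Quoting `$dc` here and on the two added lines would avoid word splitting if $mysql_cfgdir ever contained whitespace.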
Regards,
Sergei
Chief Architect MariaDB
and security@mariadb.org
--
Vote for my Percona Live 2016 talks:
https://www.percona.com/live/data-performance-conference-2016/sessions/maria...
https://www.percona.com/live/data-performance-conference-2016/sessions/maria...
Hi Sergei, On Mon, Dec 21, 2015 at 12:50:05PM +0100, Sergei Golubchik wrote:
Hi, Sergey!
On Dec 21, Sergey Vojtovich wrote:
revision-id: 063967b1e447f0fc908a1ec0224fd7c1d268bf17 (mariadb-10.1.9-25-g063967b)
parent(s): 370ab48e9fcf4bc15ffa5e313fc34aa97981a832
committer: Sergey Vojtovich
timestamp: 2015-12-21 14:40:41 +0400
message:
MDEV-9081 - Debian: insecure debian-sys-maint password handling
Set file permission before password is actually written. This is a quick fix to close security gap. To be replaced by MDEV-8375 - passwordless root login.
diff --git a/debian/mariadb-server-10.1.postinst b/debian/mariadb-server-10.1.postinst index 0f35802..069c25e 100644 --- a/debian/mariadb-server-10.1.postinst +++ b/debian/mariadb-server-10.1.postinst @@ -158,6 +158,8 @@ EOF pass=`perl -e 'print map{("a".."z","A".."Z",0..9)[int(rand(62))]}(1..16)'`; if [ ! -d "$mysql_cfgdir" ]; then install -o 0 -g 0 -m 0755 -d $mysql_cfgdir; fi cat /dev/null > $dc + chown 0:0 $dc
is that needed? (not that it hurts, but still...)
Not needed because this script is always executed by root? Not sure, I just copied this from a few lines below.
+ chmod 0600 $dc
ok. what about other issues you've mentioned in this MDEV-9081?
echo, while it has a bad reputation, seems to be more or less alright. At least I couldn't intercept it. REPLACE is not solved, but will be solved by unix_socket auth.
besides, what is the plan for moving to unix_socket auth?
Strictly speaking there is no plan. If you're asking for my opinion: I like it. I'd avoid such massive changes to not very well tested scripts in GA versions. 10.2 seems to be a reasonable target version.
I could probably do that over the next week, or some time in February/March.
Thanks,
Sergey
Hi, Sergey! On Dec 21, Sergey Vojtovich wrote:
On Mon, Dec 21, 2015 at 12:50:05PM +0100, Sergei Golubchik wrote:
On Dec 21, Sergey Vojtovich wrote:
revision-id: 063967b1e447f0fc908a1ec0224fd7c1d268bf17 (mariadb-10.1.9-25-g063967b)
parent(s): 370ab48e9fcf4bc15ffa5e313fc34aa97981a832
committer: Sergey Vojtovich
timestamp: 2015-12-21 14:40:41 +0400
message:
MDEV-9081 - Debian: insecure debian-sys-maint password handling
Set file permission before password is actually written. This is a quick fix to close security gap. To be replaced by MDEV-8375 - passwordless root login.
diff --git a/debian/mariadb-server-10.1.postinst b/debian/mariadb-server-10.1.postinst index 0f35802..069c25e 100644 --- a/debian/mariadb-server-10.1.postinst +++ b/debian/mariadb-server-10.1.postinst @@ -158,6 +158,8 @@ EOF pass=`perl -e 'print map{("a".."z","A".."Z",0..9)[int(rand(62))]}(1..16)'`; if [ ! -d "$mysql_cfgdir" ]; then install -o 0 -g 0 -m 0755 -d $mysql_cfgdir; fi cat /dev/null > $dc + chown 0:0 $dc
is that needed? (not that it hurts, but still...)
Not needed because this script is always executed by root? Not sure, I just copied this from a few lines below.
ok, thanks
+ chmod 0600 $dc
ok. what about other issues you've mentioned in this MDEV-9081?
echo, while it has a bad reputation, seems to be more or less alright. At least I couldn't intercept it.
ok
REPLACE is not solved, but will be solved by unix_socket auth.
besides, what is the plan for moving to unix_socket auth?
Strictly speaking there is no plan. If you're asking for my opinion: I like it. I'd avoid such massive changes to not very well tested scripts in GA versions. 10.2 seems to be a reasonable target version.
I could probably do that over the next week, or some time in February/March.
my point was - if unix_socket comes soon, why bother fixing these issues? and if not, then "will be solved by unix_socket" is not an excuse we can use.
Regards,
Sergei
Hi Sergei, On Mon, Dec 21, 2015 at 01:45:27PM +0100, Sergei Golubchik wrote: ...skip...
besides, what is the plan for moving to unix_socket auth?
Strictly speaking there is no plan. If you're asking for my opinion: I like it. I'd avoid such massive changes to not very well tested scripts in GA versions. 10.2 seems to be a reasonable target version.
I could probably do that over the next week, or some time in February/March.
my point was - if unix_socket comes soon, why bother fixing these issues? and if not, then "will be solved by unix_socket" is not an excuse we can use.
I'm fine if we agree to port unix socket to 10.2 and leave previous versions unfixed.
Regards, Sergey
Hi, Sergey! On Dec 21, Sergey Vojtovich wrote:
On Mon, Dec 21, 2015 at 01:45:27PM +0100, Sergei Golubchik wrote:
besides, what is the plan for moving to unix_socket auth?
Strictly speaking there is no plan. If you're asking for my opinion: I like it. I'd avoid such massive changes to not very well tested scripts in GA versions. 10.2 seems to be a reasonable target version.
I could probably do that over the next week, or some time in February/March.
my point was - if unix_socket comes soon, why bother fixing these issues? and if not, then "will be solved by unix_socket" is not an excuse we can use.
I'm fine if we agree to port unix socket to 10.2 and leave previous versions unfixed.
Okay, let's do that.
Let's just push the chmod fix, it's the only security-relevant issue in your MDEV. But now I'm thinking that your fix isn't bullet-proof either, it makes the window smaller but doesn't eliminate it.
A safe version could be something like
sh -c 'umask 0077 && touch /secret/file'
Regards,
Sergei
Hi Sergei, On Mon, Dec 21, 2015 at 08:22:51PM +0100, Sergei Golubchik wrote:
Hi, Sergey!
On Dec 21, Sergey Vojtovich wrote:
On Mon, Dec 21, 2015 at 01:45:27PM +0100, Sergei Golubchik wrote:
besides, what is the plan for moving to unix_socket auth?
Strictly speaking there is no plan. If you're asking for my opinion: I like it. I'd avoid such massive changes to not very well tested scripts in GA versions. 10.2 seems to be a reasonable target version.
I could probably do that over the next week, or some time in February/March.
my point was - if unix_socket comes soon, why bother fixing these issues? and if not, then "will be solved by unix_socket" is not an excuse we can use.
I'm fine if we agree to port unix socket to 10.2 and leave previous versions unfixed.
Okay, let's do that.
Let's just push the chmod fix, it's the only security-relevant issue in your MDEV. But now I'm thinking that your fix isn't bullet-proof either, it makes the window smaller but doesn't eliminate it.
Push it just to 10.1? Just chmod and no chown? I don't mind, but it deviates from original behavior.
A safe version could be something like
sh -c 'umask 0077 && touch /secret/file'
You're right, permission is checked on open and not on subsequent IO. I'll fix it.
Thanks,
Sergey
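The two orderings contrasted above, as an added shell example that is not the Debian postinst's own code: the patched create-then-chmod sequence, which leaves the file at the umask-default mode until chmod runs, beside creation under a restrictive umask, where the file never has a wider mode. File names and the sample password are constructed, and mode_of, create_then_chmod, create_private and write_client_cnf are names chosen for this example.

```shell
#!/bin/sh
# Added example (not the Debian postinst's own code): the two orderings
# discussed in the thread, side by side.  File names and the sample
# password are constructed for the demo.

# Print a file's permission bits in octal (GNU stat, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# The patched ordering: create the file, then tighten it.  Prints the mode
# the file has in the window between creation and chmod.
create_then_chmod() {
    (
        umask 022               # a typical default umask
        cat /dev/null > "$1"    # file is born 0644: readable by everyone
        mode_of "$1"            # what an onlooker sees before chmod runs
        chmod 0600 "$1"         # only affects opens that happen after this
    )
}

# Sergei's ordering: the restrictive umask is in force at creation, so the
# file never exists with a wider mode.  The subshell keeps the umask change
# from leaking into the caller.  Caveat: umask only governs new files; a
# pre-existing file keeps whatever mode it already had.
create_private() {
    ( umask 0077 && : > "$1" )  # same effect as: sh -c 'umask 0077 && touch FILE'
    mode_of "$1"
}

# Write a [client] section as the script does, but only after the file has
# been created privately.  Prints the final mode.
write_client_cnf() {
    dc="$1"; pass="$2"
    create_private "$dc" >/dev/null
    echo "# Automatically generated for Debian scripts. DO NOT TOUCH!" >> "$dc"
    echo "[client]" >> "$dc"
    echo "host = localhost" >> "$dc"
    echo "password = $pass" >> "$dc"   # the secret lands in an already-0600 file
    mode_of "$dc"
}

demo() {
    d=$(mktemp -d)
    echo "create-then-chmod: mode before chmod = $(create_then_chmod "$d/a.cnf")"
    echo "umask-then-create: mode at creation  = $(create_private "$d/b.cnf")"
    echo "client cnf:        final mode        = $(write_client_cnf "$d/c.cnf" not-a-real-password)"
    rm -rf "$d"
}
demo
```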
participants (2): Sergei Golubchik, Sergey Vojtovich