Bug 24116 - Mysql log world readable
Mysql log world readable
Status: CLOSED RAWHIDE
Product: Red Hat Linux
Classification: Retired
Component: mysql (Show other bugs)
7.0
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Patrick Macdonald
David Lawrence
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2001-01-16 11:08 EST by Paul Nasrat
Modified: 2007-04-18 12:30 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2001-01-16 11:54:04 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Patch for mysql.init (377 bytes, patch)
2001-01-16 11:09 EST, Paul Nasrat
no flags Details | Diff

  None (edit)
Description Paul Nasrat 2001-01-16 11:08:06 EST
Saw this on vuln-dev:

X-Mailer: Privacyx.com Anonymous Certificate Authority
Date:         Sun, 14 Jan 2001 16:29:08 +0200
From: Narrow <nss@PRIVACYX.COM>
Subject:      mysqld log file
To: VULN-DEV@SECURITYFOCUS.COM

Tested on Red Hat 7.0:

[narrow@tornado /]$ cat /var/log/mysqld.log | grep "Password=PASSWORD"
001225 21:08:18       7 Query      UPDATE user SET
Password=PASSWORD('rewt') WHERE user='root'
[narrow@tornado /]$

Here we have the password for user 'root'.

--
Narrow - nss@privacyx.com - http://www.zone.ee/unix/ - Estonia

I've checket this out and indeed it seems that the log started in
/etc/rc.d/init.d/mysqld is created world-readable.  Setting passwords
through mysqladmin is unaffected but manual setting using

insert into user (host,user,password)
values ('localhost','paul',password('seethis'));

Is visible.

Quick fix - add chmod 660 /var/log/mysqld.log in init.d script (need to
check post logrotate perms...)

I guess this needs to be added to mysql.init in ths SRPM
Comment 1 Paul Nasrat 2001-01-16 11:09:19 EST
Created attachment 7688 [details]
Patch for mysql.init
Comment 2 Paul Nasrat 2001-01-16 11:54:00 EST
logrotate script set as create 0644 mysql root - change to 0640

--- mysql.logrotate.orig	Tue Jan 16 15:59:53 2001
+++ mysql.logrotate	Tue Jan 16 16:00:04 2001
@@ -1,6 +1,6 @@
 /var/log/mysqld.log {
     missingok
-    create 0644 mysql root
+    create 0640 mysql root
     prerotate
 	[ -e /var/lock/subsys/mysqld ] && mysqladmin flush-logs
     endscript
Comment 3 Trond Eivind Glomsrxd 2001-01-16 19:34:26 EST
Fixed in 3.23.30-2, available from Rawhide soonish and
http://people.redhat.com/teg/db/ now/

Note You need to log in before you can comment on or make changes to this bug.