Saw this on vuln-dev:

X-Mailer: Privacyx.com Anonymous Certificate Authority
Date: Sun, 14 Jan 2001 16:29:08 +0200
From: Narrow <nss>
Subject: mysqld log file
To: VULN-DEV

Tested on Red Hat 7.0:

[narrow@tornado /]$ cat /var/log/mysqld.log | grep "Password=PASSWORD"
001225 21:08:18 7 Query UPDATE user SET Password=PASSWORD('rewt') WHERE user='root'
[narrow@tornado /]$

Here we have the password for user 'root'.

-- Narrow - nss - http://www.zone.ee/unix/ - Estonia

I've checked this out and indeed it seems that the log started in /etc/rc.d/init.d/mysqld is created world-readable. Setting passwords through mysqladmin is unaffected but manual setting using

insert into user (host,user,password) values ('localhost','paul',password('seethis'));

is visible.

Quick fix - add chmod 660 /var/log/mysqld.log in init.d script (need to check post logrotate perms...)

I guess this needs to be added to mysql.init in this SRPM
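A defender-side check for the exposure reported above, written as an added example (it is not code from the bug report or from Red Hat's packaging). It assumes the log path from the report and the 660 mode proposed in the quick fix; the audit flags both a world-readable log and query-log lines that carry a cleartext PASSWORD('...') argument.

```shell
#!/bin/sh
# Audit a MySQL query log for the two conditions in the report:
#   1) the file is readable by "other" (world-readable)
#   2) it contains PASSWORD('...') literals from password-setting queries
# Path defaults to the one in the report (assumption: same layout as RH 7.0).

log_world_readable() {
    # POSIX find: -perm -004 matches only when the "other read" bit is set.
    [ -n "$(find "${1:-/var/log/mysqld.log}" -maxdepth 0 -perm -004 2>/dev/null)" ]
}

count_password_lines() {
    # grep -c prints the count even when it is 0 (and then exits 1),
    # so keep the output and ignore the exit status.
    grep -c "PASSWORD('" "${1:-/var/log/mysqld.log}" || true
}

audit_mysql_log() {
    log="${1:-/var/log/mysqld.log}"
    [ -f "$log" ] || { echo "no such log: $log"; return 2; }
    status=0
    if log_world_readable "$log"; then
        echo "WORLD-READABLE: $log"
        status=1
    fi
    hits=$(count_password_lines "$log")
    if [ "$hits" -gt 0 ]; then
        echo "EXPOSED: $hits line(s) in $log contain PASSWORD('...')"
        status=1
    fi
    return $status
}

fix_mysql_log_mode() {
    # The mode the thread proposes for the init script; ownership should be
    # mysql:root as in the package, which is left to the init script itself.
    chmod 660 "${1:-/var/log/mysqld.log}"
}
```

Run `audit_mysql_log` after the init script and after each logrotate cycle; it exits non-zero whenever either condition holds, which covers the post-rotation permissions the quick fix leaves open.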
Created attachment 7688: Patch for mysql.init
logrotate script set as create 0644 mysql root - change to 0640 --- mysql.logrotate.orig Tue Jan 16 15:59:53 2001 +++ mysql.logrotate Tue Jan 16 16:00:04 2001 @@ -1,6 +1,6 @@ /var/log/mysqld.log { missingok - create 0644 mysql root + create 0640 mysql root prerotate [ -e /var/lock/subsys/mysqld ] && mysqladmin flush-logs endscript
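Review bot: the `create 0640 mysql root` change only governs the file logrotate creates after a rotation; the existing /var/log/mysqld.log, and the one the init script creates at startup (the case in the first comment and attachment 7688), keep their current mode until that init script fix lands or the file is chmod'ed by hand, so this hunk alone leaves the current log world-readable. Suggest landing it together with the init script change and documenting in the changelog that both paths create the log 0640/0660 owned by mysql.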
Fixed in 3.23.30-2, available from Rawhide soonish and http://people.redhat.com/teg/db/ now.