Bug 24116 - Mysql log world readable
Summary: Mysql log world readable
Status: CLOSED RAWHIDE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: mysql   
(Show other bugs)
Version: 7.0
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Patrick Macdonald
QA Contact: David Lawrence
URL:
Whiteboard:
Keywords: Security
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2001-01-16 16:08 UTC by Paul Nasrat
Modified: 2007-04-18 16:30 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2001-01-16 16:54:04 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Patch for mysql.init (377 bytes, patch)
2001-01-16 16:09 UTC, Paul Nasrat
no flags Details | Diff

Description Paul Nasrat 2001-01-16 16:08:06 UTC
Saw this on vuln-dev:

X-Mailer: Privacyx.com Anonymous Certificate Authority
Date:         Sun, 14 Jan 2001 16:29:08 +0200
From: Narrow <nss@PRIVACYX.COM>
Subject:      mysqld log file
To: VULN-DEV@SECURITYFOCUS.COM

Tested on Red Hat 7.0:

[narrow@tornado /]$ cat /var/log/mysqld.log | grep "Password=PASSWORD"
001225 21:08:18       7 Query      UPDATE user SET
Password=PASSWORD('rewt') WHERE user='root'
[narrow@tornado /]$

Here we have the password for user 'root'.

--
Narrow - nss@privacyx.com - http://www.zone.ee/unix/ - Estonia

I've checket this out and indeed it seems that the log started in
/etc/rc.d/init.d/mysqld is created world-readable.  Setting passwords
through mysqladmin is unaffected but manual setting using

insert into user (host,user,password)
values ('localhost','paul',password('seethis'));

Is visible.

Quick fix - add chmod 660 /var/log/mysqld.log in init.d script (need to
check post logrotate perms...)

I guess this needs to be added to mysql.init in ths SRPM

Comment 1 Paul Nasrat 2001-01-16 16:09:19 UTC
Created attachment 7688 [details]
Patch for mysql.init

Comment 2 Paul Nasrat 2001-01-16 16:54:00 UTC
logrotate script set as create 0644 mysql root - change to 0640

--- mysql.logrotate.orig	Tue Jan 16 15:59:53 2001
+++ mysql.logrotate	Tue Jan 16 16:00:04 2001
@@ -1,6 +1,6 @@
 /var/log/mysqld.log {
     missingok
-    create 0644 mysql root
+    create 0640 mysql root
     prerotate
 	[ -e /var/lock/subsys/mysqld ] && mysqladmin flush-logs
     endscript

Comment 3 Trond Eivind Glomsrxd 2001-01-17 00:34:26 UTC
Fixed in 3.23.30-2, available from Rawhide soonish and
http://people.redhat.com/teg/db/ now/


Note You need to log in before you can comment on or make changes to this bug.