Package: mysql-server
Version: 5.5.31+dfsg-0+wheezy1
Tags: security

The file "/etc/mysql/debian.cnf", which contains plain text credentials for the "debian-sys-maint" mysql user, is created in an insecure manner during the package installation phase. This can lead a non-privileged local user to disclose its content and use this special account to perform administration tasks.

The file is created by the post-installation script:

  $ vim -c "set nu" mysql-5.5-5.5.31+dfsg/debian/mysql-server-5.5.postinst
  [...]
  170 dc=$mysql_cfgdir/debian.cnf;
  [...]
  176 cat /dev/null > $dc
  [...]
  178 echo "[client]" >>$dc
  179 echo "host = localhost" >>$dc
  180 echo "user = debian-sys-maint" >>$dc
  181 echo "password = $pass" >>$dc
  [...]
  191 chown 0:0 $dc
  192 chmod 0600 $dc

There is a time lapse (between lines 176 and 191) where the file permissions are 644 (set by the default umask). At this time, a user can open the file with the O_RDONLY flag and disclose its content even after the chmod is executed at line 192 (yes, the user's file descriptor won't be affected by this action).

Anyway, I suggest forcing the umask value to 077 before this file is created.

I have a trivial PoC if needed.

Thanks,
vladz.
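
The create-then-chmod pattern from the report beside a umask-first variant, as an added example that is not part of the original report or of the Debian package. All function names, file names and the password are constructed, and the variant goes slightly beyond the reporter's suggestion by writing to a new file and renaming it, so that a pre-existing file with a loose mode is also covered.

```shell
#!/bin/sh
# Added illustration. File names, the password and all function names are
# constructed; chown 0:0 from the excerpt is omitted so it runs without root.

# Print the 10-character mode string of a file, e.g. "-rw-r--r--".
mode_of() { ls -ld "$1" | cut -c1-10; }

# The writes from lines 176-181 of the excerpt.
write_body() {
    cat /dev/null > "$1"
    echo "[client]" >> "$1"
    echo "host = localhost" >> "$1"
    echo "user = debian-sys-maint" >> "$1"
    echo "password = $2" >> "$1"
}

# Pattern from the excerpt: create under the default umask, chmod afterwards.
# Prints the mode the file has while the password is already in it.
create_then_chmod() (
    umask 022                     # common default; subshell keeps it local
    write_body "$1" "$2"
    mode_of "$1"
    chmod 0600 "$1"
)

# Hardened: umask 077 first, write to a new file in the same directory, then
# rename over the target. An existing target with a loose mode is replaced
# rather than reused, since ">" keeps the mode of a file that already exists.
umask_then_create() (
    umask 077
    tmp="$1.new.$$"               # assumes the directory is writable by root only
    rm -f "$tmp"
    write_body "$tmp" "$2"
    mode_of "$tmp"
    mv -f "$tmp" "$1"
)

demo_dir=$(mktemp -d)
echo "create, then chmod: $(create_then_chmod "$demo_dir/debian.cnf" constructed-pass)"
echo "umask 077 first:    $(umask_then_create "$demo_dir/debian.cnf" constructed-pass)"
rm -rf "$demo_dir"
```

The first function reports a world-readable mode while the password is already on disk; the second never exposes the content under any mode other than owner-only.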