[Bug 834828] New: log created from create_mysqldb.sh exposes password
https://bugzilla.novell.com/show_bug.cgi?id=834828
https://bugzilla.novell.com/show_bug.cgi?id=834828#c0

           Summary: log created from create_mysqldb.sh exposes password
    Classification: openSUSE
           Product: openSUSE Factory
           Version: 13.1 Milestone 4
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Other
        AssignedTo: thardeck@suse.com
        ReportedBy: lrupp@suse.com
         QAContact: qa-bugs@suse.de
          Found By: Development
           Blocker: ---

Running create_mysqldb.sh in /usr/share/doc/packages/icinga-idoutils-mysql/examples results in a logfile /usr/share/doc/packages/icinga-idoutils-mysql/examples/create_mysqldb.log that contains the password for the user that has "SELECT , INSERT , UPDATE , DELETE" rights for the icinga database.

Under normal circumstances, this logfile has permissions 644.

Suggested fix: either use umask inside the script or create the file before writing to it with more secure permissions.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=834828
https://bugzilla.novell.com/show_bug.cgi?id=834828#c1

Tim Hardeck <thardeck@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
       InfoProvider|                            |lrupp@suse.com

--- Comment #1 from Tim Hardeck <thardeck@suse.com> 2013-08-16 13:32:10 UTC ---
I am not sure if this is really a bug, since you need to add the db user and password to the script anyway, so if you don't copy the script to a protected location you have the same issue.

So we could either change the permissions of examples to only root readable, which would be quite a severe impact, ignore this issue since the users should know better if they add the details to the script on their own, or remove it. It is not really supported by upstream anyway.
https://bugzilla.novell.com/show_bug.cgi?id=834828
https://bugzilla.novell.com/show_bug.cgi?id=834828#c2

Lars Vogdt <lrupp@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW
       InfoProvider|lrupp@suse.com              |

--- Comment #2 from Lars Vogdt <lrupp@suse.com> 2013-08-16 16:39:49 CEST ---
Created an attachment (id=552900)
 --> (http://bugzilla.novell.com/attachment.cgi?id=552900)
Patch requesting the password from the user

(In reply to comment #1)
> I am not sure if this is really a bug, since you need to add the db user and
> password to the script anyway, so if you don't copy the script to a protected
> location you have the same issue.

What about this simple patch to avoid that all installations get the same password? Using pwgen might also be an option, but would introduce a new dependency.
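The two mitigations raised in this report (the reporter's suggestion to create the log with restrictive permissions before writing to it, and comment #2's idea of asking the user for the password instead of shipping a fixed one) as an added shell example; this is not the create_mysqldb.sh from the icinga-idoutils-mysql package or the attached patch, and the function names, the masking of `IDENTIFIED BY '...'` and the `DEMO` variable are this example's own choices:

```sh
#!/bin/sh
# Added example, not the create_mysqldb.sh shipped with icinga-idoutils-mysql.
# Shows: (1) a log file that is never world-readable, (2) a log line with the
# password masked, (3) reading the password from the user instead of the script.

# Create or truncate LOGFILE so only the owner can read it. The umask is set
# before the file exists, so there is no window in which it is mode 0644.
create_private_log() {
    logfile=$1
    saved_umask=$(umask)
    umask 077
    : > "$logfile"
    rc=$?
    umask "$saved_umask"
    # chmod also fixes a file that an earlier run left behind as 0644.
    [ "$rc" -eq 0 ] && chmod 600 "$logfile"
}

# Append LINE to LOGFILE with any "IDENTIFIED BY '...'" secret replaced by
# '***', so the GRANT statement can be logged without recording the password.
log_redacted() {
    logfile=$1
    line=$2
    printf '%s\n' "$line" \
        | sed "s/IDENTIFIED BY '[^']*'/IDENTIFIED BY '***'/g" >> "$logfile"
}

# Read the database password from the user (echo disabled on a terminal, plain
# read from a pipe otherwise) rather than hard-coding it in the script.
read_db_password() {
    if [ -t 0 ]; then
        printf 'MySQL password for the icinga user: ' >&2
        stty -echo; read -r pw; stty echo; printf '\n' >&2
    else
        read -r pw          # non-interactive: taken from stdin
    fi
    printf '%s' "$pw"
}

# Usage (run with DEMO=1): log the GRANT statement with the password masked.
if [ "${DEMO:-0}" = 1 ]; then
    log=${TMPDIR:-/tmp}/create_mysqldb.log
    create_private_log "$log"
    pw=$(read_db_password)
    log_redacted "$log" "GRANT SELECT, INSERT, UPDATE, DELETE ON icinga.* TO 'icinga'@'localhost' IDENTIFIED BY '$pw';"
fi
```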
https://bugzilla.novell.com/show_bug.cgi?id=834828
https://bugzilla.novell.com/show_bug.cgi?id=834828#c

Cornelius Schumacher <cschum@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|thardeck@suse.com           |bgeuken@suse.com
https://bugzilla.novell.com/show_bug.cgi?id=834828
https://bugzilla.novell.com/show_bug.cgi?id=834828#c3

Tim Hardeck <thardeck@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |thardeck@suse.com
         Resolution|                            |FIXED
         AssignedTo|bgeuken@suse.com            |thardeck@suse.com

--- Comment #3 from Tim Hardeck <thardeck@suse.com> 2013-08-27 12:31:19 UTC ---
I have reported this upstream under https://dev.icinga.org/issues/4565. My patch uses the upstream fix for the log file with your suggestions.
https://bugzilla.novell.com/show_bug.cgi?id=834828
https://bugzilla.novell.com/show_bug.cgi?id=834828#c

Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Status Whiteboard|                            |obs:running:2452:moderate
https://bugzilla.novell.com/show_bug.cgi?id=834828
https://bugzilla.novell.com/show_bug.cgi?id=834828#c4

--- Comment #4 from Swamp Workflow Management <swamp@suse.de> 2014-01-20 11:05:49 UTC ---
openSUSE-SU-2014:0097-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (moderate)
Bug References: 834828,851619,856837
CVE References: CVE-2013-7108
Sources used:
openSUSE 12.3 (src): icinga-1.10.2-2.4.1, nagios-rpm-macros-0.08-2.8.1
http://bugzilla.novell.com/show_bug.cgi?id=834828

Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Whiteboard|obs:running:2452:moderate   |