'mysql' charm exposes mysql-root password

Bug #1040165 reported by Kurt Huwig on 2012-08-22
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
pyjuju
Medium
Unassigned
0.5
Medium
Unassigned
juju (Ubuntu)
Undecided
Unassigned
mysql (Juju Charms Collection)
Status tracked in Precise
Oneiric
Undecided
Unassigned
Precise
Undecided
Unassigned

Bug Description

The 'mysql' charm exposes the mysql-root password within its install hook:

/usr/share/doc/juju/examples/precise/mysql/hooks/install:

echo $PASSWORD >> /var/lib/juju/mysql.passwd

which is readable for others:

drwxr-xr-x 5 root root 4096 Aug 22 11:41 /var/lib/juju/
-rw-r--r-- 1 root root 37 Aug 22 11:41 /var/lib/juju/mysql.passwd

This allows any local user to gain root access to MySQL:

$ mysql -u root mysql
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)

$ mysql -u root -p$(cat /var/lib/juju/mysql.passwd) mysql
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Related branches

affects: juju (Ubuntu) → charms
affects: charms → mysql (Juju Charms Collection)
Kurt Huwig (k-huwig-f) wrote :

The append to the file does also look wrong, as it is used like this in db-relation-joined:

# Get the mysql password that was generated by the install hook
password=`cat /var/lib/juju/mysql.passwd`

Mark Mims (mark-mims) on 2012-08-22
Changed in mysql (Charms Precise):
status: New → Fix Released
Mark Mims (mark-mims) wrote :

also submitting a patch for the juju example charms in trunk

Changed in mysql (Charms Oneiric):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package juju - 0.5+bzr531-0ubuntu1.3

---------------
juju (0.5+bzr531-0ubuntu1.3) precise-security; urgency=low

  * SECURITY UPDATE: d/p/upstream-543.patch: Disable password authentication
    on LXC containers created in the local provider. (LP: #1016428)
  * SECURITY UPDATE: d/p/upstream-564.patch: Fix example mysql charm to
    not expose root mysql password to all users. (LP: #1040165)
  * SECURITY UPDATE: d/p/upstream-565.patch: Verify charm store hostname
    matches hostname on SSL certificate. (LP: #992447)
 -- Clint Byrum <email address hidden> Thu, 23 Aug 2012 17:12:26 -0700

Changed in juju (Ubuntu):
status: New → Fix Released
Changed in juju:
status: New → Fix Committed
visibility: private → public
Changed in juju:
milestone: none → 0.6
importance: Undecided → Critical
importance: Critical → Medium
Changed in juju:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers