'mysql' charm exposes mysql-root password

Bug #1040165 reported by Kurt Huwig on 2012-08-22
Affects Status Importance Assigned to Milestone
juju (Ubuntu)
mysql (Juju Charms Collection)
Status tracked in Precise

Bug Description

The 'mysql' charm exposes the mysql-root password within its install hook:
echo $PASSWORD >> /var/lib/juju/mysql.passwd

which is readable for others:

drwxr-xr-x 5 root root 4096 Aug 22 11:41 /var/lib/juju/
-rw-r--r-- 1 root root 37 Aug 22 11:41 /var/lib/juju/mysql.passwd

This allows any local user to gain root access to MySQL:

$ mysql -u root mysql
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)

$ mysql -u root -p$(cat /var/lib/juju/mysql.passwd) mysql
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A


affects: juju (Ubuntu) → charms
affects: charms → mysql (Juju Charms Collection)
Kurt Huwig (k-huwig-f) wrote :

The append to the file also looks wrong, as it is used like this in db-relation-joined:

# Get the mysql password that was generated by the install hook
password=`cat /var/lib/juju/mysql.passwd`
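The two defects above (a world-readable password file, and appending with `>>` so a re-run of the install hook leaves several lines for `cat` to read back) can both be avoided at the point where the file is written. The following is an added example, not the charm's own hook code or the patch that was released: it creates the file with a restrictive mode before any data lands in it, overwrites rather than appends, and checks the result. The path is a constructed temporary location so the script runs anywhere; a real hook would use the path from the report.

```bash
#!/bin/sh
# Added example (not the mysql charm's code): store a generated MySQL root
# password so that only the owner can read it, then verify the file.
# PASSWD_FILE is a constructed path under a temp dir; the charm used
# /var/lib/juju/mysql.passwd.

PASSWD_DIR="$(mktemp -d)"
PASSWD_FILE="$PASSWD_DIR/mysql.passwd"

# write_password FILE PASSWORD
# The file is created (or truncated) under umask 077, so it never exists with
# the default 0644 mode the report shows.  Truncating an existing file does not
# change its mode, so chmod is applied as well in case an earlier hook run left
# a 0644 file behind.  '>' replaces '>>': the file always holds exactly one
# password, which is what db-relation-joined's `cat` expects.
write_password() {
    file="$1"
    pass="$2"
    ( umask 077; : > "$file" ) || return 1
    chmod 600 "$file" || return 1
    printf '%s\n' "$pass" > "$file"
}

# check_password_file FILE
# Returns 0 when FILE exists, is not group- or world-readable (mode 0600 or
# 0400) and contains exactly one line; otherwise prints the reason and
# returns 1.  `stat -c` is GNU coreutils; `stat -f` is the BSD fallback.
check_password_file() {
    file="$1"
    [ -f "$file" ] || { echo "missing: $file"; return 1; }
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%OLp' "$file")
    case "$mode" in
        600|400) ;;
        *) echo "bad mode $mode on $file (readable by others)"; return 1 ;;
    esac
    lines=$(wc -l < "$file" | tr -d ' ')
    [ "$lines" -eq 1 ] || { echo "expected one password line, found $lines"; return 1; }
    return 0
}

# Demonstration with a constructed password.  The hook is written twice to
# show that a re-run does not accumulate lines the way '>>' did.
write_password "$PASSWD_FILE" "example-generated-password"
write_password "$PASSWD_FILE" "example-generated-password"
check_password_file "$PASSWD_FILE" && echo "ok: $PASSWD_FILE is owner-only and holds one line"
```

The check is deliberately mode-based rather than trying to read the file as another user, so it gives the same answer whether the hook runs as root (as charm hooks do) or as an unprivileged test user.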

Mark Mims (mark-mims) on 2012-08-22
Changed in mysql (Charms Precise):
status: New → Fix Released
Mark Mims (mark-mims) wrote :

Also submitting a patch for the juju example charms in trunk.

Changed in mysql (Charms Oneiric):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package juju - 0.5+bzr531-0ubuntu1.3

juju (0.5+bzr531-0ubuntu1.3) precise-security; urgency=low

  * SECURITY UPDATE: d/p/upstream-543.patch: Disable password authentication
    on LXC containers created in the local provider. (LP: #1016428)
  * SECURITY UPDATE: d/p/upstream-564.patch: Fix example mysql charm to
    not expose root mysql password to all users. (LP: #1040165)
  * SECURITY UPDATE: d/p/upstream-565.patch: Verify charm store hostname
    matches hostname on SSL certificate. (LP: #992447)
 -- Clint Byrum <email address hidden> Thu, 23 Aug 2012 17:12:26 -0700

Changed in juju (Ubuntu):
status: New → Fix Released
Changed in juju:
status: New → Fix Committed
visibility: private → public
Changed in juju:
milestone: none → 0.6
importance: Undecided → Critical
importance: Critical → Medium
Changed in juju:
status: Fix Committed → Fix Released