'mysql' charm exposes mysql-root password
Bug #1040165 reported by Kurt Huwig
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
pyjuju | Fix Released | Medium | Unassigned |
0.5 | Fix Released | Medium | Unassigned |
juju (Ubuntu) | Fix Released | Undecided | Unassigned |
mysql (Juju Charms Collection) | Status tracked in Precise | | |
Oneiric | Fix Released | Undecided | Unassigned |
Precise | Fix Released | Undecided | Unassigned |
Bug Description
The 'mysql' charm exposes the mysql-root password within its install hook:
/usr/share/
echo $PASSWORD >> /var/lib/
which is readable for others:
drwxr-xr-x 5 root root 4096 Aug 22 11:41 /var/lib/juju/
-rw-r--r-- 1 root root 37 Aug 22 11:41 /var/lib/
This allows any local user to gain root access to MySQL:
$ mysql -u root mysql
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)
$ mysql -u root -p$(cat /var/lib/
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Related branches
lp:~mark-mims/pyjuju/update-mysql-example-charm
- Clint Byrum (community): Approve
- Diff: 19 lines (+8/-1), 1 file modified: examples/precise/mysql/hooks/install (+8/-1)
affects: juju (Ubuntu) → charms
affects: charms → mysql (Juju Charms Collection)
Changed in mysql (Charms Precise):
status: New → Fix Released
Changed in juju:
status: New → Fix Committed
visibility: private → public
Changed in juju:
milestone: none → 0.6
importance: Undecided → Critical
importance: Critical → Medium
Changed in juju:
status: Fix Committed → Fix Released
The append to the file does also look wrong, as it is used like this in db-relation-joined:
# Get the mysql password that was generated by the install hook
password=`cat /var/lib/juju/mysql.passwd`
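
The exposure described in the bug report (a hook writing a secret under the default umask) and the comment's point about appending, shown next to a hardened write and a permission check. This is an added example, not code from the charm or from the fix branch: the helper names `write_secret_weak`, `write_secret` and `secret_is_private` are hypothetical, and the passwords and temporary paths are constructed.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not taken from the charm or its fix.

# Pattern from the report: append under a 022 umask. The file ends up 0644
# (readable by every local user) and a hook re-run stacks a second line.
write_secret_weak() {  # $1 = secret, $2 = path
    ( umask 022; echo "$1" >> "$2" )
}

# Hardened write: the temp file is 0600 from creation, so there is no window
# in which it is readable, and the rename replaces the old content atomically.
write_secret() {  # $1 = secret, $2 = path
    dir=$(dirname "$2")
    tmp=$(umask 077; mktemp "$dir/.secret.XXXXXX") || return 1
    printf '%s\n' "$1" > "$tmp" && chmod 600 "$tmp" && mv -f "$tmp" "$2"
}

# Check: succeeds only if group and others have no permission bits at all.
# Reads the same mode string that `ls -l` shows in the report (-rw-r--r--).
secret_is_private() {  # $1 = path
    [ -f "$1" ] || return 2
    mode=$(ls -ld -- "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Demo on constructed data in a throwaway directory.
demo() {
    d=$(mktemp -d) || return 1
    write_secret_weak 'constructed-pw-1' "$d/weak.passwd"
    write_secret_weak 'constructed-pw-2' "$d/weak.passwd"   # hook runs again
    write_secret 'constructed-pw-1' "$d/good.passwd"
    write_secret 'constructed-pw-2' "$d/good.passwd"        # hook runs again
    for f in "$d/weak.passwd" "$d/good.passwd"; do
        if secret_is_private "$f"; then s=private; else s=EXPOSED; fi
        echo "$(basename "$f"): $s, $(wc -l < "$f" | tr -d ' ') line(s)"
    done
    rm -rf "$d"
}
demo
```

`secret_is_private` can also be pointed at an existing password file on a deployed unit to confirm that only its owner can read it.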