root-enable gives access to create unnoticed root-like users
Bug #1472655 reported by Sushil Kumar
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack DBaaS (Trove) | In Progress | High | Petr Malik | |
Bug Description
A security hole exists where a user can create an alternate root user, using the following workflow:
1. Create an instance.
2. Enable root.
3. Create another user manually after logging into the database, and grant full access.
4. Delete the 'root'@'%' user.
5. Back up the instance.
6. Restore the backup to another instance; this new instance now has a root-access user without the knowledge of the deployer.
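An added example, not part of the original report and not Trove's own code: a check a deployer could run against a restored instance that flags accounts by their global privileges rather than by the name `root`, which is the gap the workflow above relies on. It assumes MySQL `SHOW GRANTS` output collected for each account; the sample lines, account names and allow-list below are constructed.

```python
import re

# Global privileges treated here as root-equivalent (an assumption of this example).
ROOT_LIKE = {"ALL PRIVILEGES", "SUPER", "CREATE USER", "GRANT OPTION", "FILE"}

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+"
    r"['`](?P<user>[^'`]*)['`]@['`](?P<host>[^'`]*)['`](?P<tail>.*)$",
    re.IGNORECASE,
)

def root_like_accounts(grant_lines, expected=frozenset()):
    """Return {account: sorted privileges} for accounts that hold root-like
    global (*.*) privileges and are not on the expected allow-list."""
    findings = {}
    for line in grant_lines:
        m = GRANT_RE.match(line.strip().rstrip(";"))
        if not m or m["scope"].replace("`", "") != "*.*":
            continue  # database- or table-level grants are not root-equivalent
        privs = {p.strip().upper() for p in m["privs"].split(",")}
        if "WITH GRANT OPTION" in m["tail"].upper():
            privs.add("GRANT OPTION")
        hits = privs & ROOT_LIKE
        account = f"{m['user']}@{m['host']}"
        if hits and account not in expected:
            findings.setdefault(account, set()).update(hits)
    return {account: sorted(p) for account, p in findings.items()}

# Constructed sample: a restored instance with no 'root'@'%' account, where a
# manually created user still carries full global privileges.
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'mgmt_admin'@'localhost' WITH GRANT OPTION",
    "GRANT ALL PRIVILEGES ON *.* TO 'backup_op'@'%' WITH GRANT OPTION",
    "GRANT SELECT, INSERT ON `appdb`.* TO 'app'@'%'",
    "GRANT USAGE ON *.* TO 'app'@'%'",
]
# Hypothetical allow-list of accounts the deployer expects to be privileged.
EXPECTED = frozenset({"mgmt_admin@localhost"})

if __name__ == "__main__":
    for account, privs in root_like_accounts(SAMPLE_GRANTS, EXPECTED).items():
        print(f"unexpected root-like account: {account} ({', '.join(privs)})")
```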
Changed in trove:
assignee: nobody → Sushil Kumar (sushil-kumar2)
Changed in trove:
importance: Undecided → Critical
Changed in trove:
status: New → In Progress
Changed in trove:
milestone: none → liberty-2
Changed in trove:
importance: Critical → High
Changed in trove:
milestone: liberty-2 → liberty-3
Changed in trove:
milestone: liberty-3 → ongoing
Changed in trove:
milestone: ongoing → newton-1
assignee: Sushil Kumar (sushil-kumar2) → nobody
Changed in trove:
assignee: nobody → Petr Malik (pmalik)
Changed in trove:
milestone: newton-1 → ongoing
I suggest you enter a BP for this