>Description:
User able to (accidentally!!) change/reset their own password despite not having *any* 
access to the mysql database

>How-To-Repeat
        There's the trick. We can't reproduce but this happened twice. However the 
setup of our (very recent) mysql installation is so simple that it's very clear this 
did in fact happen. 

I installed mysql, ran it using the default (no arg) safe_mysqld script, and
immediately set the root password (for the machine name and for localhost),
and then added a single user "paul", again setting his password for both
machine name and localhost. I gave him SELECT, INSERT, DELETE, CREATE, DROP,
ALTER, UPDATE privs for a single database, also named "paul" (could this be
related to the bug?), and double-checked that he had no permissions for the
mysql database (all columns set to "N" in user; 2 entries in db specifying
access to Db "paul").

The user set up some PHP (4) scripts to work with his database, and I didn't
do anything further to mysql until a week later he emailed me complaining that
he was suddenly getting permission denied errors from his scripts, and from
his own installation of phpMyAdmin (which I had previously verified was
working fine). I checked in mysql database and saw that the password for
paul@localhost had been removed. Since his scripts were still using the 
password, he was being refused. This made me somewhat uneasy, but I 
reasoned that perhaps I had erroneously set him up with no password for
localhost, but only for the machine name, and that DNS or identd was 
(for no good reason) suddenly resolving his connection host differently. I
reset his password.

A few days later he emailed me again -- same problem. I looked in mysql and
saw that *both* his passwords (identical) had been replaced with the cleartext
versions instead of the encrypted. At this point I figured he was hacking the
system himself, as why would anyone else accidentally set his passwords to
the cleartext version? Yet from talking with him (and given the fact that he
keeps reporting the problem to me as soon as it occurs) I don't think he knows
what is going on.

Unfortunately I hadn't run the server with logging enabled (I had mistakenly
thought this would be a default) so my ability to troubleshoot was hindered.
I did see on both occasions that the filesystem modification times for the 
USER.xxx files for the mysql database were shortly before the user reported 
the problem. To further add to my confusion, the database he had set up 
(again having the same name as his username) contained tables named "users",
and "authdb". He was storing his own passwords for his users and doing MD5
encryption with PHP functions. 

So he has since renamed his tables thinking superstitiously that maybe MySQL
was getting confused at some statement (I am increasingly inclined to believe
him) and I've enabled logging and reset the root password. He remains 
the *only* non-root user and I am the *only* one with the root password. The
problem so far has not recurred (it last happened last Thursday).


>Fix:
        ???

>Submitter-Id:  <submitter ID>
>Originator: Jason Boyd 
>Organization: Boston University
 
>MySQL support: none
>Synopsis:      User changing his password without permission
>Severity:      serious
>Priority:      low
>Category:      mysql
>Class:         sw-bug
>Release:       mysql-3.23.37 (Official MySQL binary)

>Environment:
        Intel PIII, BU Linux (a RedHat 6.2-derived installation)
System: Linux louis-xiv.bu.edu 2.2.16-3smp #1 SMP Mon Jun 19 19:00:35 EDT 2000 i686 unknown
Architecture: i686

Some paths:  /usr/bin/perl /usr/bin/make /usr/bin/gmake /usr/bin/gcc /usr/bin/cc
GCC: Reading specs from /usr/lib/gcc-lib/i386-redhat-linux/egcs-2.91.66/specs
gcc version egcs-2.91.66 19990314/Linux (egcs-1.1.2 release)
Compilation info: CC='gcc'  CFLAGS='-O3 -mpentium '  CXX='gcc'  CXXFLAGS='-O3 -mpentium  -felide-constructors'  LDFLAGS='-static'
LIBC: 
lrwxrwxrwx    1 root     root           13 Mar  1 09:56 /lib/libc.so.6 -> libc-2.1.3.so
-rwxr-xr-x    1 root     root      4101804 Jan 18 11:05 /lib/libc-2.1.3.so
-rw-r--r--    1 root     root     20276140 Jan 18 11:05 /usr/lib/libc.a
-rw-r--r--    1 root     root          178 Jan 18 11:05 /usr/lib/libc.so
lrwxrwxrwx    1 root     root           10 Mar  1 10:05 /usr/lib/libc-client.a -> c-client.a
Configure command: ./configure  --prefix=/usr/local/mysql '--with-comment=Official MySQL binary' --with-extra-charsets=complex --enable-assembler --with-mysqld-ldflags=-all-static --with-client-ldflags=-all-static --disable-shared
Perl: This is perl, version 5.005_03 built for i386-linux
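
An added example, not part of the original report or of MySQL: one way to automate the two checks the report describes, namely whether any Password value in the user table is empty or not hash-shaped, and which accounts can modify the mysql database through user-table or db-table rows. It goes beyond the 3.23 case by also accepting the 41-character hash format of MySQL 4.1 and later; the row dictionaries, the host db.example.test and all password values are constructed.

```python
import re

# MySQL 3.23 PASSWORD() stores 16 hex digits; 4.1+ stores '*' plus 40 hex digits.
HASH = re.compile(r"^(?:[0-9a-f]{16}|\*[0-9A-F]{40})$")
WRITE_PRIVS = ("Insert_priv", "Update_priv", "Delete_priv")

def classify_password(value):
    """Label one mysql.user Password value."""
    if value == "":
        return "empty"
    # Limitation: a cleartext value that is itself 16 hex digits looks hashed.
    return "hashed" if HASH.match(value) else "not-a-hash"

def like_matches(pattern, name):
    """Match name against a grant-table pattern ('%' and '_' wildcards, '\\' escape)."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            i += 1
            out.append(re.escape(pattern[i]))
        elif c in "%_":
            out.append(".*" if c == "%" else ".")
        else:
            out.append(re.escape(c))
        i += 1
    # Case-insensitive on purpose: an audit should over-report, not miss.
    return re.fullmatch("".join(out), name, re.I | re.S) is not None

def audit(user_rows, db_rows, grant_db="mysql"):
    """Return (suspicious password rows, accounts able to modify grant_db)."""
    bad_pw = [(r["Host"], r["User"], classify_password(r["Password"]))
              for r in user_rows if classify_password(r["Password"]) != "hashed"]
    can_write = lambda r: any(r.get(p) == "Y" for p in WRITE_PRIVS)
    # user-table privileges are global; db.Db is a pattern, so '%' covers grant_db.
    writers = {(r["Host"], r["User"]) for r in user_rows if can_write(r)}
    writers |= {(r["Host"], r["User"]) for r in db_rows
                if can_write(r) and like_matches(r["Db"], grant_db)}
    return bad_pw, sorted(writers)

# Constructed rows modelled on the report: root plus "paul" on two hosts.
USER_ROWS = [
    {"Host": "localhost", "User": "root", "Password": "0123456789abcdef", "Update_priv": "Y"},
    {"Host": "localhost", "User": "paul", "Password": "", "Update_priv": "N"},
    {"Host": "db.example.test", "User": "paul", "Password": "s3cret", "Update_priv": "N"},
]
DB_ROWS = [{"Host": h, "Db": "paul", "User": "paul", "Update_priv": "Y",
            "Insert_priv": "Y", "Delete_priv": "Y"} for h in ("localhost", "db.example.test")]

if __name__ == "__main__":
    print(audit(USER_ROWS, DB_ROWS))
```

With the constructed rows, only root is reported as able to modify the mysql database, while both paul rows are flagged for their Password values.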

