Bug#306877: mysql-server: debian-sys-maint shouldn't have ALL PRIVILEGES

2005-04-29 Thread Christian Hammers
severity 306877 wishlist
retitle 306877 README.Debian: clarify use of debian-sys-maint
thanks

Hello

On 2005-04-28 The Anarcat wrote:
> The debian-sys-maint user is set up in the postinst to have mostly ALL
> PRIVILEGES, WITH GRANT, even. As I understand it (and as the
> README.Debian documents), the debian-sys-maint user is mainly used to
> stop the server as they would require knowledge of the mysql root user's
> password else.
That was correct in the past where this user really only had the RELOAD
and SHUTDOWN privileges but nowadays it also serves as a more general user
for e.g. packages that ask the user if they may create a database during
installation and the script that runs when starting the mysql server and
does a CHECK TABLES which also requires additional privileges.

> If we give all privileges, with grant, to the debian-sys-maint, why have
> such a user at all? Why not simply put the root password there, as there
> is not a big difference between the two users anyways?
But it's very likely that the admin of the machine will change the root
password and keep the new one secret to himself!

So thanks at least for reporting something that looked like a security
problem but as the user really requires those privileges I downgrade it
to wishlist to remind me to update the description in README.Debian.

bye,

-christian-


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Bug#306877: mysql-server: debian-sys-maint shouldn't have ALL PRIVILEGES

2005-04-29 Thread Christian Hammers
Hello

On 2005-04-29 sean finney wrote:
> On Fri, Apr 29, 2005 at 09:36:00AM +0200, Christian Hammers wrote:
> > That was correct in the past where this user really only had the RELOAD
> > and SHUTDOWN privileges but nowadays it also serves as a more general user
> > for e.g. packages that ask the user if they may create a database during
> > installation and the script that runs when starting the mysql server and
> > does a CHECK TABLES which also requires additional privileges.
>
> i think after sarge is out we should revisit this and see about stripping
> away those extra privileges.  hopefully by then my dbconfig-common
> project will be catching on and everyone using the debian-sys-maint
> account for package installation can be pointed at something easier.

Using an abstraction layer instead of directly communicating with the
mysql admin tools might be a good idea - but, uhm, how does your
dbconfig-common package access mysql if not via something like the full
privileged debian-sys-maint account?

bye,

-christian-




Bug#306877: mysql-server: debian-sys-maint shouldn't have ALL PRIVILEGES

2005-04-29 Thread sean finney
On Fri, Apr 29, 2005 at 02:19:34PM +0200, Christian Hammers wrote:
> Using an abstraction layer instead of directly communicating with the
> mysql admin tools might be a good idea - but, uhm, how does your
> dbconfig-common package access mysql if not via something like the full
> privileged debian-sys-maint account?

it asks the admin for the password :)

if you'd like a more detailed description of how it works, you should
check out the dbconfig-common page[1].


sean

[1] http://people.debian.org/~seanius/policy/dbconfig-common.html



Bug#306877: mysql-server: debian-sys-maint shouldn't have ALL PRIVILEGES

2005-04-28 Thread The Anarcat
Package: mysql-server
Version: 4.0.24-5
Severity: grave
Tags: security
Justification: user security hole


The debian-sys-maint user is set up in the postinst to have mostly ALL
PRIVILEGES, WITH GRANT, even. As I understand it (and as the
README.Debian documents), the debian-sys-maint user is mainly used to
stop the server as they would require knowledge of the mysql root user's
password else.

If we give all privileges, with grant, to the debian-sys-maint, why have
such a user at all? Why not simply put the root password there, as there
is not a big difference between the two users anyways?

If I'm missing something, then it should be documented more clearly in
the README.Debian. :)

I've done some tests here and for the init.d script, all that is
required is RELOAD and SHUTDOWN. Some other privileges might be
necessary in other environments, namely replication, but I couldn't test
this here by lack of resources.

This isn't such a grave security concern, but should be considered as a
security problem anyways, because we do not leave only the necessary
but allow extra privileges the user doesn't need.

Thank you for your hard work on this excellent package.

A.
-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-k7
Locale: LANG=fr_CA, LC_CTYPE=fr_CA (charmap=ISO-8859-1)

Versions of packages mysql-server depends on:
ii  adduser           3.63                        Add and remove users and groups
ii  debconf           1.4.39                      Debian configuration management sy
ii  gawk              1:3.1.4-2                   GNU awk, a pattern scanning and pr
ii  libc6             2.3.2.ds1-20                GNU C Library: Shared libraries an
ii  libdbi-perl       1.46-6                      Perl5 database interface by Tim Bu
ii  libgcc1           1:3.4.3-12                  GCC support library
ii  libmysqlclient12  4.0.24-5                    mysql database client library
ii  libstdc++5        1:3.3.5-12                  The GNU Standard C++ Library v3
ii  libwrap0          7.6.dbs-8                   Wietse Venema's TCP wrappers libra
ii  mailx             1:8.1.2-0.20040524cvs-4     A simple mail user agent
ii  mysql-client      4.0.24-5                    mysql database client binaries
ii  mysql-common      4.0.24-5                    mysql database common files (e.g.
ii  passwd            1:4.0.3-31sarge1            change and administer password and
ii  perl              5.8.4-8                     Larry Wall's Practical Extraction
ii  psmisc            21.5-1                      Utilities that use the proc filesy
ii  zlib1g            1:1.2.2-3                   compression library - runtime

-- debconf information:
  mysql-server/skip_networking: false
  mysql-server/really_downgrade_from_41: false
  mysql-server/want_chroot: false
* mysql-server/start_on_boot: true
  mysql-server/postrm_remove_databases: false
* mysql-server/mysql_install_db_notes:
  mysql-server/nis_warning:
  mysql-server/mysql_update_hints1:
* mysql-server/postrm_remove_database: false
  mysql-server/fix_privileges_warning:
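
Added example, not part of the original bug report or of the Debian package: a Python check that parses SHOW GRANTS output for the maintenance account and lists every privilege beyond the RELOAD and SHUTDOWN that the report found sufficient for the init.d script. The function names, the sample grant lines and the <hash> placeholder are constructed for illustration.

```python
import re

# Privileges the bug report says the init.d script needs; extend for other duties.
REQUIRED = {"RELOAD", "SHUTDOWN"}

# One line of SHOW GRANTS output: privilege list, scope, grantee, trailing options.
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+"
    r"'(?P<user>[^']*)'@'(?P<host>[^']*)'(?P<rest>.*)$", re.IGNORECASE)

def parse_grant(line):
    """Return (user, scope, privilege set, has GRANT OPTION), or None if not a GRANT."""
    m = GRANT_RE.match(line.strip().rstrip(";"))
    if m is None:
        return None
    # Drop column lists such as "SELECT (Host, User)" before splitting on commas.
    privs = re.sub(r"\s*\([^)]*\)", "", m.group("privs"))
    names = {p.strip().upper() for p in privs.split(",")}
    grant_opt = re.search(r"\bGRANT\s+OPTION\b", m.group("rest"), re.I) is not None
    return m.group("user"), m.group("scope"), names, grant_opt

def audit(lines, account, allowed=REQUIRED):
    """List (scope, privilege) pairs held by `account` beyond the allowed set."""
    findings = []
    for line in lines:
        parsed = parse_grant(line)
        if parsed is None or parsed[0] != account:
            continue
        _, scope, names, grant_opt = parsed
        if names & {"ALL", "ALL PRIVILEGES"}:
            findings.append((scope, "ALL PRIVILEGES"))
        else:
            # USAGE means "no privileges", so it is never an excess.
            findings.extend((scope, p) for p in sorted(names - allowed - {"USAGE"}))
        if grant_opt:
            findings.append((scope, "GRANT OPTION"))
    return findings

# Constructed SHOW GRANTS lines for illustration; <hash> is a placeholder.
AS_REPORTED = ["GRANT ALL PRIVILEGES ON *.* TO 'debian-sys-maint'@'localhost' "
               "IDENTIFIED BY PASSWORD '<hash>' WITH GRANT OPTION"]
REDUCED = ["GRANT RELOAD, SHUTDOWN ON *.* TO 'debian-sys-maint'@'localhost' "
           "IDENTIFIED BY PASSWORD '<hash>'"]
TABLE_LEVEL = ["GRANT SELECT (Host, User), UPDATE ON `mysql`.`user` "
               "TO 'debian-sys-maint'@'localhost'"]

if __name__ == "__main__":
    for name, lines in [("as reported", AS_REPORTED), ("reduced", REDUCED),
                        ("table level", TABLE_LEVEL)]:
        print(name, audit(lines, "debian-sys-maint"))
```

Pass a larger allowed set when the account also has to run the table checks or the package database creation mentioned in the replies.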

