Juju Charms Collection
mysql package

'mysql' charm exposes mysql-root password

Bug #1040165 reported by Kurt Huwig
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
pyjuju
Fix Released
Medium
Unassigned
pyjuju 0.6 "honolulu"
0.5
Fix Released
Medium
Unassigned
pyjuju 0.5.2
juju (Ubuntu)
Fix Released
Undecided
Unassigned
mysql (Juju Charms Collection)
Status tracked in Precise
Oneiric
Fix Released
Undecided
Unassigned
Precise
Fix Released
Undecided
Unassigned

Bug Description

The 'mysql' charm exposes the mysql-root password within its install hook:

/usr/share/doc/juju/examples/precise/mysql/hooks/install:

echo $PASSWORD >> /var/lib/juju/mysql.passwd

which is readable for others:

drwxr-xr-x 5 root root 4096 Aug 22 11:41 /var/lib/juju/
-rw-r--r-- 1 root root 37 Aug 22 11:41 /var/lib/juju/mysql.passwd

This allows any local user to gain root access to MySQL:

$ mysql -u root mysql
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)

$ mysql -u root -p$(cat /var/lib/juju/mysql.passwd) mysql
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Related branches

lp:~mark-mims/pyjuju/update-mysql-example-charm
Clint Byrum (community): Approve
Diff: 19 lines (+8/-1)
1 file modified
examples/precise/mysql/hooks/install (+8/-1)
lp:ubuntu/precise-security/juju
lp:pyjuju/0.5
Jamie Strandboge (jdstrand)
affects: juju (Ubuntu) → charms
Clint Byrum (clint-fewbar)
affects: charms → mysql (Juju Charms Collection)
Revision history for this message
Kurt Huwig (k-huwig-f) wrote :

The append to the file does also look wrong, as it is used like this in db-relation-joined:

# Get the mysql password that was generated by the install hook
password=`cat /var/lib/juju/mysql.passwd`

Mark Mims (mark-mims)
Changed in mysql (Charms Precise):
status: New → Fix Released
Revision history for this message
Mark Mims (mark-mims) wrote :

Thanks Kurt!

http://jujucharms.com/security-notices/jcsn/jcsn-001

Revision history for this message
Mark Mims (mark-mims) wrote :

also submitting a patch for the juju example charms in trunk

Changed in mysql (Charms Oneiric):
status: New → Fix Released
Revision history for this message
Mark Mims (mark-mims) wrote :

https://code.launchpad.net/~mark-mims/juju/update-mysql-example-charm/+merge/120884

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package juju - 0.5+bzr531-0ubuntu1.3

---------------
juju (0.5+bzr531-0ubuntu1.3) precise-security; urgency=low

  * SECURITY UPDATE: d/p/upstream-543.patch: Disable password authentication
    on LXC containers created in the local provider. (LP: #1016428)
  * SECURITY UPDATE: d/p/upstream-564.patch: Fix example mysql charm to
    not expose root mysql password to all users. (LP: #1040165)
  * SECURITY UPDATE: d/p/upstream-565.patch: Verify charm store hostname
    matches hostname on SSL certificate. (LP: #992447)
 -- Clint Byrum <email address hidden> Thu, 23 Aug 2012 17:12:26 -0700

Changed in juju (Ubuntu):
status: New → Fix Released
Clint Byrum (clint-fewbar)
Changed in juju:
status: New → Fix Committed
visibility: private → public
Clint Byrum (clint-fewbar)
Changed in juju:
milestone: none → 0.6
importance: Undecided → Critical
importance: Critical → Medium
Clint Byrum (clint-fewbar)
Changed in juju:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.