[debian-mysql] Bug#513262: mysql-server-5.0: Leaves password in debconf database
Yohann Lepage
yohannlepage at gmail.com
Tue Jan 27 18:09:49 UTC 2009
Package: mysql-server-5.0
Version: 5.0.51a-21
Severity: normal
If you look at /var/cache/debconf/passwords.dat, you'll find a copy of the password in there (just root_password_again). While the file is only readable by root, this is an unnecessary way to leak the password.
Best practice for password prompting with debconf is to call db_reset to clear the password out of the database as soon as possible after you use it.
This bug was probably introduced by the patch #471887.
For example:
debian:~# head -n 11 /var/cache/debconf/passwords.dat
Name: mysql-server/root_password
Template: mysql-server/root_password
Value:
Owners: mysql-server-5.0
Flags: seen

Name: mysql-server/root_password_again
Template: mysql-server/root_password_again
Value: bonjour
Owners: mysql-server-5.0
Flags: seen
debian:~# debconf-get-selections |head -n 6
# for internal use
passwd passwd/root-password-crypted password
# for internal use
passwd passwd/user-password-crypted password
# Confirmation du mot de passe du superutilisateur de MySQL :
mysql-server-5.0 mysql-server/root_password_again password bonjour
-- System Information:
Debian Release: 5.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.18-6-686 (SMP w/1 CPU core)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages mysql-server-5.0 depends on:
ii adduser 3.110 add and remove users and groups
ii debconf [debconf-2.0] 1.5.24 Debian configuration management sy
ii libc6 2.7-18 GNU C Library: Shared libraries
ii libdbi-perl 1.605-1 Perl5 database interface by Tim Bu
ii libgcc1 1:4.3.2-1.1 GCC support library
ii libmysqlclient15off 5.0.51a-21 MySQL database client library
ii libncurses5 5.7+20081213-1 shared libraries for terminal hand
ii libreadline5 5.2-3 GNU readline and history libraries
ii libstdc++6 4.3.2-1.1 The GNU Standard C++ Library v3
ii libwrap0 7.6.q-16 Wietse Venema's TCP wrappers libra
ii lsb-base 3.2-20 Linux Standard Base 3.2 init scrip
ii mysql-client-5.0 5.0.51a-21 MySQL database client binaries
ii mysql-common 5.0.51a-21 MySQL database common files
ii passwd 1:4.1.1-6 change and administer password and
ii perl 5.10.0-19 Larry Wall's Practical Extraction
ii psmisc 22.6-1 Utilities that use the proc filesy
ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime
Versions of packages mysql-server-5.0 recommends:
ii bsd-mailx [mailx] 8.1.2-0.20071201cvs-3 A simple mail user agent
ii libhtml-template-p 2.9-1 HTML::Template : A module for usin
ii mailx 1:20071201-3 Transitional package for mailx ren
Versions of packages mysql-server-5.0 suggests:
pn tinyca <none> (no description available)
-- debconf information:
* mysql-server/root_password_again: (password omitted)
* mysql-server/root_password: (password omitted)
mysql-server-5.0/really_downgrade: false
* mysql-server-5.0/need_sarge_compat: false
mysql-server-5.0/start_on_boot: true
mysql-server/error_setting_password:
mysql-server-5.0/nis_warning:
mysql-server-5.0/postrm_remove_databases: false
mysql-server-5.0/need_sarge_compat_done: true
* mysql-server/password_mismatch:
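An added check, not code from the report or from the mysql-server package: a POSIX shell function that parses the passwords.dat format shown in the report and lists every question whose Value: field was never cleared by db_reset. The sample file is constructed from the head -n 11 excerpt above, with the made-up password "bonjour" from that excerpt.

```shell
#!/bin/sh
# Added example, not code from the bug report or the mysql-server package.
# Audits a file in the format of /var/cache/debconf/passwords.dat and lists
# every record whose Value: field still holds a password. After a correct
# db_reset in the maintainer script the Value: line is empty, so any
# non-empty Value is the leak the report describes. Needs only sh and awk.

# Print "name (owners)" for each record whose Value: is non-empty.
leaked_passwords() {
    awk '
        /^Name: /   { name = substr($0, 7) }
        /^Owners: / { owners = substr($0, 9) }
        /^Value:/   { value = substr($0, 7); sub(/^[ \t]+/, "", value) }
        /^$/        { flush() }   # records are separated by blank lines
        END         { flush() }   # last record has no trailing blank line
        function flush() {
            if (name != "" && value != "")
                printf "%s (%s)\n", name, owners
            name = ""; owners = ""; value = ""
        }
    ' "$1"
}

# Number of leaked entries, usable as a monitoring check (0 means clean).
leak_count() {
    leaked_passwords "$1" | awk 'END { print NR }'
}

# Constructed sample modelled on the head -n 11 excerpt in the report.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
Name: mysql-server/root_password
Template: mysql-server/root_password
Value:
Owners: mysql-server-5.0
Flags: seen

Name: mysql-server/root_password_again
Template: mysql-server/root_password_again
Value: bonjour
Owners: mysql-server-5.0
Flags: seen
EOF

leaked_passwords "$SAMPLE"   # prints: mysql-server/root_password_again (mysql-server-5.0)
leak_count "$SAMPLE"         # prints: 1
# On a real system, run as root: leaked_passwords /var/cache/debconf/passwords.dat
```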