[debian-mysql] Bug#732306: mysql-5.5: installation creates database test and sets up insecure database permissions
Salvatore Bonaccorso
carnil at debian.org
Mon Dec 16 15:09:25 UTC 2013
Package: mysql-5.5
Version: 5.5.17-1
Severity: serious
Tags: security
[Opening this as serious, as stable will be fixed trough a
wheezy-security upload, and nees also be addressed for jessie]
Matthias Reichl reported the following issue with the mysql-5.5
package:
----cut---------cut---------cut---------cut---------cut---------cut-----
mysql-server-5.5 ships with the upstream mysql_install_db script
which creates a database "test" and sets up permissions that
allow anonymous access, without a password, from localhost to
the "test" database and any databases starting with "test_" that
users might have created after installing mysql-server.
mysql> select Host, User, Db from mysql.db;
+------+------+---------+
| Host | User | Db |
+------+------+---------+
| % | | test |
| % | | test\_% |
+------+------+---------+
MySQL documentation recommends dropping these permissions and
the "test" database.
http://dev.mysql.com/doc/refman/5.5/en/default-privileges.html ,
section "Securing Test Databases".
mysql-server-5.1 in squeeze didn't setup these permissions and
didn't create the test database, the debian patches
33_scripts__mysql_create_system_tables__no_test.dpatch and
41_scripts__mysql_install_db.sh__no_test.dpatch removed the code
from /usr/bin/mysql_install_db and /usr/share/mysql/mysql_system_tables.sql .
Please re-add these patches to mysql-server-5.5 and include some code
in the pre/postinst script to remove these permissions and the
"test" database on current installations.
----cut---------cut---------cut---------cut---------cut---------cut-----
Regards,
Salvatore
More information about the pkg-mysql-maint
mailing list