[debian-mysql] Bug#732306: Bug#732306: mysql-5.5: installation creates database test and sets up insecure database permissions

Rene Engelhard rene at debian.org
Mon Dec 16 15:35:11 UTC 2013


On Mon, Dec 16, 2013 at 04:09:25PM +0100, Salvatore Bonaccorso wrote:
[...]
> allow anonymous access, without a password, from localhost to
> the "test" database and any databases starting with "test_" that
> users might have created after installing mysql-server.
[..]
> MySQL documentation recommends dropping these permissions and
> the "test" database.
> http://dev.mysql.com/doc/refman/5.5/en/default-privileges.html ,
> section "Securing Test Databases".
> 
> mysql-server-5.1 in squeeze didn't set up these permissions and
> didn't create the test database, the Debian patches
> 33_scripts__mysql_create_system_tables__no_test.dpatch and
> 41_scripts__mysql_install_db.sh__no_test.dpatch removed the code
> from /usr/bin/mysql_install_db and /usr/share/mysql/mysql_system_tables.sql .
> 
> Please re-add these patches to mysql-server-5.5 and include some code
> in the pre/postinst script to remove these permissions and the
> "test" database on current installations.

I don't think we should do that.

What if people *do* have a real-world test db on some test system? A
DROP DATABASE would then simply be dataloss.
(Never underestimate "weird" paths/names (learned that myself the hard way
once).)

One could argue about the permission thing, but then again, if it's some
test-system with a test database....

Regards,

Rene
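
Added example, not part of the original message or of the Debian packaging: a read-only audit an administrator could run to see whether the anonymous "test" grants described in the bug report are present, and whether any "test" or "test_" database holds data that a DROP DATABASE would destroy. It assumes a MySQL 5.5 server and an account that can read the mysql.db grant table.

```sql
-- Added example: read-only checks, nothing is modified.

-- 1. Database-level grants held by the anonymous user (User = '').
--    Rows whose Db starts with "test" are the default entries the
--    bug report refers to.
SELECT Host, Db, User,
       Select_priv, Insert_priv, Update_priv, Delete_priv,
       Create_priv, Drop_priv
FROM   mysql.db
WHERE  User = ''
ORDER  BY Db, Host;

-- 2. Anonymous accounts themselves; the grants above only take effect
--    for connections that match one of these rows.
SELECT Host, User, Password = '' AS empty_password
FROM   mysql.user
WHERE  User = '';

-- 3. Contents of every schema named "test" or starting with "test_".
--    A non-zero table count means dropping the schema loses data.
--    LEFT() is used instead of LIKE so "_" is not treated as a wildcard.
SELECT s.SCHEMA_NAME                   AS schema_name,
       COUNT(t.TABLE_NAME)             AS table_count,
       COALESCE(SUM(t.DATA_LENGTH), 0) AS data_bytes
FROM   information_schema.SCHEMATA s
LEFT   JOIN information_schema.TABLES t
       ON t.TABLE_SCHEMA = s.SCHEMA_NAME
WHERE  s.SCHEMA_NAME = 'test'
   OR  LEFT(s.SCHEMA_NAME, 5) = 'test_'
GROUP  BY s.SCHEMA_NAME
ORDER  BY s.SCHEMA_NAME;
```

An empty result from the first query means the anonymous grants are already gone; a table_count of 0 in the third means the schema is empty.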


