[debian-mysql] Bug#732306: Bug#732306: mysql-5.5: installation creates database test and sets up insecure database permissions

Salvatore Bonaccorso carnil at debian.org
Mon Dec 16 15:42:20 UTC 2013


Hi Rene,

On Mon, Dec 16, 2013 at 04:35:11PM +0100, Rene Engelhard wrote:
> On Mon, Dec 16, 2013 at 04:09:25PM +0100, Salvatore Bonaccorso wrote:
> [...]
> > allow anonymous access, without a password, from localhost to
> > the "test" database and any databases starting with "test_" that
> > users might have created after installing mysql-server.
> [..]
> > MySQL documentation recommends dropping these permissions and
> > the "test" database.
> > http://dev.mysql.com/doc/refman/5.5/en/default-privileges.html ,
> > section "Securing Test Databases".
> > 
> > mysql-server-5.1 in squeeze didn't set up these permissions and
> > didn't create the test database, the debian patches
> > 33_scripts__mysql_create_system_tables__no_test.dpatch and
> > 41_scripts__mysql_install_db.sh__no_test.dpatch removed the code
> > from /usr/bin/mysql_install_db and /usr/share/mysql/mysql_system_tables.sql .
> > 
> > Please re-add these patches to mysql-server-5.5 and include some code
> > in the pre/postinst script to remove these permissions and the
> > "test" database on current installations.
> 
> I don't think we should do that.
> 
> What if people *do* have a real-world test db on some test system? A
> DROP DATABASE would then simply be dataloss.
> (Never underestimate "weird" paths/names (learned that myself the hard way
> once))
> 
> One could argue about the permission thing, but then again, if it's some
> test-system with a test database....

Indeed, this will not be done, apologies for having that in the
bug report. In the advisory I will write:

> Existing databases and permissions are not touched. Please refer to
> the NEWS file provided with this update for further information.

So the update will not touch existing permissions and databases.

Regards,
Salvatore
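
Added example, not part of the original message or of the Debian packaging: since the update leaves existing permissions and databases alone, an administrator can audit them by hand with the statements below. It assumes the stock MySQL 5.5 grant tables (mysql.db, mysql.user) and a session with privileges on the mysql schema; the DROP is left commented out because of the data-loss concern raised in the thread.

```sql
-- 1. Database-level grants covering "test" and "test_%".
--    An empty User column is the anonymous account.
SELECT Host, Db, User, Select_priv, Insert_priv, Update_priv,
       Delete_priv, Create_priv, Drop_priv
FROM mysql.db
WHERE Db IN ('test', 'test\_%');

-- 2. Anonymous accounts that those grants apply to.
SELECT Host, User FROM mysql.user WHERE User = '';

-- 3. Schemas the grants would cover, with table counts, so that a
--    real-world "test" database is noticed before anything is removed.
SELECT s.SCHEMA_NAME, COUNT(t.TABLE_NAME) AS table_count
FROM information_schema.SCHEMATA AS s
LEFT JOIN information_schema.TABLES AS t
       ON t.TABLE_SCHEMA = s.SCHEMA_NAME
WHERE s.SCHEMA_NAME = 'test' OR s.SCHEMA_NAME LIKE 'test\_%'
GROUP BY s.SCHEMA_NAME;

-- 4. Remove only the anonymous default grants, then reload the grant tables.
DELETE FROM mysql.db
WHERE User = '' AND Db IN ('test', 'test\_%');
FLUSH PRIVILEGES;

-- 5. Only after step 3 confirms the schema holds nothing you need:
-- DROP DATABASE test;
```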