[debian-mysql] Bug#711600: Insecure creation of the credential file debian.cnf
vladz
vladz at devzero.fr
Sat Jun 8 10:26:35 UTC 2013
Package: mysql-server
Version: 5.5.31+dfsg-0+wheezy1
Tags: security
The file "/etc/mysql/debian.cnf", which contains plain text credentials
for the "debian-sys-maint" mysql user, is created in an insecure manner
during the package installation phase. This can allow a non-privileged
local user to disclose its content and use this special account to
perform administration tasks.
The file is created by the post-installation script:
$ vim -c "set nu" mysql-5.5-5.5.31+dfsg/debian/mysql-server-5.5.postinst
[...]
170 dc=$mysql_cfgdir/debian.cnf;
[...]
176 cat /dev/null > $dc
[...]
178 echo "[client]" >>$dc
179 echo "host = localhost" >>$dc
180 echo "user = debian-sys-maint" >>$dc
181 echo "password = $pass" >>$dc
[...]
191 chown 0:0 $dc
192 chmod 0600 $dc
There is a window (between lines 176 and 191) where the file
permissions are 644 (set by the default umask). During this window, a
user can open the file with the O_RDONLY flag and disclose its content
even after the chmod is executed at line 192 (yes, the user's file
descriptor won't be affected by this action).
Anyway, I suggest forcing the umask to 077 before this file is
created.
I have a trivial PoC if needed.
Thanks,
vladz.
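The window described in the report, reproduced as an added example. This is not code from the Debian package or from the reporter: it mirrors the postinst's write sequence on a scratch copy of debian.cnf under a temporary directory, shows the mode the truncating redirect creates under a 022 versus 077 umask, shows that a read-only descriptor opened during the window keeps working after the mode is tightened, and applies the suggested umask fix. The scratch path and the "demo-secret" password are made up for the demo.

```shell
#!/bin/sh
# Added example, not the mysql-server postinst itself. Everything runs in a
# throwaway directory; no real /etc/mysql/debian.cnf is touched.
set -eu

WORK="${TMPDIR:-/tmp}/debian-cnf-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Same order of operations as lines 176-192 of the postinst: truncate, append
# the credentials, and only then fix the permissions.
write_cnf_insecure() (
    dc="$1"; pass="$2"
    umask 022                        # a typical default umask while dpkg runs
    cat /dev/null > "$dc"            # file comes into existence as 0644
    echo "[client]" >> "$dc"
    echo "host = localhost" >> "$dc"
    echo "user = debian-sys-maint" >> "$dc"
    echo "password = $pass" >> "$dc"
    chmod 0600 "$dc"                 # too late: it was world-readable above
)

# The fix suggested in the report: restrict the umask before the file exists,
# so the truncating redirect itself creates it 0600.
write_cnf_secure() (
    dc="$1"; pass="$2"
    umask 077
    cat /dev/null > "$dc"            # 0600 from the very first syscall
    echo "[client]" >> "$dc"
    echo "host = localhost" >> "$dc"
    echo "user = debian-sys-maint" >> "$dc"
    echo "password = $pass" >> "$dc"
    chmod 0600 "$dc"                 # now only belt and braces
)

# Mode string of a file right after "cat /dev/null > file" under a given umask.
# ls is used instead of stat(1) because stat's flags differ between GNU and BSD.
mode_at_creation() (
    umask "$1"
    f="$WORK/probe.$1"
    rm -f "$f"
    cat /dev/null > "$f"
    ls -ld "$f" | cut -c1-10
)

# Why the late chmod does not help: a descriptor opened while the file was
# readable keeps its access after the mode bits are tightened.
fd_survives_chmod() {
    f="$WORK/held.cnf"
    write_cnf_insecure "$f" "demo-secret"   # ends up 0600, as in the postinst
    chmod 0644 "$f"                          # reopen the window for the demo
    exec 3< "$f"                             # "attacker" opens it read-only
    chmod 0000 "$f"                          # "victim" tightens the mode
    line=$(sed -n 's/^password = //p' <&3)   # still readable through fd 3
    exec 3<&-
    printf '%s\n' "$line"
}

# Final mode after the hardened writer, for comparison.
secure_final_mode() {
    write_cnf_secure "$WORK/secure.cnf" "demo-secret"
    ls -ld "$WORK/secure.cnf" | cut -c1-10
}

echo "umask 022 creates: $(mode_at_creation 022)"
echo "umask 077 creates: $(mode_at_creation 077)"
echo "read via held fd after chmod 0000: $(fd_survives_chmod)"
echo "hardened writer leaves: $(secure_final_mode)"
```

Run it as any user; the modes are decided by the umask, not by who runs it, and the held descriptor reads the password back regardless of privilege. The only change needed in the postinst is the `umask 077` before the `cat /dev/null > $dc` line; the trailing `chown`/`chmod` can stay.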