[Pkg-nagios-devel] Bug#311695: Rather difficult to reproduce
Andres Salomon
Andres Salomon <dilinger@debian.org>, 311695@bugs.debian.org
Fri, 03 Jun 2005 09:48:35 -0400
On Thu, 2005-06-02 at 22:29 -0700, Steve Langasek wrote:
> severity 311695 important
> tags 311695 =
> thanks
>
> On Thu, Jun 02, 2005 at 09:25:03PM -0700, Don Armstrong wrote:
>
> > On Fri, 03 Jun 2005, Andres Salomon wrote:
> > > Nope; nagios's resource.cfg was totally unconfigured. What I suspect
> > > (I can tell you for sure tomorrow, when I'm at work) is that one of
> > > the default mysql users (the '' user) was not removed; so, nagios
> > > could connect with user '', and no password. Just doing a fresh
> > > mysql-server install and a nagios-mysql install gets me:
>
> > > Jun 2 23:56:10 spiral nagios: Error: Could not lock status data tables
> > > in database ''
> > > Jun 2 23:56:40 spiral last message repeated 2 times
> > > Jun 2 23:57:40 spiral last message repeated 4 times
>
> > > Same type of error, though not nearly as frequently.
>
> > You couldn't get this unless you allow a blank user to connect to
> > mysql, which isn't the default configuration of mysql-server.
>
> > > Only if you've modified the mysql.user table to not accept a blank user.
>
> > By default, the only users are 'root' and 'debian-sys-maint'.
>
> Based on this, I believe the bug should be downgraded to 'important'; it's
> clearly not a security bug, and it's quite a stretch to suggest that this
> bug breaks the whole system or renders the package unusable or mostly so.
Rather, I meant the root user w/ no password (it was late last night).
With a completely unconfigured mysql-server and completely unconfigured
nagios-mysql, the above was what I was getting.
I still think it's RC, however.
Since there's a fix for this, I'm not going to try to reproduce it on
the actual machine (which is running our BTS and a few other web
services that I'd rather not break).