
MDEV-28823 Secure mariadb-secure-installation output file with chmod

Open akshatnehra opened this issue 6 months ago • 6 comments

Description

This commit addresses a security issue in the mariadb-secure-installation script where the temporary output file containing SQL commands and potentially password hashes was being created with default permissions (typically world-readable).

The fix involves modifying the prepare() function to:

  1. Create the $output file explicitly using touch before it's used
  2. Apply umask 0077 to restrict access to owner only before file creation

All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.

How can this PR be tested?

  1. Run the original mariadb-secure-installation script and observe file permissions:

    ./mariadb-server/scripts/mysql_secure_installation.sh --socket=/tmp/mysql.sock --basedir=/quick-rebuilds/build
    # In another terminal
    ls -la .my* | grep -v .mysql_history
    

    The .my.output.* file will have -rw-r--r-- permissions

  2. With the patched version:

    ./mariadb-server/scripts/mysql_secure_installation.sh --socket=/tmp/mysql.sock --basedir=/quick-rebuilds/build
    # In another terminal 
    ls -la .my* | grep -v .mysql_history
    

    The .my.output.* file will have -rw------- permissions

Results from my testing

  1. Before changes

    root@03b5517f4303:/quick-rebuilds# ls -la .my* | grep -v .mysql_history
    -rw------- 1 root root  70 Apr 22 16:55 .my.cnf.15643
    -rw-r--r-- 1 root root 130 Apr 22 16:55 .my.output.15643
    -rw------- 1 root root  32 Apr 22 16:55 .mysql.15643
    
  2. After changes

    root@03b5517f4303:/quick-rebuilds# ls -la .my* | grep -v .mysql_history
    -rw------- 1 root root  70 Apr 22 17:04 .my.cnf.16290
    -rw------- 1 root root 130 Apr 22 17:04 .my.output.16290
    -rw------- 1 root root  32 Apr 22 17:04 .mysql.16290
    

Basing the PR against the correct MariaDB version

  • [x] This is a security fix and the PR is based against `10.6` branch.

PR quality check

  • [x] I have checked the CODING_STANDARDS.md file and my PR conforms to this where appropriate.
  • [x] For any trivial modifications to the PR, I am ok with the reviewer making the changes themselves.

akshatnehra, Apr 25 '25 17:04
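The permission behaviour this PR describes, as an added example that is not part of the PR or of the MariaDB script. It also covers one edge case: umask only applies when a file is created, so a file that already exists with loose permissions stays that way until chmod is applied. The file names, the scratch directory and the 022 "default" umask are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example with constructed file names; not code from mariadb-secure-installation.

# Print the 10-character mode string of a file, e.g. "-rw-------".
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Create a file under a typical default umask (022 is assumed here).
create_default() {
    ( umask 022; touch "$1" )
}

# Create a file as the PR describes: umask 0077 first, then touch.
# The subshell keeps the umask change from leaking into the caller.
create_restricted() {
    ( umask 0077; touch "$1" )
}

# Run the cases in a scratch directory and print each resulting mode.
demo() {
    dir=$(mktemp -d) || return 1

    create_default    "$dir/.my.output.default"
    create_restricted "$dir/.my.output.restricted"

    # Edge case: the file already exists with loose permissions,
    # so touch under umask 0077 does not tighten it.
    create_default    "$dir/.my.output.stale"
    create_restricted "$dir/.my.output.stale"
    stale_before=$(mode_of "$dir/.my.output.stale")
    chmod 600 "$dir/.my.output.stale"
    stale_after=$(mode_of "$dir/.my.output.stale")

    echo "default umask:        $(mode_of "$dir/.my.output.default")"
    echo "umask 0077 + touch:   $(mode_of "$dir/.my.output.restricted")"
    echo "pre-existing file:    $stale_before"
    echo "pre-existing + chmod: $stale_after"

    rm -rf "$dir"
}

demo
```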