Wednesday, April 25, 2007

MySQL security in Debian

Currently there is a problem with the MySQL default install in Debian/Etch (and probably other distributions too): it sets up "root" with full DBA access and no password by default. The following mysql command lists all MySQL accounts with the Grant_priv privilege (one of the capabilities that gives wide-ranging access to the database server) together with their hashed passwords (as a matter of procedure I truncated the hash for my debian-sys-maint account). As you can see, the "root" and "debian-sys-maint" accounts both have such access. The debian-sys-maint account is used by the Debian package management tools, and its password is stored in the /etc/mysql/debian.cnf file.

$ echo "select Host,User,Password from user where Grant_priv='y'" | mysql -u root mysql
Host       User              Password
localhost  root
aeon       root
localhost  debian-sys-maint  *882F90515FCEE65506CBFCD7
It seems likely that most people who have installed MySQL won't realise this problem and will continue to run their machine in that manner; this is a serious issue for multi-user machines. There is currently Debian bug #418672 about this issue. In my tests it affects Etch machines as well as machines running Unstable.
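As an added example (not part of the original post), here is a small Python script that parses the batch (mysql -B) form of the query above, lists the grant-capable accounts that still have no password, and prints the SET PASSWORD statements that would close the gap. The sample output, the padded debian-sys-maint hash and the "webapp" account are constructed for illustration.

```python
"""Audit grant-capable MySQL accounts for empty passwords.

Added example, not from the original post. It parses the tab-separated
batch output of a query like the one above, run as
  mysql -B -u root mysql -e "SELECT Host,User,Password,Grant_priv FROM user"
and reports the accounts that can GRANT privileges but have no password.
"""
import sys

# Constructed sample of `mysql -B` output mirroring the default Debian/Etch
# install described in the post. The debian-sys-maint hash is padded with X's
# and the 'webapp' account is invented to show a non-privileged row.
SAMPLE_OUTPUT = (
    "Host\tUser\tPassword\tGrant_priv\n"
    "localhost\troot\t\tY\n"
    "aeon\troot\t\tY\n"
    "localhost\tdebian-sys-maint\t*882F90515FCEE65506CBFCD7XXXXXXXXXXXXXXXX\tY\n"
    "localhost\twebapp\t*0123456789ABCDEF0123456789ABCDEF01234567\tN\n"
)


def parse_mysql_output(text):
    """Turn `mysql -B` output (header line + tab-separated rows) into dicts."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split("\t")
    return [dict(zip(header, line.split("\t"))) for line in lines[1:]]


def unprotected_accounts(rows):
    """Accounts that hold Grant_priv and have an empty Password column."""
    return [(row["Host"], row["User"]) for row in rows
            if row["Grant_priv"].upper() == "Y" and row["Password"] == ""]


def remediation_sql(accounts):
    """SET PASSWORD statements (MySQL 5.x syntax) with a placeholder secret."""
    return ["SET PASSWORD FOR '%s'@'%s' = PASSWORD('<choose-a-password>');"
            % (user, host) for host, user in accounts]


if __name__ == "__main__":
    # Pipe real output in with '-' as the argument; otherwise use the sample.
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_OUTPUT
    weak = unprotected_accounts(parse_mysql_output(text))
    if not weak:
        print("no grant-capable account without a password")
    for host, user in weak:
        print("%s@%s has Grant_priv and no password" % (user or "''", host))
    for statement in remediation_sql(weak):
        print(statement)
```

Run it as `mysql -B -u root mysql -e "SELECT Host,User,Password,Grant_priv FROM user" | python audit.py -` to check a real server; on the sample it reports both root accounts.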


Alex said...

I think that at least a portion of the risk in this case is mitigated by the fact that the default Debian install of MySQL disables network access to the database. While anyone logged in as root can immediately access the database from the local console, they would have to have access to the local machine in the first place. And really, that's the responsibility of the sysadmin for the system. The Debian package already provides all reasonable protections by ensuring that no remote user can connect to MySQL.

etbe said...

The root user which has no password is only a local user, so even when you enable network access it only applies to local connections.

But Linux IS a multi-user OS; local connections should not be trusted!