martin f krafft
2008-Jul-14 09:27 UTC
[Secure-testing-team] Bug#490777: binds to any with bind-address=127.0.0.1 if iface lo is not available
Package: mysql-server-5.0
Version: 5.0.32-7etch5
Severity: critical
Tags: security etch

I have mysqld configured to bind to 127.0.0.1 (which is the default it seems):

  sheep# grep '^bind' /etc/mysql/my.cnf
  bind-address= 127.0.0.1

and yet:

  sheep# netstat -natp | grep mysqld
  tcp 0 0 92.42.190.29:3306 0.0.0.0:* LISTEN 26443/mysqld

It turns out that this is because I cannot actually bring up the lo interface on a vserver:

  sheep# ifup lo
  SIOCSIFADDR: Permission denied
  SIOCSIFFLAGS: Permission denied
  SIOCSIFFLAGS: Permission denied
  Failed to bring up lo.

Arguably, this is a problem with the vserver, but mysqld should definitely not bind to any as a consequence. Instead, it should refuse to start.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.25-2-amd64 (SMP w/1 CPU core)
Locale: LANG=en_GB, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-- 
 .''`.   martin f. krafft <madduck at debian.org>
: :'  :  proud Debian developer, author, administrator, and user
`. `'`   http://people.debian.org/~madduck - http://debiansystem.info
  `-  Debian - when you have better things to do than fixing systems

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: Digital signature (see http://martin-krafft.net/gpg/)
Url : http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20080714/94dadf98/attachment.pgp
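A check for the mismatch reported above, as an added example (not part of the original message or of the mysql-server package): it compares the bind-address in a my.cnf-style file with the local address of every mysqld LISTEN socket in saved `netstat -natp` output. The function names, exit codes and sample data are assumptions made for this example.

```shell
#!/bin/sh
# Added example: detect a mysqld that listens on an address other than the
# configured bind-address. Function names and exit codes are hypothetical.

# configured_bind FILE: print the last bind-address value in a my.cnf-style file.
configured_bind() {
    awk -F= '/^[ \t]*bind-address[ \t]*=/ {
        gsub(/[ \t]/, "", $2); v = $2
    } END { if (v != "") print v }' "$1"
}

# check_bind CNF NETSTAT: NETSTAT holds saved `netstat -natp` output.
# Returns 0 if all mysqld listeners use the configured address,
#         1 on a mismatch, 2 if no bind-address is set, 3 if no listener is found.
check_bind() {
    want=$(configured_bind "$1")
    [ -n "$want" ] || { echo "no bind-address in $1" >&2; return 2; }
    awk -v want="$want" '
        $6 == "LISTEN" && $7 ~ /\/mysqld$/ {
            addr = $4
            sub(/:[0-9]+$/, "", addr)      # strip the trailing :port
            seen = 1
            if (addr != want) {
                print "MISMATCH: configured " want ", listening on " addr
                bad = 1
            }
        }
        END {
            if (!seen) { print "no mysqld listener found"; exit 3 }
            exit bad + 0
        }' "$2"
}

# Constructed sample input modelled on the report; 192.0.2.10 is a
# documentation address and 1234 a made-up PID.
sample_dir=$(mktemp -d)
printf '[mysqld]\nbind-address= 127.0.0.1\n' > "$sample_dir/my.cnf"
printf 'tcp 0 0 192.0.2.10:3306 0.0.0.0:* LISTEN 1234/mysqld\n' \
    > "$sample_dir/netstat.txt"
check_bind "$sample_dir/my.cnf" "$sample_dir/netstat.txt" \
    || echo "check_bind exit status: $?"
rm -rf "$sample_dir"
```

On a live host the second argument can be a file produced with `netstat -natp > file` run as root, so that the PID/program column is populated.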