Ansgar Burchardt
2009-Jan-05 15:12 UTC
[Secure-testing-team] Bug#510875: mysql-server-5.0: does not ask for a password for `root' by default
Package: mysql-server-5.0
Version: 5.0.32-7etch8
Severity: grave
Tags: security
Justification: user security hole

Hi,

The question asking for the administrative password has a priority of `medium'. Debconf's default is to ask only questions of at least priority `high' since 1.4.61 (and d-i apparently sets this value by default even longer).

This results in an empty root password by default. Every user who can connect from `localhost' then has full administrative privileges. The only thing he has to do is run `mysql -u root'.

The question for the password should at least have priority `high' (or even `critical'[1]).

Regards,
Ansgar

[1] Debconf's own configuration suggests this priority to newbies.
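
The priority mismatch described in the report above, as an added example that is not part of the original message or of the mysql-server-5.0 package: a shell check that lists password questions a package config script asks below a given debconf threshold. The sample script and its `example-db/...` template names are constructed for illustration.

```shell
#!/bin/sh
# Added example: find debconf password questions that would be silently
# skipped at a given priority threshold (debconf's default is "high").

# Map a debconf priority name to a rank; higher means more important.
prio_rank() {
    case "$1" in
        low)      echo 0 ;;
        medium)   echo 1 ;;
        high)     echo 2 ;;
        critical) echo 3 ;;
        *)        echo -1 ;;   # not a priority keyword
    esac
}

# skipped_password_questions THRESHOLD < config-script
# Prints "priority template" for each db_input call whose template name
# contains "password" and whose priority ranks below THRESHOLD.
skipped_password_questions() {
    threshold=$(prio_rank "$1")
    while read -r cmd prio template _rest; do
        [ "$cmd" = "db_input" ] || continue
        case "$template" in *password*) ;; *) continue ;; esac
        rank=$(prio_rank "$prio")
        if [ "$rank" -ge 0 ] && [ "$rank" -lt "$threshold" ]; then
            echo "$prio $template"
        fi
    done
}

# Constructed sample of a maintainer config script (hypothetical templates).
sample_config() {
    cat <<'EOF'
. /usr/share/debconf/confmodule
db_input medium example-db/root_password || true
db_input high example-db/start_on_boot || true
db_input critical example-db/admin_password || true
db_go || true
EOF
}

# With the default threshold, the medium-priority password prompt is never shown.
sample_config | skipped_password_questions high
```

A password question reported here is never displayed on a default installation, so the package has to handle the unanswered case explicitly or raise the question's priority.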