Bug#941134: bacula-director-mysql: Script grant_mysql_privileges always set password XXX_DBPASSWORD_XXX


Hostinet
Package: bacula-director-mysql
Version: 9.4.2-2
Severity: normal

Dear Maintainer,

Script /usr/share/bacula-director/grant_mysql_privileges line 11:
db_password=XXX_DBPASSWORD_XXX

This should be:
db_password=${db_password:-XXX_DBPASSWORD_XXX}

or other autogenerated random password.


-- System Information:
Debian Release: 10.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8 (charmap=UTF-8), LANGUAGE=es_ES.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages bacula-director-mysql depends on:
ii  bacula-common-mysql                         9.4.2-2
ii  dbconfig-mysql                              2.0.11+deb10u1
ii  debconf [debconf-2.0]                       1.5.71
ii  default-mysql-client                        1.0.5
ii  mariadb-client-10.3 [virtual-mysql-client]  1:10.3.17-0+deb10u1

Versions of packages bacula-director-mysql recommends:
ii  default-mysql-server                        1.0.5
ii  mariadb-server-10.3 [virtual-mysql-server]  1:10.3.17-0+deb10u1

Versions of packages bacula-director-mysql suggests:
ii  gawk  1:4.2.1+dfsg-1

-- debconf information:
  bacula-director-mysql/dbconfig-reinstall: false
* bacula-director-mysql/mysql/admin-user: root
  bacula-director-mysql/internal/reconfiguring: false
  bacula-director-mysql/purge: false
* bacula-director-mysql/dbconfig-install: true
  bacula-director-mysql/remote/port:
  bacula-director-mysql/remote/host: localhost
  bacula-director-mysql/upgrade-backup: true
  bacula-director-mysql/missing-db-package-error: abort
  bacula-director-mysql/upgrade-error: abort
  bacula-director-mysql/dbconfig-upgrade: true
  bacula-director-mysql/db/app-user: bacula@localhost
  bacula-director-mysql/database-type: mysql
  bacula-director-mysql/passwords-do-not-match:
  bacula-director-mysql/remove-error: abort
  bacula-director-mysql/mysql/method: Unix socket
  bacula-director-mysql/dbconfig-remove: true
  bacula-director-mysql/install-error: abort
  bacula-director-mysql/db/dbname: bacula
  bacula-director-mysql/remote/newhost:
  bacula-director-mysql/internal/skip-preseed: false


Bug#941134: bacula-director-mysql: Script grant_mysql_privileges always set password XXX_DBPASSWORD_XXX

Sven Hartge-5
On Wed, 25 Sep 2019 14:53:32 +0200 Hostinet <[hidden email]> wrote:

> Script /usr/share/bacula-director/grant_mysql_privileges line 11:
> db_password=XXX_DBPASSWORD_XXX

This script (or any other script in /usr/share/bacula-director/) is
never used by Debian to set up the database or grant MySQL permissions,
so the template password in there is no problem or risk.

The scripts in /usr/share/bacula-director/ serve as an example for the
administrator on how to set up the database manually, if they so choose.
In that case the administrator is expected to edit the scripts to suit
their needs.

On the other hand, if the template password would be automatically
replaced by the password chosen (or autogenerated) during the package
installation, it would be world-readable, creating a security problem.

Regards,
Sven.


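The file-mode point made in the reply, as an added example that is not part of the original thread or of the Debian package: a shell function that reports whether a script's db_password= line still holds the template value or a real one, and whether the file is world-readable. The function name, the result labels and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a script's db_password= line and its file mode.
PLACEHOLDER='XXX_DBPASSWORD_XXX'   # template value quoted in the bug report

# Prints one of: no-assignment, template, secret-world-readable, secret-restricted
audit_db_password_file() {
    f=$1
    # First db_password= assignment, with optional surrounding quotes removed.
    value=$(sed -n 's/^[[:space:]]*db_password=//p' "$f" | head -n 1 |
            sed "s/^[\"']//; s/[\"']\$//")
    if [ -z "$value" ]; then
        # No assignment line, or an empty value.
        echo no-assignment; return 0
    fi
    case $value in
        # Also matches the ${db_password:-XXX_DBPASSWORD_XXX} form from the report.
        *"$PLACEHOLDER"*) echo template; return 0 ;;
    esac
    # A real value is present: the "other" read bit decides who can see it.
    if [ -n "$(find "$f" -prune -perm -004 -print)" ]; then
        echo secret-world-readable
    else
        echo secret-restricted
    fi
}

# Constructed sample files standing in for a script under /usr/share.
demo() {
    d=$(mktemp -d) || return 1
    printf 'db_password=XXX_DBPASSWORD_XXX\n' > "$d/template.sh"
    printf 'db_password=constructed-sample-secret\n' > "$d/filled.sh"
    chmod 644 "$d/template.sh" "$d/filled.sh"
    audit_db_password_file "$d/template.sh"   # template
    audit_db_password_file "$d/filled.sh"     # secret-world-readable
    chmod 600 "$d/filled.sh"
    audit_db_password_file "$d/filled.sh"     # secret-restricted
    rm -rf "$d"
}
demo
```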