  1. Modules
  2. MODULES-8305

puppetlabs-mysql: mode of $mysql::server::config_file is questionable

    Details

    • Type: Bug
    • Status: Open
    • Priority: Normal
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: mysql
    • Environment:

      Oracle Linux 7.5
      puppet --version: 5.5.8
      puppetserver --version: 5.3.5

    • Template:
      MODULES Bug Template
    • Epic Link:
    • Team:
      Modules
    • Method Found:
      Needs Assessment
    • QA Risk Assessment:
      Needs Assessment

      Description

      Hi folks,

      I was wondering: the mode of $mysql::server::config_file is set to 0644 and $mysql::server::includedir is set to 0755.

      Under normal circumstances, this is not an issue, as there are no credentials in that file.

      It is though, when you use Galera and have your wsrep_sst_* settings in there (especially wsrep_sst_auth). This will result in every user being able to get the State Snapshot Transfer credentials.

      Bottom line: every POSIX user can get all data using the credentials being accessible to every POSIX user.

      EDIT: as a sidenote... setting the mode to o= prevents MariaDB from starting up (or to be precise: it starts up, but cannot read the config file, so it uses default values). This can be mitigated by changing mysql::server::root_group to mysql (in my case, see environment, might be different on your platform). Unfortunately, though, the mode is still hardcoded and the file is readable by everyone.

      So... a possible solution would probably be to create a config option like $mysql::server::config_file_mode.

      Cheers
      Thomas
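
An audit for the exposure described in this report, as an added example that is not part of the original report or of puppetlabs-mysql: it flags credential keys in config files that POSIX "other" can read. The function names, the sample files and the extra `password` key are assumptions made for illustration.

```python
import os
import re
import stat
import tempfile

# wsrep_sst_auth is the key named in the report; "password" is an added assumption.
# MySQL option files accept "-" and "_" interchangeably in option names.
SECRET_KEY = re.compile(r"^\s*(wsrep[_-]sst[_-]auth|password)\s*=", re.IGNORECASE)

def config_files(config_file, includedir):
    """Yield the main config file plus every *.cnf in the include directory."""
    yield config_file
    if os.path.isdir(includedir):
        for name in sorted(os.listdir(includedir)):
            if name.endswith(".cnf"):
                yield os.path.join(includedir, name)

def exposed_secrets(config_file, includedir):
    """Return (path, octal mode, key) for each secret key in an other-readable file."""
    findings = []
    for path in config_files(config_file, includedir):
        try:
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if not mode & stat.S_IROTH:
                continue  # "other" has no read bit, so not every local user can read it
            with open(path, encoding="utf-8", errors="replace") as fh:
                keys = [m.group(1).lower() for m in map(SECRET_KEY.match, fh) if m]
        except OSError:
            continue  # file vanished or the auditing user cannot read it
        findings += [(path, oct(mode), key) for key in keys]
    return findings

def demo():
    """Constructed sample: a 0644 my.cnf and a 0640 include file, both with wsrep_sst_auth."""
    root = tempfile.mkdtemp()
    main = os.path.join(root, "my.cnf")
    inc = os.path.join(root, "conf.d")
    os.mkdir(inc)
    for path, mode in {main: 0o644, os.path.join(inc, "galera.cnf"): 0o640}.items():
        with open(path, "w") as fh:
            fh.write("[mysqld]\nwsrep_sst_method = rsync\nwsrep_sst_auth = sst_user:CONSTRUCTED\n")
        os.chmod(path, mode)
    return [(os.path.basename(p), m, k) for p, m, k in exposed_secrets(main, inc)]

if __name__ == "__main__":
    print(demo())
```

On a real host, call `exposed_secrets()` with the values of `$mysql::server::config_file` and `$mysql::server::includedir`; a 0640 file is only safe if the daemon's group can still read it, as the EDIT in the report notes.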

            People

            Assignee:
            Unassigned
            Reporter:
            TwizzyDizzy Twizzy Dizzy