Re: Opsware NAS 6.0 reveals MySQL 'root' password
DETAILS:
--------
The /etc/init.d/mysql script lists the root password of MySQL database:
-"INPUT_DB_PASSWORD=mysql123"
-"bin/mysqladmin -uroot -pmysql123 shutdown"
The file permission of file /etc/init.d/mysql will allow all users with a login
to the NAS server to view the root password for the database.
The current permissions are :
-rwxrwxr-x 1 root root 1856 Jul 22 10:43 mysql
WORKAROUND:
-----------
Change the file permissions of /etc/init.d/mysql to limit read/write and
execute to the appropriate user (eg. root).
STEPS:
------
1. Login in to NAS server as root;
2. Change file permissions :
#chmod 700 /etc/init.d/mysql
3. Verify changes to file permissions :
#ls -l /etc/init.d/mysql
The file should have the following permissions:
-rwx------ 1 root root 1856 Jul 22 10:43 mysql
NOTES:
------
NAS versions that run on Windows are not affected.
NAS versions, that run on Linux/Solaris and use
Oracle/SQL Server as their databases are not affected.
NAS versions, that run on Linux/Solaris and use MySQL installed on a host
different from the core server are not affected.
CONTACT INFORMATION:
--------------------
Please contact security-alert AT opsware dot com, if you require additional
information.
Network Automation System Engineering
Opsware, Inc.