This repository has been archived by the owner on Jan 15, 2019. It is now read-only.

[dev.icinga.com #2917] possible vulnerability: icinga mysql db creation script grants access to all dbs #1049

Closed
icinga-migration opened this issue Jul 30, 2012 · 2 comments

@icinga-migration

This issue has been migrated from Redmine: https://dev.icinga.com/issues/2917

Created by mfriedrich on 2012-07-30 18:06:26 +00:00

Assignee: mfriedrich
Status: Resolved (closed on 2012-07-30 20:21:55 +00:00)
Target Version: 1.8
Last Update: 2014-12-08 14:35:59 +00:00 (in Redmine)

Icinga Version: 1.10.0
OS Version: any

The reason why I f*cking hate such scripts, as they create bugs and exploits nobody wants to see or have.

If I could, I would just throw that directly out of git where it should have never landed without proper review.

http://bugzillafiles.novell.org/attachment.cgi?id=500428

Tim Hardeck 2012-06-15 17:09:11 UTC
Icinga is shipped with db creation scripts which are available in my package
under /usr/bin/icinga-create_db.sh .

The mysql script granted access to all dbs for the icinga user and as it turns
out these scripts are not really supported by upstream.
The issue was also present in the official Icinga documentation.

I have created a patch to fix the script and uploaded it as a branch against
openSUSE12.1:
https://build.opensuse.org/package/show?package=icinga&project=home%3Athardeck%3Abranches%3AopenSUSE%3A12.1%3AUpdate

I have also updated the devel project Icinga.
The only missing part would be Factory but I don't want to push the current
Icinga because the directory structure was changed and I am also planning to
update some scripts.

Is it Ok this way or are additional steps needed?

Comment 1 Marcus Meissner 2012-07-30 12:42:03 UTC
acknowledged by upstream only as doc commits for now:

https://git.icinga.org/?p=icinga-doc.git;a=commitdiff;h=619a08ca1178144b8a3a5caafff32a2d3918edab


https://git.icinga.org/?p=icinga-core.git;a=commitdiff;h=712813d3118a5b9e5a496179cab81dbe91f69d63

Comment 2 Marcus Meissner 2012-07-30 12:59:38 UTC
Created an attachment (id=500428)
icinga-fix-create_mysqldb.patch

patch done by tim

Attachments

Changesets

2012-07-30 18:08:57 +00:00 by mfriedrich 51e36aa

possible vulnerability: icinga mysql db creation script grants access to all dbs #2917

fixes #2917

2012-07-30 18:09:50 +00:00 by mfriedrich dcd45fb

possible vulnerability: icinga mysql db creation script grants access to all dbs #2917

fixes #2917

2012-07-30 18:10:25 +00:00 by mfriedrich 29fc8ae

possible vulnerability: icinga mysql db creation script grants access to all dbs #2917

fixes #2917

Relations:

@icinga-migration

Updated by mfriedrich on 2012-07-30 20:21:55 +00:00

  • Status changed from Assigned to Resolved
  • Done % changed from 0 to 100

Applied in changeset 29fc8ae.

@icinga-migration

Updated by mfriedrich on 2014-12-08 14:35:59 +00:00

  • Project changed from 18 to Core, Classic UI, IDOUtils
  • Category changed from 105 to IDOUtils
  • Icinga Version set to 1
  • OS Version set to any
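
An added example, not part of the original thread or the Icinga project's code: a small Python check that scans a database-creation script for GRANT statements giving more than USAGE on `*.*`, the problem class reported in this issue. The `BEFORE` and `AFTER` scripts are constructed samples, not the actual Icinga script or patch, and `audit_grants` is a hypothetical helper name.

```python
import re

# One GRANT statement: privilege list, object (db.table), grantee.
GRANT_RE = re.compile(
    r"\bGRANT\s+(?P<privs>.+?)\s+ON\s+(?P<obj>\S+)\s+TO\s+(?P<grantee>\S+)",
    re.IGNORECASE | re.DOTALL,
)

def audit_grants(script_text):
    """Return (grantee, privileges, object) for each GRANT that gives
    more than USAGE on all databases (object *.*)."""
    findings = []
    # Split on ';' so a match never spans two statements.
    for statement in script_text.split(";"):
        m = GRANT_RE.search(statement)
        if not m:
            continue
        obj = m.group("obj").replace("`", "")
        privs = [" ".join(p.split()).upper() for p in m.group("privs").split(",")]
        # USAGE means "no privileges" in MySQL, so USAGE ON *.* is harmless.
        granted = [p for p in privs if p != "USAGE"]
        if obj == "*.*" and granted:
            findings.append((m.group("grantee"), granted, obj))
    return findings

# Constructed sample: privileges granted on every database.
BEFORE = """
CREATE DATABASE icinga;
GRANT USAGE ON *.* TO 'icinga'@'localhost' IDENTIFIED BY 'icinga';
GRANT SELECT, INSERT, UPDATE, DELETE ON *.* TO 'icinga'@'localhost';
FLUSH PRIVILEGES;
"""

# Constructed sample: the same privileges scoped to the icinga database.
AFTER = BEFORE.replace("DELETE ON *.*", "DELETE ON icinga.*")

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_grants(text))
```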
