Re: Opsware NAS 6.0 reveals MySQL 'root' password

[security-alert () opsware com]

DETAILS:
--------
The /etc/init.d/mysql script lists the root password of MySQL database:
 
-"INPUT_DB_PASSWORD=mysql123"
 -"bin/mysqladmin -uroot -pmysql123 shutdown"
 
The file permission of file /etc/init.d/mysql will allow all users with a login to the NAS server  to view the root 
password for the database.

The current permissions are :
-rwxrwxr-x    1 root     root         1856 Jul 22 10:43 mysql

WORKAROUND:
-----------
Change the file permissions of /etc/init.d/mysql to limit  read/write and execute to the  appropriate user (eg. root).

STEPS:
------
1. Login in to NAS server as root;

2. Change file permissions :
#chmod 700 /etc/init.d/mysql

3. Verify changes to file permissions :
#ls -l /etc/init.d/mysql
 
The file should have the following permissions:

-rwx------    1 root     root         1856 Jul 22 10:43 mysql

NOTES:
------
NAS versions that run on Windows are not affected.

NAS versions, that run on Linux/Solaris and use 
Oracle/SQL Server as their databases are not affected.

NAS versions, that run on Linux/Solaris and use MySQL installed on a host different from the core server are not 
affected.

CONTACT INFORMATION:
--------------------
Please contact security-alert AT opsware dot com,  if you require additional information.

Network Automation System Engineering
Opsware, Inc.