[dev.icinga.com #2917] possible vulnerability: icinga mysql db creation script grants access to all dbs #1049

Closed
icinga-migration opened this Issue Jul 30, 2012 · 2 comments

icinga-migration commented Jul 30, 2012

This issue has been migrated from Redmine: https://dev.icinga.com/issues/2917

Created by mfriedrich on 2012-07-30 18:06:26 +00:00

Assignee: mfriedrich
Status: Resolved (closed on 2012-07-30 20:21:55 +00:00)
Target Version: 1.8
Last Update: 2014-12-08 14:35:59 +00:00 (in Redmine)

Icinga Version: 1.10.0
OS Version: any

The reason why I f*cking hate such scripts, as they create bugs and exploits nobody wants to see or have.

If I could, I would just throw that directly out of git where it should have never landed without proper review.

http://bugzillafiles.novell.org/attachment.cgi?id=500428

Tim Hardeck 2012-06-15 17:09:11 UTC
Icinga is shipped with db creation scripts which are available in my package
under /usr/bin/icinga-create_db.sh .

The mysql script granted access to all dbs for the icinga user and as it turns
out these scripts are not really supported by upstream.
The issue was also present in the official Icinga documentation.

I have created a patch to fix the script and uploaded it as a branch against
openSUSE12.1:
https://build.opensuse.org/package/show?package=icinga&project=home%3Athardeck%3Abranches%3AopenSUSE%3A12.1%3AUpdate

I have also updated the devel project Icinga.
The only missing part would be Factory but I don't want to push the current
Icinga because the directory structure was changed and I am also planning to
update some scripts.

Is it Ok this way or are additional steps needed?

Comment 1 Marcus Meissner 2012-07-30 12:42:03 UTC
acknowledged by upstream only as doc commits for now:

https://git.icinga.org/?p=icinga-doc.git;a=commitdiff;h=619a08ca1178144b8a3a5caafff32a2d3918edab


https://git.icinga.org/?p=icinga-core.git;a=commitdiff;h=712813d3118a5b9e5a496179cab81dbe91f69d63

Comment 2 Marcus Meissner 2012-07-30 12:59:38 UTC
Created an attachment (id=500428)
icinga-fix-create_mysqldb.patch

patch done by tim

Changesets

2012-07-30 18:08:57 +00:00 by mfriedrich 51e36aa

possible vulnerability: icinga mysql db creation script grants access to all dbs #2917

fixes #2917

2012-07-30 18:09:50 +00:00 by mfriedrich dcd45fb

possible vulnerability: icinga mysql db creation script grants access to all dbs #2917

fixes #2917

2012-07-30 18:10:25 +00:00 by mfriedrich 29fc8ae

possible vulnerability: icinga mysql db creation script grants access to all dbs #2917

fixes #2917

icinga-migration commented Jul 30, 2012

Updated by mfriedrich on 2012-07-30 20:21:55 +00:00

  • Status changed from Assigned to Resolved
  • Done % changed from 0 to 100

Applied in changeset 29fc8ae.

icinga-migration commented Dec 8, 2014

Updated by mfriedrich on 2014-12-08 14:35:59 +00:00

  • Project changed from 18 to Core, Classic UI, IDOUtils
  • Category changed from 105 to IDOUtils
  • Icinga Version set to 1
  • OS Version set to any

@icinga-migration icinga-migration added this to the 1.8 milestone Jan 17, 2017
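
Added example (not part of the original issue, the attached patch, or the Icinga code base): a check over MySQL `SHOW GRANTS` output that flags an application account holding privileges outside its own schema, which is the condition this issue reports. The grant lines and the `icinga` schema and account names below are constructed for illustration and are not copied from the script.

```python
import re

# One line of MySQL `SHOW GRANTS` output:
#   GRANT <privs> ON <scope> TO '<user>'@'<host>' [...]
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+"
    r"(?P<account>'[^']*'@'[^']*'|`[^`]*`@`[^`]*`)",
    re.IGNORECASE,
)

# Constructed sample input: a global grant, then a grant scoped to one schema.
BEFORE = [
    "GRANT SELECT, INSERT, UPDATE, DELETE ON *.* TO 'icinga'@'localhost'",
]
AFTER = [
    "GRANT USAGE ON *.* TO 'icinga'@'localhost'",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `icinga`.* TO 'icinga'@'localhost'",
]


def parse_grant(line):
    """Return (privileges, scope, account) for a GRANT line, or None.

    Column-level privilege lists such as SELECT (a, b) are not handled.
    """
    m = GRANT_RE.match(line.strip())
    if not m:
        return None
    privs = [p.strip().upper() for p in m.group("privs").split(",")]
    scope = m.group("scope").replace("`", "")
    account = m.group("account").replace("`", "'")
    return privs, scope, account


def overbroad_grants(lines, allowed_db):
    """List (account, scope, privileges) for grants reaching beyond allowed_db.

    USAGE on *.* confers no privileges, so it is not reported; any other
    privilege on *.* or on a different schema is.
    """
    findings = []
    for line in lines:
        parsed = parse_grant(line)
        if parsed is None:
            continue
        privs, scope, account = parsed
        db = scope.split(".", 1)[0]
        if db == "*" and privs == ["USAGE"]:
            continue
        if db != allowed_db:
            findings.append((account, scope, privs))
    return findings
```

Feed it the lines returned by `SHOW GRANTS FOR` the monitoring account on a real server; an empty result means the account is confined to the named schema.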