Bug #26007 Config files containing keystore passwords are world readable
Submitted: 1 Feb 2007 14:08 Modified: 21 Feb 2007 14:38
Reporter: Mark Leith
Status: Closed
Category: MySQL Enterprise Monitor: Configuration
Severity: S2 (Serious)
Version:
OS:
Assigned to: BitRock Merlin
CPU Architecture: Any

[1 Feb 2007 14:08] Mark Leith
Description:
-bash-3.00$ pwd
/opt/mysql/network/monitoring/apache-tomcat/conf
-bash-3.00$ ll
total 116
drwxr-xr-x  3 root root  4096 Jan 23 13:11 Catalina
-rw-------  1 root root  7455 Sep 12 17:12 catalina.policy
-rw-------  1 root root  3114 Sep 12 17:12 catalina.properties
-rw-------  1 root root   330 Sep 12 17:12 context.xml
-rw-------  1 root root  2824 Sep 12 17:12 logging.properties
-rw-r--r--  1 root root   236 Jan 23 13:13 merlin.xml
-rw-r--r--  1 root root  1383 Jan 23 07:13 myKeystore
-rw-------  1 root root   851 Sep 12 17:12 server-minimal.xml
-rw-r--r--  1 root root 19470 Jan 23 13:12 server.xml
-rw-r--r--  1 root root   310 Jan 23 13:13 tomcat-users.xml
-rw-------  1 root root 49382 Sep 12 17:12 web.xml

-bash-3.00$ grep -irn pass server.xml 
51:         and responses are returned.  Each Connector passes requests on to the
65:           with a password value of "changeit" for both the certificate and
102:               keystorePass="mysqlnetwork"/>
121:         analyzes the HTTP headers included with the request, and passes them
170:          connectionURL="jdbc:mysql://127.0.0.1:13306/merlin?user=service_manager&password=mysql"
171:              userTable="users" userNameCol="user_name" userCredCol="user_pass"
179:         connectionName="scott" connectionPassword="tiger"
180:              userTable="users" userNameCol="user_name" userCredCol="user_pass"
188:              userTable="users" userNameCol="user_name" userCredCol="user_pass"
-bash-3.00$ whoami
mleith

How to repeat:
See above

Suggested fix:
Set all files within this directory to 600, or not world readable
[14 Feb 2007 13:30] BitRock Merlin
Patch sent to Keith
[21 Feb 2007 14:38] Mark Leith
Hi Bitrock,

I'm closing this now (nothing *serious* is world readable), however the tomcat-users.xml file is still world readable - so this should still be fixed at some point.

[markleith@medusa:~/mysql/network/monitoring/apache-tomcat/conf] $ ll
total 216
drwx------   3 markleit  markleit    102 Feb 21 14:20 Catalina
-rw-------   1 markleit  markleit   7455 Sep 12 16:12 catalina.policy
-rw-------   1 markleit  markleit   3114 Sep 12 16:12 catalina.properties
-rw-------   1 markleit  markleit    330 Sep 12 16:12 context.xml
-rw-------   1 markleit  markleit   2824 Sep 12 16:12 logging.properties
-rw-------   1 markleit  markleit    236 Feb 21 14:22 merlin.xml
-rw-------   1 markleit  markleit   1393 Feb 21 06:40 myKeystore
-rw-------   1 markleit  markleit    851 Sep 12 16:12 server-minimal.xml
-rw-------   1 markleit  markleit  19470 Feb 21 14:21 server.xml
-rw-r--r--   1 markleit  markleit    310 Feb 21 14:22 tomcat-users.xml
-rw-------   1 markleit  markleit  49382 Sep 12 16:12 web.xml

Verified "fixed" on 1.1.0.4785
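The check below is an added example for this thread, not code from MySQL Enterprise Monitor, Tomcat or the reporter. It turns the two observations above into something repeatable: the original report's suggested fix (credential-bearing files in apache-tomcat/conf should be mode 600) and the 21 Feb follow-up, where server.xml was fixed but tomcat-users.xml was still 644. It audits a conf directory for files that are group- or world-readable (slightly stricter than the report, which only mentions world-readable) and that contain a secret-looking attribute such as keystorePass=, connectionPassword= or password=, then tightens only those files. The function names, the regex and the sample files with PLACEHOLDER secrets are assumptions constructed for the demo.

```shell
#!/bin/sh
# Audit a Tomcat conf directory for credential-bearing files that are
# readable by group or others, then tighten only those files to 0600.
# Added example for this bug thread; not code from MySQL Enterprise
# Monitor or Tomcat. Function names and the sample files are assumptions.

# Attribute names that carried secrets in the report's server.xml and
# tomcat-users.xml (keystorePass=, connectionPassword=, password=).
# This regex is an assumption; extend it for other products' config keys.
SECRET_PATTERN='(keystore|connection)?pass(word)?='

# audit_conf_perms DIR
# Prints, sorted, every regular file under DIR that is group- or
# world-readable AND contains a secret-looking attribute. Prints nothing
# when the directory is clean, so callers can test for empty output.
audit_conf_perms() {
    find "$1" -type f \( -perm -040 -o -perm -004 \) \
        -exec grep -Eil "$SECRET_PATTERN" {} \; | sort
}

# fix_conf_perms DIR
# Applies the report's suggested fix (mode 600) to the files that
# audit_conf_perms flags, leaving secret-free files such as
# catalina.policy untouched.
fix_conf_perms() {
    audit_conf_perms "$1" | while IFS= read -r f; do
        chmod 600 "$f"
        printf 'tightened to 0600: %s\n' "$f"
    done
}

# make_sample_conf
# Builds a throwaway directory mirroring the report's layout, with
# constructed PLACEHOLDER secrets (not the values from the report), and
# prints its path. Two files are 644 with secrets, one is 644 without,
# one is already 600.
make_sample_conf() {
    d=$(mktemp -d)
    printf '<Connector port="8443" keystoreFile="myKeystore"\n    keystorePass="PLACEHOLDER"/>\n' \
        > "$d/server.xml"
    printf '<tomcat-users>\n  <user username="admin" password="PLACEHOLDER" roles="manager"/>\n</tomcat-users>\n' \
        > "$d/tomcat-users.xml"
    printf 'grant { permission java.security.AllPermission; };\n' > "$d/catalina.policy"
    printf '<Context/>\n' > "$d/context.xml"
    chmod 644 "$d/server.xml" "$d/tomcat-users.xml" "$d/catalina.policy"
    chmod 600 "$d/context.xml"
    printf '%s\n' "$d"
}

# Stand-alone demo: audit, fix, audit again, clean up.
sample=$(make_sample_conf)
echo "--- before fix ---"
audit_conf_perms "$sample"
echo "--- applying fix ---"
fix_conf_perms "$sample"
echo "--- after fix (empty output means clean) ---"
audit_conf_perms "$sample"
rm -rf "$sample"
```

Run as `sh audit.sh` for the demo, or source it and call `audit_conf_perms /opt/mysql/network/monitoring/apache-tomcat/conf` from a cron job or post-install hook; non-empty output is the finding. The targeted fix is deliberately narrower than the report's "set all files to 600", but the blunt `chmod 600` on every file in the directory is equally valid when Tomcat runs as the files' owner, and it avoids depending on the regex catching every secret-bearing key.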