[8852] in bugtraq
mysql: mysqld creates world readable logs..
daemon@ATHENA.MIT.EDU (Michael Widenius)
Sun Dec 27 15:50:22 1998
Date: Sun, 27 Dec 1998 20:10:33 +0200
Reply-To: monty@analytikerna.se
From: Michael Widenius <monty@MONTY.PP.SCI.FI>
X-To: Mike Uttech <mike-uttech@Usinternet.com>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <199812262131.WAA04706@analytik.analytikerna.se>
>>>>> "Mike" == Mike Uttech <mike-uttech@Usinternet.com> writes:
Mike> On three systems that we have looked at, mysqld creates a world readable
Mike> log file that contains the passwords for the users if they were INSERT'd
Mike> into the user database. If you chmod the log files to 600, it will keep
Mike> them at 600 even if you restart mysqld. If you remove the logfile, then
Mike> restart mysqld it will recreate the logfile with 644.
Mike> [zipoff data]# cat *.log | grep PASSWORD
Mike> 981225 22:50:58 371 Query INSERT INTO user (host,user,password)
Mike> VALUES('localhost','zipoff',PASSWORD('th1si5acrypt1cpa55w0rd'))
Hi!
This is a known misfeature in MySQL 3.21; this is fixed in MySQL 3.22.
Regards,
Monty
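
An added example, not part of the original thread: a shell audit for the condition reported above. It flags world-readable `*.log` files in a data directory, marks those that hold `PASSWORD(` statements, and tightens them to 600. The function names, the directory argument and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes mysqld's *.log files sit
# directly in the directory passed as the first argument.

# Succeeds if the file has the "other read" permission bit set.
is_world_readable() {
    [ -n "$(find "$1" -prune -type f -perm -004 2>/dev/null)" ]
}

# Print one line per world-readable *.log file in the directory:
#   EXPOSED <path>  world-readable and contains PASSWORD( statements
#   LOOSE   <path>  world-readable, no PASSWORD( statements found
audit_logs() {
    for f in "$1"/*.log; do
        [ -f "$f" ] || continue
        is_world_readable "$f" || continue
        if grep -qiF 'PASSWORD(' "$f"; then
            echo "EXPOSED $f"
        else
            echo "LOOSE $f"
        fi
    done
}

# Restrict every *.log file to owner read/write (600); per the report,
# mysqld keeps that mode across restarts as long as the file exists.
harden_logs() {
    for f in "$1"/*.log; do
        [ -f "$f" ] || continue
        chmod 600 "$f"
    done
}

# Build a constructed sample data directory and print its path.
make_sample() {
    d=$(mktemp -d) || return 1
    printf '%s\n' "981225 22:50:58 371 Query INSERT INTO user (host,user,password) VALUES('localhost','demo',PASSWORD('constructed-sample'))" > "$d/host.log"
    printf '%s\n' "981225 22:51:02 371 Query SELECT 1" > "$d/other.log"
    chmod 644 "$d/host.log" "$d/other.log"
    echo "$d"
}

# Audit a real directory when one is given on the command line.
if [ "$#" -gt 0 ]; then audit_logs "$1"; fi
```

Because a removed log file is recreated with mode 644, the audit is worth re-running after any log rotation that deletes the file.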