[LON-CAPA-admin] Two significant MySQL security holes

Scott Harrison sharrison at users.sourceforge.net
Sun Sep 22 21:47:09 EDT 2002


http://bugs.lon-capa.org/show_bug.cgi?id=809

Dear All:

There are two significant (though not fatal) MySQL security holes on
most all existing LON-CAPA servers, both RedHat 6.* and RedHat 7.*.

I will first describe the fixes, then the problem, and then
(since my e-mail messages must always be long) an editorial.
The fixes have been inserted into all of the development source code
(though not yet the stable release).

FIXES

Fix #1 - Secure the MySQL socket with file permissions.

    As root, run these commands:
         chown apache2:apache2 /var/lib/mysql/mysql.sock
         chmod a-rwx,u+rwx /var/lib/mysql/mysql.sock

Fix #2 - Revoke privileges to the MySQL 'user' table for user=www.

         mysql -u root -p
         mysql> REVOKE ALL PRIVILEGES ON *.* FROM www@localhost;
         mysql> GRANT ALL PRIVILEGES ON loncapa.* TO www@localhost;
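The following audit script is an added example, not part of Scott's message or the LON-CAPA source tree. It checks, without changing anything, whether both fixes are in place on a server: that the socket is owned by the expected user with mode 700, and that the www MySQL account holds no privileges on *.* or on the mysql database beyond USAGE (which is what is left after the REVOKE above). The socket path, the owner name apache2 and the account name www are taken from the fixes; the mysql client flag -N (skip column names) and the use of GNU/busybox stat -c are assumptions about the environment.

```shell
#!/bin/sh
# Added audit example for the two LON-CAPA MySQL fixes (not the project's code).
# Run as: sh audit_lon_mysql.sh --audit   (prompts for the MySQL root password)

SOCK="${MYSQL_SOCK:-/var/lib/mysql/mysql.sock}"   # path from Fix #1
SOCK_OWNER="${SOCK_OWNER:-apache2}"                # owner from Fix #1 (assumed)

# mode_matches_fix MODE : succeed if an octal mode string is what
# "chmod a-rwx,u+rwx" leaves behind: 700 (setuid/sticky bits may precede it).
mode_matches_fix() {
    case "$1" in
        700|?700) return 0 ;;
        *)        return 1 ;;
    esac
}

# socket_check PATH OWNER : verify ownership and mode of the MySQL socket.
# Any path is accepted so the check can be exercised on a test file.
socket_check() {
    sock=$1
    want_owner=$2
    [ -e "$sock" ] || { echo "FAIL: $sock does not exist"; return 1; }
    set -- $(stat -c '%a %U' "$sock")   # octal mode and owner name (GNU/busybox stat)
    mode=$1
    owner=$2
    rc=0
    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL: $sock is owned by $owner, expected $want_owner"
        rc=1
    fi
    if ! mode_matches_fix "$mode"; then
        echo "FAIL: $sock has mode $mode, expected 700"
        rc=1
    fi
    return $rc
}

# grants_are_scoped : read "SHOW GRANTS FOR 'www'@'localhost'" lines on stdin.
# Succeed only if every global (*.*) grant is plain USAGE and nothing touches
# the mysql database, i.e. the account cannot reach the mysql.user table.
grants_are_scoped() {
    bad=0
    while IFS= read -r line; do
        case "$line" in
            "GRANT USAGE ON *.*"*) ;;   # USAGE grants no privileges at all
            *" ON *.* "*|*" ON \`mysql\`.* "*|*" ON mysql.* "*)
                echo "FAIL: over-broad grant: $line"
                bad=1 ;;
        esac
    done
    return $bad
}

main() {
    rc=0
    socket_check "$SOCK" "$SOCK_OWNER" || rc=1
    if command -v mysql >/dev/null 2>&1; then
        # Same root login as Fix #2; -N drops the column header so only grant lines are read.
        mysql -u root -p -N -e "SHOW GRANTS FOR 'www'@'localhost'" | grants_are_scoped || rc=1
    else
        echo "WARN: mysql client not found, skipping grant check"
    fi
    return $rc
}

if [ "${1:-}" = "--audit" ]; then
    main
fi
```

A non-zero exit means at least one fix is missing; the printed FAIL lines say which. Because the script only reads socket metadata and grant output, it is safe to run from cron after each upgrade, which is when a package reinstall is most likely to reset the socket permissions or the grant table.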

PROBLEM

IF a user can log into your LON-CAPA server as a regular linux user,
THEN that user can obtain root access.

Since virtually all LON-CAPA server linux users are instructors
or other people in positions of responsibility, I therefore assume that
the current set of linux account LON-CAPA users has not been engaging
in malicious behavior.

Also, none of the data inside the MySQL database on a LON-CAPA server
is authoritative.  Rather, it is continually refreshed from data files
(on the filesystem of course).

Thus the security holes are significant, though not "insanely" severe.

The origin of the problem:
One could argue that placing a plain-text password 'localhostkey'
inside loncapa_apache.conf, is not good.

However, the current design is based on the axiom that:

"if a process is www, it does not have to reauthenticate itself as a
 process owned by www"

If you want to rewrite the software to provide a better, stabler
AND long-term solution, please do.  But I think we should wait for
MySQL 4.* as described below--so we can preserve the above axiom and avoid
impacting the installation, upgrade, configuration, and DBI-using perl
modules.

EDITORIAL

Who's to blame for this?! (At a university, we are SMART enough to
ALWAYS identify somebody.)  The software programmers are totally to blame for
this, specifically myself!  However, I am just a gracious volunteer.  So
unfortunately I cannot be fired.  We do, however, need to think of
adequate punishments for volunteers....

Back to the goals.

A long-term fix could be based on the fact that MySQL 4.* will support
"standalone-application-mode" in addition to client-server mode.
So, rather than secure a socket, it would be more sensible to have
MySQL as a standalone, www-owned application (since we really
do not want to manage an unused client-server path and completely
different separate user-authentication scheme).  However, MySQL 4.* is not
yet released for RedHat 7.*.  I assume it will come out with RedHat 8.*.

http://bugs.lon-capa.org/show_bug.cgi?id=808

Finally, a reminder that the LON-CAPA policy is to be open about security
issues (crackers be darned).  Thus, this cracker-recipe e-mail is available
to the whole world (though, regarding e-mail, I have been experimenting with
a GPG-email-circuit between sysadmins, but that's just R&D).

The fixes here are easy and simple.  Do them.

Regards,
Scott

-- 
Scott Harrison, sharrison at users.sourceforge.net
