#546 A security hole in afp.conf when MySQL is the CNID backend

open
nobody
1
2014-01-21
2014-01-17
Oichinokata
No

To use MySQL as the CNID backend, afp.conf is written as follows.

[Global]
cnid mysql host = localhost
cnid mysql user = <MySQL_user>
cnid mysql pw = <MySQL_password>
cnid mysql db = <MySQL_database_name>

[afp volume]
path = /exports/netatalk
cnid scheme = mysql

afp.conf contains a cleartext password for MySQL.
I'd like to hide the password from non-root users, so I executed "chmod 600 afp.conf".
However, it does not work well.
afpd will run as the user's ID when a user connects from OS X, so afpd cannot read afp.conf.

Of course, when afp.conf is 644, it works well.

I think it is a security hole in afp.conf when MySQL is the CNID backend.

A sample patch is attached.

1 attachment
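The exposure described in this report can be checked mechanically. What follows is an added example, not code from the netatalk project or from the ticket: a POSIX shell audit that flags an afp.conf which carries a "cnid mysql pw" line while being readable by group or other. The function names, the temporary path and the sample configuration are constructed for the example; the key match is made case-insensitive on the assumption that netatalk's ini parser treats keys that way.

```shell
#!/bin/sh
# Added example: audit afp.conf for a MySQL CNID password that non-root users can read.
# Not netatalk code. Function names, paths and the sample config below are constructed.

# Print the permission bits of a file as an octal string (GNU stat, BSD stat fallback).
afp_conf_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# True if the file sets "cnid mysql pw = ...". The key match is case-insensitive and
# tolerates leading whitespace (assumed to mirror how netatalk's ini parser reads keys).
afp_conf_has_mysql_pw() {
    grep -Eiq '^[[:space:]]*cnid[[:space:]]+mysql[[:space:]]+pw[[:space:]]*=' "$1"
}

# Exit status: 0 = no cleartext MySQL password, or the file is owner-only,
#              1 = password present and group/other have some access to the file,
#              2 = file does not exist.
audit_afp_conf() {
    conf=$1
    [ -f "$conf" ] || return 2
    afp_conf_has_mysql_pw "$conf" || return 0
    mode=$(afp_conf_mode "$conf")
    # Mask off everything except the group and other bits (octal 077).
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        return 1
    fi
    return 0
}

# Demonstration on a constructed copy of the ticket's sample configuration.
demo_dir=$(mktemp -d)
demo_conf="$demo_dir/afp.conf"
cat > "$demo_conf" <<'EOF'
[Global]
cnid mysql host = localhost
cnid mysql user = netatalk
cnid mysql pw = example-password-not-real
cnid mysql db = netatalk_cnid

[afp volume]
path = /exports/netatalk
cnid scheme = mysql
EOF

for m in 644 640 600; do
    chmod "$m" "$demo_conf"
    if audit_afp_conf "$demo_conf"; then
        echo "mode $m: cnid mysql pw not readable by non-root users"
    else
        echo "mode $m: EXPOSED, cnid mysql pw readable by group or other"
    fi
done
rm -rf "$demo_dir"
```

The audit only tells you whether the password is exposed; as the report explains, tightening the file to 600 is not by itself a fix on an afpd that re-reads afp.conf after switching to the connecting user's ID, because the daemon then needs root privileges around the open of the file.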

Discussion

  • Oichinokata

    Oichinokata - 2014-01-17

    Sorry, the sample afp.conf was corrupted, so I am re-sending it.

    [Global]
    cnid mysql host = localhost
    cnid mysql user = {MySQL_user}
    cnid mysql pw = {MySQL_password}
    cnid mysql db = {MySQL_database_name}

    [afp volume]
    path = /exports/netatalk
    cnid scheme = mysql

  • Ralph Böhme

    Ralph Böhme - 2014-01-21

    This seems to be missing a become_root() around

        fd = open(obj->options.configfile, O_RDONLY);
    

    on line 1399 in the same file.

