The debian-private mailing list leak, part 1. Volunteers have complained about Blackmail. Lynchings. Character assassination. Defamation. Cyberbullying. Volunteers who gave many years of their lives are picked out at random for cruel social experiments. The former DPL's girlfriend Molly de Blanc is given volunteers to experiment on for her crazy talks. These volunteers never consented to be used like lab rats. We don't either. debian-private can no longer be a safe space for the cabal. Let these monsters have nowhere to hide. Volunteers are not disposable. We stand with the victims.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

msql access control (fwd)

To: security@debian.org
Subject: msql access control (fwd)
From: Christian Hudon <S1205299.ber@student.goethe.de>
Date: Tue, 30 Sep 1997 18:07:34 +0200 (MET-DST)
Delivered-to: security@debian.org
Resent-cc: recipient list not shown: ;
Resent-date: 30 Sep 1997 16:07:41 -0000
Resent-from: debian-private@lists.debian.org
Resent-message-id: <"vgzidD.A.QB.KPSM0"@debian>
Resent-sender: debian-private-request@lists.debian.org

Does our msql package follow the recommendations made in this message?

   Christian

---------- Forwarded message ----------
Date: Sat, 27 Sep 1997 21:40:06 +0300
From: "John W. Temples" <john@KUWAIT.NET>
To: BUGTRAQ@NETSPACE.ORG
Subject: msql access control

I was reviewing the access control mechanisms in the mSQL database
(http://www.hughes.com.au/) and made the following observations:

1) When doing a "make install" of msql, no msql.acl access control list
file is installed.  When the database server is started without an ACL
file, it prints a warning, and then starts with all databases world
readable and writable.  If the server is on the Internet, the entire
Internet has read/write access to the databases.

2) When an ACL file is used, one form of authentication is by username.
The msql server accepts the username from the client and does no
authentication on it whatsoever.  Thus, if an msql server which used
username access control were accessible from a multiuser host,
unauthorized users on that host could access the database by simply
knowing the login name of an authorized user.

2) The other form of authentication used is hostname.  The msql server
does a lookup on the IP address of the client, but does not
subsequently do a lookup of the resulting hostname to verify it.
Hence, host name authentication is trivially defeated.  This problem
was previously described in an SNI advisory
(ftp://ftp.secnet.com/pub/advisories/SNI-17.MSQL.advisory), and SNI has
made patches available to address this problem (and others) for msql
version 2, but no such patches seem to exist for msql version 1.

Conclusions:  install an msql.acl file; don't use username
authentication; disable remote access (set 'access=local' in msql.acl)
unless you have patched the server to correctly verify the hostnames of
connecting clients; and all users on hosts authorized to connect to the
msql server must be trusted.

--
John W. Temples, III       ||       Providing the first public access Internet
Gulfnet Kuwait             ||            site in the Arabian Gulf region

--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-private-request@lists.debian.org . 
Trouble?  e-mail to templin@bucknell.edu .

Follow-Ups:
- Re: msql access control (fwd)
  - From: joey@finlandia.infodrom.north.de (Martin Schulze)

Prev by Date: Re: [spam] Searching for representatives (fwd)
Next by Date: RE: Security bugfix for Samba (fwd)
Previous by thread: xtetris
Next by thread: Re: msql access control (fwd)
Index(es):
- Date
- Thread