DETAILS: -------- The /etc/init.d/mysql script lists the root password of MySQL database: -"INPUT_DB_PASSWORD=mysql123" -"bin/mysqladmin -uroot -pmysql123 shutdown" The file permission of file /etc/init.d/mysql will allow all users with a login to the NAS server to view the root password for the database. The current permissions are : -rwxrwxr-x 1 root root 1856 Jul 22 10:43 mysql WORKAROUND: ----------- Change the file permissions of /etc/init.d/mysql to limit read/write and execute to the appropriate user (eg. root). STEPS: ------ 1. Login in to NAS server as root; 2. Change file permissions : #chmod 700 /etc/init.d/mysql 3. Verify changes to file permissions : #ls -l /etc/init.d/mysql The file should have the following permissions: -rwx------ 1 root root 1856 Jul 22 10:43 mysql NOTES: ------ NAS versions that run on Windows are not affected. NAS versions, that run on Linux/Solaris and use Oracle/SQL Server as their databases are not affected. NAS versions, that run on Linux/Solaris and use MySQL installed on a host different from the core server are not affected. CONTACT INFORMATION: -------------------- Please contact security-alert AT opsware dot com, if you require additional information. Network Automation System Engineering Opsware, Inc.
