Date: Thu, 6 Feb 2020 11:25:07 +0100
From: Matthias Gerstner <mgerstner@...e.de>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2019-18901: mariadb: possible symlink attack for the mysql user in the SUSE specific mysql-systemd-helper script

Hello Larry,

On Wed, Feb 05, 2020 at 11:31:55AM -0500, Larry W. Cashdollar wrote:
> That chmod 640 might be interesting if applied to /etc/shadow. It
> could allow some users to read the password hashes.

true. Generally it allows to grant groups read permissions on files. I'm
not aware of an instance where this directly allows the mysql user to
escalate privileges. But it could work when combined with further
weaknesses in the system that allow to compromise further user/group
accounts.

Cheers

Matthias