This does seem like a needless security weak point.
For folks who don't live and breathe MySQL (like me), here is a procedure
to change the database password:
(in a root shell)
# invoke-rc.d zoneminder stop
# rights='lock tables, alter, select, insert, update, delete'
# zmpass=$(pwgen -1s) # set this variable to the new password
# echo "grant $rights on zm.* to zmuser@localhost identified by \"$zmpass\";" \
    | mysql --defaults-file=/etc/mysql/debian.cnf mysql
# perl -pi -e "s,^(ZM_DB_PASS)=.*\$,\$1=$zmpass," /etc/zm/zm.conf
# invoke-rc.d zoneminder start
As for tightening up the permissions on /etc/zm/zm.conf, that can only
go so far, since ZoneMinder runs as user www-data and needs to be able
to read the file. This works:
# chgrp www-data /etc/zm/zm.conf
# chmod g=r,o= /etc/zm/zm.conf
A compromised Web service can still get the password, but that's better
than allowing it to any local user.
--
Daniel Richard G. || [email protected]
My ASCII-art .sig got a bad case of Times New Roman.
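
A check for the file permissions described in the message above, added here as an example and not part of the original post. The function name check_conf_perms is hypothetical, and GNU stat (as shipped on Debian) is assumed.

```shell
#!/bin/sh
# Added example (not from the original message): verify that a config file
# holding a database password matches the result of
#   chgrp GROUP FILE; chmod g=r,o= FILE
# Assumes GNU stat. Usage: check_conf_perms /etc/zm/zm.conf www-data
# Returns 0 when compliant, 1 when any finding is printed, 2 if FILE is missing.
check_conf_perms() {
    file=$1
    want_group=$2
    rc=0

    if [ ! -f "$file" ]; then
        echo "missing: $file"
        return 2
    fi

    mode=$(stat -c '%a' "$file")    # octal mode, e.g. 640
    group=$(stat -c '%G' "$file")   # owning group name
    grp_bits=$(( (0$mode >> 3) & 7 ))
    oth_bits=$(( 0$mode & 7 ))

    if [ "$group" != "$want_group" ]; then
        echo "group is $group, expected $want_group"
        rc=1
    fi
    if [ "$oth_bits" -ne 0 ]; then
        echo "mode $mode: other users have access (want o=)"
        rc=1
    fi
    if [ "$grp_bits" -ne 4 ]; then
        echo "mode $mode: group bits are not read-only (want g=r)"
        rc=1
    fi
    return $rc
}
```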