Debian Maint permissions
For all of those that have the debian-sys-maint user in their MySQL user list, there is a security bug that needs to be addressed:
This user should only have "Reload" privileges. Not ALL. This user is only meant to rotate log files and restore root password in case you forget it.
Why do I say this is a security risk? The password for this user is stored as plaintext on the system. Should an attacker gain access to this user's password, they will be able to take over the MySQL server and potentially the rest of the system, not to mention have access to your complete database.
Re: Debian Maint permissions
Ok, let's add this as a bug - https://bugs.vestacp.com/issues/150
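An added example, not part of the original posts or of Vesta's code: a Python audit that applies the rule stated in the first post (RELOAD only for debian-sys-maint) to `SHOW GRANTS` output, and checks whether the mode of the file holding the plaintext password lets group or other users read it. The grant lines are constructed samples, the function names are hypothetical, and the file path in the comment is an assumption about a typical Debian install.

```python
import re
import stat

# Constructed samples of `SHOW GRANTS FOR 'debian-sys-maint'@'localhost'` output.
SAMPLE_BROAD = [
    "GRANT ALL PRIVILEGES ON *.* TO 'debian-sys-maint'@'localhost' WITH GRANT OPTION",
]
SAMPLE_NARROW = [
    "GRANT RELOAD ON *.* TO 'debian-sys-maint'@'localhost'",
]

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+", re.IGNORECASE
)

def parse_grants(lines):
    """Return (privilege, scope) pairs parsed from SHOW GRANTS lines."""
    pairs = []
    for line in lines:
        m = GRANT_RE.match(line.strip())
        if not m:
            continue
        # Split on commas that are not inside a column list such as SELECT (a, b).
        for priv in re.split(r",\s*(?![^()]*\))", m.group("privs")):
            pairs.append((priv.strip().upper(), m.group("scope")))
        if re.search(r"WITH\s+GRANT\s+OPTION", line, re.IGNORECASE):
            pairs.append(("GRANT OPTION", m.group("scope")))
    return pairs

def excess_privileges(lines, allowed=frozenset({"RELOAD", "USAGE"})):
    """Privileges beyond the allow-list; USAGE means 'no privileges' in MySQL."""
    return sorted({p for p, _ in parse_grants(lines) if p not in allowed})

def credentials_file_exposed(mode):
    """True if st_mode grants any access to group or other users."""
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))

if __name__ == "__main__":
    print("excess:", excess_privileges(SAMPLE_BROAD))
    # On a live host, pass os.stat(path).st_mode for the credentials file
    # (assumed here to be /etc/mysql/debian.cnf; the post does not name it).
    print("exposed:", credentials_file_exposed(0o100644))
```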