Create a new db user instead of overwriting the root user (BC-SECURITY#562)

* Create a new db user instead of overwriting the root user

* fix a couple other issues

* use root password for github action mysql

* attempt mysql root password twice

Author: vinnybod

.dockerignore

@@ -1,5 +1,5 @@
 # Git
-.git
+**.git
 .gitignore
 
 # CI

.github/docker-compose.yml

@@ -20,7 +20,8 @@ services:
     image: mysql:8.0
     restart: always
     environment:
-      MYSQL_ROOT_PASSWORD: 'root'
+      MYSQL_USER: 'empire_user'
+      MYSQL_PASSWORD: 'empire_password'
       MYSQL_DATABASE: test_empire
     volumes:
      - db:/var/lib/mysql

.github/workflows/dockerimage.yml

@@ -16,10 +16,11 @@ jobs:
         with:
           submodules: 'recursive'
       - name: Publish Docker
-        uses: elgohr/Publish-Docker-Github-Action@2.9
+        uses: elgohr/Publish-Docker-Github-Action@v5
         with:
           name: bcsecurity/empire
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
           dockerfile: Dockerfile
-          tag_names: true
+          default_branch: main
+          tag_names: true

.github/workflows/lint-and-test.yml

@@ -53,6 +53,9 @@ jobs:
       - name: Set up MySQL
         run: |
           sudo systemctl start mysql
+          mysql -u root -proot -e "CREATE USER IF NOT EXISTS 'empire_user'@'localhost' IDENTIFIED BY 'empire_password';" || true
+          mysql -u root -proot -e "GRANT ALL PRIVILEGES ON *.* TO 'empire_user'@'localhost' WITH GRANT OPTION;" || true
+          mysql -u root -proot -e "FLUSH PRIVILEGES;" || true
       - name: Install dependencies
         run: |
           poetry env use ${{ matrix.python-version }}

CHANGELOG.md

@@ -7,6 +7,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 -   Fix module error in PSRansom (@Cx01N)
+-   Update the install script to set up a new db user instead of overwriting the root user (@Vinnybod)
+-   Update the Starkiller syncer to skip updating if not in a git repo (@Vinnybod)
+-   Update the Docker CI action to publish latest on 'main' branch (@Vinnybod)
 -   Fix install of Poetry for Debian based systems (@Vinnybod)
 
 ## [5.0.3] - 2023-02-20

empire/server/api/app.py

@@ -3,6 +3,7 @@
 import os
 from datetime import datetime
 from json import JSONEncoder
+from pathlib import Path
 
 import socketio
 import uvicorn
@@ -47,7 +48,9 @@ def load_starkiller(v2App):
     starkiller_submodule_dir = "empire/server/api/v2/starkiller"
     starkiller_temp_dir = "empire/server/api/v2/starkiller-temp"
 
-    if empire_config.starkiller.auto_update:
+    if (
+        Path(starkiller_submodule_dir) / ".git"
+    ).exists() and empire_config.starkiller.auto_update:
         sync_starkiller(empire_config.dict())
 
     v2App.mount(

empire/server/config.yaml

@@ -3,8 +3,8 @@ database:
   use: mysql
   mysql:
     url: localhost:3306
-    username: root
-    password: root
+    username: empire_user
+    password: empire_password
     database_name: empire
   sqlite:
     location: empire/server/data/empire.db

empire/server/core/db/base.py

@@ -34,7 +34,8 @@ def try_create_engine(engine_url: str, *args, **kwargs) -> Engine:
     try:
         with engine.connect():
             pass
-    except OperationalError:
+    except OperationalError as e:
+        log.error(e, exc_info=True)
         log.error(f"Failed connecting to database using {engine_url}")
         log.error("Perhaps the MySQL service is not running.")
         log.error("Try executing: sudo systemctl start mysql")

empire/test/test_server_config.yaml

@@ -3,8 +3,8 @@ database:
   use: sqlite
   mysql:
     url: localhost:3306
-    username: root
-    password: root
+    username: empire_user
+    password: empire_password
     database_name: test_empire
   sqlite:
     location: empire/test/test_empire.db

setup/install.sh

@@ -55,8 +55,6 @@ function install_mysql() {
   # https://imsavva.com/silent-installation-mysql-5-7-on-ubuntu/
   # http://www.microhowto.info/howto/perform_an_unattended_installation_of_a_debian_package.html
   echo mysql-apt-config mysql-apt-config/enable-repo select mysql-8.0 | sudo debconf-set-selections
-  echo mysql-community-server mysql-community-server/root-pass password "root" | sudo debconf-set-selections
-  echo mysql-community-server mysql-community-server/re-root-pass password "root" | sudo debconf-set-selections
   echo mysql-community-server mysql-server/default-auth-override select "Use Strong Password Encryption (RECOMMENDED)" | sudo debconf-set-selections
 
   if [ "$OS_NAME" == "DEBIAN" ]; then
@@ -77,6 +75,21 @@ function install_mysql() {
   echo -e "\x1b[1;34m[*] Starting MySQL\x1b[0m"
 }
 
+function start_mysql() {
+  sudo systemctl start mysql.service || true # will fail in a docker image
+
+  # Add the default empire user to the mysql database
+  mysql -u root -e "CREATE USER IF NOT EXISTS 'empire_user'@'localhost' IDENTIFIED BY 'empire_password';" || true
+  mysql -u root -e "GRANT ALL PRIVILEGES ON *.* TO 'empire_user'@'localhost' WITH GRANT OPTION;" || true
+  mysql -u root -e "FLUSH PRIVILEGES;" || true
+
+  # Some OS have a root password set by default. We could probably
+  # be more smart about this, but we just try both.
+  mysql -u root -proot -e "CREATE USER IF NOT EXISTS 'empire_user'@'localhost' IDENTIFIED BY 'empire_password';" || true
+  mysql -u root -proot -e "GRANT ALL PRIVILEGES ON *.* TO 'empire_user'@'localhost' WITH GRANT OPTION;" || true
+  mysql -u root -proot -e "FLUSH PRIVILEGES;" || true
+}
+
 function install_xar() {
   # xar-1.6.1 has an incompatibility with libssl 1.1.x that is patched here
   wget https://github.com/BC-SECURITY/xar/archive/xar-1.6.1-patch.tar.gz
@@ -148,8 +161,8 @@ install_powershell
 if ! command_exists mysql; then
   install_mysql
 fi
-sudo systemctl start mysql.service || true # will fail in a docker image
-mysql -u root -e "SET PASSWORD FOR 'root'@'localhost' = PASSWORD('root');" || true # Set root password to root if its blank
+
+start_mysql
 
 if [ "$ASSUME_YES" == "1" ] ;then
   answer="Y"