MDEV-28823 Secure mariadb-secure-installation output file with chmod #4016


Conversation

akshatnehra
Contributor

Description

This commit addresses a security issue in the mariadb-secure-installation script where the temporary output file containing SQL commands and potentially password hashes was being created with default permissions (typically world-readable).

The fix involves modifying the prepare() function to:

  1. Create the $output file explicitly using touch before it's used
  2. Apply chmod 600 permissions to restrict access to owner only
  3. Maintain consistency with how $config and $command files are already handled

All new code of the whole pull request, including one or several files that are either new files or modified ones, is contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.

How can this PR be tested?

  1. Run the original mariadb-secure-installation script and observe file permissions:

    ./build/scripts/mariadb-secure-installation --socket=/tmp/mysql.sock
    # In another terminal
    ls -la .my* | grep -v .mysql_history

    The .my.output.* file will have -rw-r--r-- permissions

  2. With the patched version:

    # After applying the fix and rebuilding
    ./build/scripts/mariadb-secure-installation --socket=/tmp/mysql.sock
    # In another terminal 
    ls -la .my* | grep -v .mysql_history

    The .my.output.* file will have -rw------- permissions

Results from my testing

  1. Before changes

    root@03b5517f4303:/quick-rebuilds# ls -la .my* | grep -v .mysql_history
    -rw------- 1 root root  70 Apr 22 16:55 .my.cnf.15643
    -rw-r--r-- 1 root root 130 Apr 22 16:55 .my.output.15643
    -rw------- 1 root root  32 Apr 22 16:55 .mysql.15643
    
  2. After Changes

    root@03b5517f4303:/quick-rebuilds# ls -la .my* | grep -v .mysql_history
    -rw------- 1 root root  70 Apr 22 17:04 .my.cnf.16290
    -rw------- 1 root root 130 Apr 22 17:04 .my.output.16290
    -rw------- 1 root root  32 Apr 22 17:04 .mysql.16290
    

Basing the PR against the correct MariaDB version

  • This is a security fix applicable to multiple versions, and the PR is based against the latest MariaDB development branch.

PR quality check

  • ✅ I have checked the CODING_STANDARDS.md file and my PR conforms to this where appropriate.
  • ✅ For any trivial modifications to the PR, I am ok with the reviewer making the changes themselves.

Fix security issue where temporary output files containing SQL commands
and password hashes were created with default permissions (world-readable).
Modified prepare() function to create and chmod the $output file before use,
matching how $config and $command files are already handled.

All new code of the whole pull request, including one or several files
that are either new files or modified ones, is contributed under the
BSD-new license. I am contributing on behalf of my employer Amazon Web
Services, Inc.
@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.

@svoj svoj added the External Contribution All PRs from entities outside of MariaDB Foundation, Corporation, Codership agreements. label Apr 25, 2025
@grooverdan
Member

Thanks for the fix. I'm thinking the original premise of touch/chmod is incorrect. There's a very small race condition where the file can be opened before the chmod is applied, and then read when it's later populated.

Probably best fixed with umask and omit chmod. Does that sound better? As security sensitive fix, a rebase back to the 10.6 branch is ok and edit this PR (near title) to target 10.6 branch.

@akshatnehra
Contributor Author

akshatnehra commented Apr 28, 2025

> Thanks for the fix. I'm thinking the original premise of touch/chmod is incorrect. There's a very small race condition where the file can be opened before the chmod is applied, and then read when it's later populated.
>
> Probably best fixed with umask and omit chmod. Does that sound better? As security sensitive fix, a rebase back to the 10.6 branch is ok and edit this PR (near title) to target 10.6 branch.

Thanks for reviewing my PR and providing suggestions, I will make the required changes soon.
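The two approaches discussed in this thread, the PR's touch-then-chmod sequence and the reviewer's umask alternative, side by side as an added example; this is not code from the PR or from MariaDB's mariadb-secure-installation script, and the file names, the umask 022 baseline and the helper names are assumptions.

```shell
#!/bin/sh
# Added example (not from the MariaDB PR): compares the two ways of creating
# the $output temp file discussed in the review. File names are constructed.

# Print a file's permission bits in octal (GNU stat, with a BSD fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Approach from the PR: touch, then chmod. Between the two commands the file
# exists with umask-derived permissions (0644 under the usual umask 022), so
# another local user could already have it open and read what is written later.
# Returns "<mode right after touch> <mode after chmod>".
touch_then_chmod() {
    output="$1"
    touch "$output"
    mode_before_chmod=$(file_mode "$output")   # the exposed window
    chmod 600 "$output"
    echo "$mode_before_chmod $(file_mode "$output")"
}

# Reviewer's suggestion: restrict the umask before the file is created, so the
# kernel never creates it with group/other bits (0666 & ~077 = 0600). The
# subshell keeps the umask change local, so the rest of the script is unaffected.
# Returns the mode the file has at creation.
umask_create() {
    output="$1"
    ( umask 077; : > "$output" )
    file_mode "$output"
}

demo() {
    tmpdir=$(mktemp -d)
    umask 022                                   # typical default umask
    echo "touch+chmod (mode after touch, after chmod): $(touch_then_chmod "$tmpdir/.my.output.touch")"
    echo "umask 077 (mode at creation):                 $(umask_create "$tmpdir/.my.output.umask")"
    rm -rf "$tmpdir"
}

demo
```

Under umask 022 the first line shows the file spending its first instant at 644 before becoming 600, while the umask variant is 600 from the moment it exists.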
