List: General Discussion
From: Fred van Engen
Date: March 22 2001 10:40am
Subject: Re: FW: potential vulnerability of mysqld running with root privileges

Hi,

On Wed, Mar 21, 2001 at 08:39:55AM +0100, Benjamin Pflugmann wrote:
> Sorry to contradict, but have a look:
> 
> newton:~> mysql -u root -e "select version()"
> +-----------+
> | version() |
> +-----------+
> | 3.23.33   |
> +-----------+
> 8:26:25 newton:~> sudo -u mysql touch /tmp/test # just created a file owned by mysql-user
> 8:26:45 newton:~> ln -sf /tmp/test /tmp/yikes.MYI
> 8:26:54 newton:~> ls -l /tmp
> [...]
> -rw-r--r--    1 mysql    mysql           0 Mar 21 08:26 test
> lrwxrwxrwx    1 philemon philemon        9 Mar 21 08:28 yikes.MYI -> /tmp/test
> 8:26:57 newton:~> mysql ../../../../tmp -e "create table yikes(w int(4))"


The problem in my opinion is allowing full pathnames in the database name,
regardless of symbolic links. If someone can write to your database directory,
you're in trouble anyway.

To do the above (without symlinks), you will need to have MySQL root privileges.


When I do it as non-privileged user, I get:

user@host:~$ /opt/mysql-3.23/bin/mysql -u joe -p -e 'create table testy (id int)' ../../../../tmp
Enter password: 
ERROR 1044: Access denied for user: 'radius@localhost' to database '../../../../tmp'


Doing this as a MySQL privileged user (root), I get:

user@host:~$ /opt/mysql-3.23/bin/mysql -u root -p -e 'create table testx (id int)' ../../../../tmp
Enter password: 
user@host:~$ ls -l /tmp/testx*
-rw-rw----   1 mysql    mysql          0 Mar 22 11:25 /tmp/testx.MYD
-rw-rw----   1 mysql    mysql       1024 Mar 22 11:25 /tmp/testx.MYI
-rw-rw----   1 mysql    mysql       8550 Mar 22 11:25 /tmp/testx.frm


The inconsistency is that even as MySQL root, I do get an error when doing
show tables on this 'database'/directory:

user@host:~$ /opt/mysql-3.23/bin/mysql -u root -p -e 'show tables' ../../../../tmp
Enter password: 
ERROR 1102 at line 1: Incorrect database name '../../../../tmp'


This is in 3.23.33 with an unrelated bugfix.


MySQL should be consistent in its checking of database names and IMHO allowing
full pathnames in a database name is asking for trouble.


Regards,

Fred.


-- 
Fred van Engen                              XO Communications B.V.
email: fred.van.engen@stripped             Televisieweg 2
tel: +31 36 5462400                         1322 AC  Almere
fax: +31 36 5462424                         The Netherlands
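
Added example, not part of the original message and not MySQL's own code: one way to get the consistent checking the message asks for is a single function that validates a database name before it ever becomes a directory path, called by every statement handler. The function names, the 64-character limit and the /var/lib/mysql data directory are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define DB_NAME_MAX 64   /* assumed length limit for this example */

enum db_name_status { DB_NAME_OK, DB_NAME_EMPTY, DB_NAME_TOO_LONG, DB_NAME_IS_PATH };

/* A database name must be a single directory component under the data
 * directory: no separators, no "." or "..", no control characters. */
enum db_name_status db_name_check(const char *name)
{
    size_t len = name ? strlen(name) : 0;
    if (len == 0)
        return DB_NAME_EMPTY;
    if (len > DB_NAME_MAX)
        return DB_NAME_TOO_LONG;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return DB_NAME_IS_PATH;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '/' || c == '\\' || c < 0x20)
            return DB_NAME_IS_PATH;
    }
    return DB_NAME_OK;
}

/* The only place a name becomes a path. Every statement handler (CREATE
 * TABLE, SHOW TABLES, USE, ...) calls this, so none can skip the check.
 * Returns 0 and fills out on success, -1 on a bad name or truncation. */
int db_dir_path(const char *datadir, const char *name, char *out, size_t outlen)
{
    int n;
    if (db_name_check(name) != DB_NAME_OK)
        return -1;
    n = snprintf(out, outlen, "%s/%s", datadir, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed inputs; the second is the name used in the message above. */
    const char *names[] = { "test", "../../../../tmp", "..", "a\\b", "" };
    char path[256];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        int rc = db_dir_path("/var/lib/mysql", names[i], path, sizeof path);
        printf("%-18s -> %s\n", names[i], rc == 0 ? path : "rejected");
    }
    return 0;
}
```

Because the path is only ever built inside `db_dir_path`, a privileged and an unprivileged account get the same answer for `../../../../tmp`, and the privilege check runs afterwards on a name that is already known to be a plain component.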