List: Packagers
From: Sergei Golubchik
Date: November 8 2009 7:29am
Subject: permissions on database directories
Hi, packagers -

We've just got a mail on security@ about a bug (details are at the
end, if you're interested) - exploiting it relies on the fact that
datadir and database directories are world readable.

And I was told that on Debian they are:

 # ls -l /var/lib/
 drwxr-xr-x 10 mysql    mysql    4096 2009-11-07 21:19 mysql

 # ls -l /var/lib/mysql
 drwxr-xr-x 2 mysql root      4096 2009-11-07 21:14 mysql

They don't have to be. Making them readable/writeable by mysql user only
is enough. That's how Gentoo installs them, for example.

You may also want to consider enabling --secure-file-priv in
/etc/my.cnf to limit file operations (SELECT .. OUTFILE, LOAD ...
INFILE, LOAD_FILE) to a dedicated "safe" location.

Thanks!

Regards / Mit vielen Grüßen,
Sergei

P.S.: as for the bug itself - we'll fix it of course

P.P.S: here it is:

=====================================================================
select 1 INTO OUTFILE '/var/lib/mysql/victim/test.MYD';
# the file is created rw-rw-rw- as documented
CREATE TABLE victim.test (...);
# the bug is that the file stays rw-rw-rw-
# and table data becomes readable and writable
=====================================================================

-- 
   __  ___     ___ ____  __
  /  |/  /_ __/ __/ __ \/ /   Sergei Golubchik <serg@stripped>
 / /|_/ / // /\ \/ /_/ / /__  Principal Software Engineer/Server Architect
/_/  /_/\_, /___/\___\_\___/  Sun Microsystems GmbH, HRB München 161028
       <___/                  Sonnenallee 1, 85551 Kirchheim-Heimstetten
Geschäftsführer: Thomas Schroeder, Wolfgang Engels, Wolf Frenkel
Vorsitzender des Aufsichtsrates: Martin Häring
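
A check a packager could run from a post-install script for the two conditions raised in this mail (directories open to "other", and no secure-file-priv setting), as an added example that is not part of the original message or of any MySQL package. The function names and the sample tree are assumptions made for illustration; ownership by the mysql user is assumed to be set elsewhere.

```shell
#!/bin/sh
# Added example: audit and tighten permissions under a MySQL datadir.
# The datadir path is a parameter; the sample tree below is constructed.

# Datadir and database directories that grant any access to "other".
audit_dirs() {
    find "$1" -maxdepth 1 -type d \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Files inside database directories that "other" can read or write,
# e.g. a file left rw-rw-rw- by SELECT ... INTO OUTFILE.
audit_files() {
    find "$1" -mindepth 2 -maxdepth 2 -type f \( -perm -004 -o -perm -002 \) -print
}

# Restrict directories to the owner only and strip "other" bits from files.
# Ownership (mysql user) is assumed to be correct already; chown needs root.
harden() {
    find "$1" -maxdepth 1 -type d -exec chmod 700 {} +
    find "$1" -mindepth 2 -maxdepth 2 -type f -exec chmod o-rwx {} +
}

# True if the option file sets secure-file-priv (dash or underscore spelling).
has_secure_file_priv() {
    grep -Eq '^[[:space:]]*secure[-_]file[-_]priv[[:space:]]*=' "$1"
}

# Constructed sample: a datadir with the modes shown in the listing above.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/mysql" "$d/victim"
    chmod 755 "$d" "$d/mysql" "$d/victim"
    : > "$d/victim/test.MYD"; chmod 666 "$d/victim/test.MYD"
    : > "$d/victim/test.frm"; chmod 660 "$d/victim/test.frm"
    printf '[mysqld]\ndatadir=%s\n' "$d" > "$d/my.cnf"; chmod 600 "$d/my.cnf"
    echo "$d"
}

sample=$(make_sample)
echo "before:"; audit_dirs "$sample"; audit_files "$sample"
has_secure_file_priv "$sample/my.cnf" || echo "secure-file-priv not set"
harden "$sample"
echo "after:"; audit_dirs "$sample"; audit_files "$sample"
rm -rf "$sample"
```

On a real host, pass the configured datadir and option file instead of the sample tree, and run as root or as the mysql user.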