Hi Sergei,
On Sunday, 08.11.2009, at 08:29 +0100, Sergei Golubchik wrote:
> We've just got a mail on security@ about a bug (details are at the
> end, if you're interested) - exploiting it relies on the fact that
> datadir and database directories are world readable.
>
> And I was told that on Debian they are:
>
> # ls -l /var/lib/
> drwxr-xr-x 10 mysql mysql 4096 2009-11-07 21:19 mysql
>
> # ls -l /var/lib/mysql
> drwxr-xr-x 2 mysql root 4096 2009-11-07 21:14 mysql
>
> They don't have to be. Making them readable/writeable by mysql user only
> is enough. That's how gentoo installs them, for example.
I just fixed this in our svn, will be part of our next upload.
> You may also want to consider enabling --secure-file-priv in
> /etc/my.cnf to limit file operations (SELECT .. OUTFILE, LOAD ...
> INFILE, LOAD_FILE) to a dedicated "safe" location.
I consider this for the next upload as well.
Thanks!
Norbert
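
A check for the two points raised in this thread, as an added example that is not part of the original mail or of the Debian packaging: it flags world-accessible directories under a datadir and reports whether secure-file-priv is set in the [mysqld] section of a my.cnf. The function names, the temporary sample tree and the path /var/lib/mysql-files are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the thread: audit a MySQL datadir and a my.cnf.

# List directories under $1 that "other" users can read, write or enter.
# Returns 1 if any are found (the condition the reported bug relies on).
audit_datadir() {
    loose=$(find "$1" -type d \( -perm -004 -o -perm -002 -o -perm -001 \) -print)
    if [ -n "$loose" ]; then
        printf '%s\n' "$loose" | sed 's/^/world-accessible: /'
        return 1
    fi
}

# Print the secure-file-priv value from the [mysqld] section of $1.
# Returns 1 if the option is absent or empty (empty restricts nothing).
secure_file_priv_value() {
    awk '
        /^[ \t]*\[/ { in_mysqld = ($0 ~ /^[ \t]*\[mysqld\]/); next }
        in_mysqld && /^[ \t]*secure[-_]file[-_]priv[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); val = $0
        }
        END { if (val == "") exit 1; print val }
    ' "$1"
}

# Constructed sample: directories with mode 0755 as in the listing quoted in
# the mail, and a my.cnf that does not set the option.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/datadir/mysql"
    chmod 755 "$root/datadir" "$root/datadir/mysql"
    printf '[mysqld]\nuser = mysql\n' > "$root/my.cnf"
    echo "$root"
}

# Apply both suggestions to the sample; the "safe" path is a placeholder.
harden_sample() {
    chmod 700 "$1/datadir/mysql" "$1/datadir"
    printf 'secure-file-priv = /var/lib/mysql-files\n' >> "$1/my.cnf"
}

sample=$(make_sample)
audit_datadir "$sample/datadir" || echo "before: datadir too open"
secure_file_priv_value "$sample/my.cnf" || echo "before: secure-file-priv not set"
harden_sample "$sample"
audit_datadir "$sample/datadir" && echo "after: datadir is not world-accessible"
secure_file_priv_value "$sample/my.cnf"
rm -rf "$sample"
```

On a real host, call audit_datadir with the server's datadir and secure_file_priv_value with its configuration file, as a user allowed to traverse the datadir.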