From: Fred van Engen
Date: March 22 2001 10:40am
Subject: Re: FW: potential vulnerability of mysqld running with root privileges
List-Archive: http://lists.mysql.com/mysql/69175
Message-Id: <20010322114037.A19620@nl.xo.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

Hi,

On Wed, Mar 21, 2001 at 08:39:55AM +0100, Benjamin Pflugmann wrote:
> Sorry to contradict, but have a look:
>
> newton:~> mysql -u root -e "select version()"
> +-----------+
> | version() |
> +-----------+
> | 3.23.33   |
> +-----------+
> 8:26:25 newton:~> sudo -u mysql touch /tmp/test   # just created a file owned by mysql-user
> 8:26:45 newton:~> ln -sf /tmp/test /tmp/yikes.MYI
> 8:26:54 newton:~> ls -l /tmp
> [...]
> -rw-r--r--    1 mysql    mysql           0 Mar 21 08:26 test
> lrwxrwxrwx    1 philemon philemon        9 Mar 21 08:28 yikes.MYI -> /tmp/test
> 8:26:57 newton:~> mysql ../../../../tmp -e "create table yikes(w int(4))"

The problem in my opinion is allowing full pathnames in the database name,
regardless of symbolic links. If someone can write to your database
directory, you're in trouble anyway.

To do the above (without symlinks), you will need to have MySQL root
privileges.
When I do it as a non-privileged user, I get:

user@host:~$ /opt/mysql-3.23/bin/mysql -u joe -p -e 'create table testy (id int)' ../../../../tmp
Enter password:
ERROR 1044: Access denied for user: 'radius@localhost' to database '../../../../tmp'

Doing this as a MySQL privileged user (root), I get:

user@host:~$ /opt/mysql-3.23/bin/mysql -u root -p -e 'create table testx (id int)' ../../../../tmp
Enter password:
user@host:~$ ls -l /tmp/testx*
-rw-rw----    1 mysql    mysql           0 Mar 22 11:25 /tmp/testx.MYD
-rw-rw----    1 mysql    mysql        1024 Mar 22 11:25 /tmp/testx.MYI
-rw-rw----    1 mysql    mysql        8550 Mar 22 11:25 /tmp/testx.frm

The inconsistency is that even as MySQL root, I do get an error when doing
show tables on this 'database'/directory:

user@host:~$ /opt/mysql-3.23/bin/mysql -u root -p -e 'show tables' ../../../../tmp
Enter password:
ERROR 1102 at line 1: Incorrect database name '../../../../tmp'

This is in 3.23.33 with an unrelated bugfix.

MySQL should be consistent in its checking of database names and IMHO
allowing full pathnames in a database name is asking for trouble.

Regards,

Fred.

--
Fred van Engen                              XO Communications B.V.
email: fred.van.engen@stripped              Televisieweg 2
tel: +31 36 5462400                         1322 AC Almere
fax: +31 36 5462424                         The Netherlands
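The two defences the thread argues for, shown as an added example that is not part of the mailing-list messages above and not MySQL's own code: a database name is accepted only if it is a plain identifier (so '../../../../tmp' is rejected before the server touches the filesystem, and the same check serves CREATE TABLE and SHOW TABLES alike), and a table file is created with O_CREAT|O_EXCL (plus O_NOFOLLOW where available) so that a pre-planted symlink such as yikes.MYI -> /tmp/test makes the create fail instead of clobbering the target. It goes one step beyond the thread by also refusing a well-formed database name whose directory is itself a symlink pointing out of the data directory. The validator, the function names, the scratch directory layout and the 'precious' victim file are all constructed for this example; it assumes a POSIX filesystem on which an unprivileged user can create symlinks.

```python
import os
import re
import tempfile

# Hypothetical validator written for this example; it is not MySQL's own code.
# Accept only a conservative identifier syntax, so a name can never be a path
# such as '../../../../tmp' (the case shown in the thread).
DB_NAME_RE = re.compile(r"[A-Za-z0-9_]{1,64}")


def is_safe_db_name(name: str) -> bool:
    """True if NAME can only ever be a directory entry directly under datadir."""
    return DB_NAME_RE.fullmatch(name) is not None


def resolve_db_dir(datadir: str, name: str) -> str:
    """Map a database name to its directory, refusing anything outside datadir.

    The realpath containment check catches an escape the name check cannot:
    a well-formed name whose directory is a symlink pointing out of datadir.
    """
    if not is_safe_db_name(name):
        raise ValueError(f"incorrect database name: {name!r}")
    base = os.path.realpath(datadir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"database {name!r} resolves outside datadir: {target}")
    return target


def create_table_file(db_dir: str, filename: str, mode: int = 0o660) -> str:
    """Create a table file, refusing to write through a pre-planted symlink.

    O_CREAT|O_EXCL makes open() fail with EEXIST if the path already exists,
    and POSIX specifies that this holds even when the path is a symlink,
    dangling or not. O_NOFOLLOW is added where the platform offers it.
    """
    path = os.path.join(db_dir, filename)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    flags |= getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, mode)
    os.close(fd)
    return path


def demo() -> dict:
    """Replay the thread's scenario in a scratch tree; returns what happened."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        datadir = os.path.join(root, "datadir")
        outside = os.path.join(root, "tmp")  # stands in for /tmp (constructed)
        os.makedirs(os.path.join(datadir, "test"))
        os.makedirs(outside)

        # 1. Path-like database names are rejected before any filesystem access.
        results["traversal_name_ok"] = is_safe_db_name("../../../../tmp")
        results["plain_name_ok"] = is_safe_db_name("test")

        # 2. A clean name whose directory is a symlink out of datadir is refused too.
        os.symlink(outside, os.path.join(datadir, "evil"))
        try:
            resolve_db_dir(datadir, "evil")
            results["symlinked_db_refused"] = False
        except ValueError:
            results["symlinked_db_refused"] = True

        # 3. The yikes.MYI -> /tmp/test trick: the table file already exists as a
        #    symlink planted by an attacker, pointing at a file we must not clobber.
        victim = os.path.join(outside, "test")
        with open(victim, "w") as f:
            f.write("precious\n")
        db_dir = resolve_db_dir(datadir, "test")
        os.symlink(victim, os.path.join(db_dir, "yikes.MYI"))
        try:
            create_table_file(db_dir, "yikes.MYI")
            results["symlink_write_refused"] = False
        except FileExistsError:
            results["symlink_write_refused"] = True
        with open(victim) as f:
            results["victim_intact"] = f.read() == "precious\n"

        # 4. A genuinely new table file is still created normally.
        created = create_table_file(db_dir, "ok.MYI")
        results["new_file_created"] = os.path.isfile(created) and not os.path.islink(created)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script prints one line per check; every value except traversal_name_ok should be True. Note that the O_EXCL refusal is what protects the target: a check such as lstat() followed by open() leaves a window in which the attacker can swap the symlink in, whereas the kernel evaluates O_CREAT|O_EXCL atomically.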