From: Fred&nbsp;van&nbsp;Engen
Date: March 22 2001 10:40am
Subject: Re: FW: potential vulnerability of mysqld running with root privileges
List-Archive: http://lists.mysql.com/mysql/69175
Message-Id: <20010322114037.A19620@nl.xo.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

Hi,

On Wed, Mar 21, 2001 at 08:39:55AM +0100, Benjamin Pflugmann wrote:
> Sorry to contradict, but have a look:
> 
> newton:~> mysql -u root -e "select version()"
> +-----------+
> | version() |
> +-----------+
> | 3.23.33   |
> +-----------+
> 8:26:25 newton:~> sudo -u mysql touch /tmp/test # just created a file owned by mysql-user
> 8:26:45 newton:~> ln -sf /tmp/test /tmp/yikes.MYI
> 8:26:54 newton:~> ls -l /tmp
> [...]
> -rw-r--r--    1 mysql    mysql           0 Mar 21 08:26 test
> lrwxrwxrwx    1 philemon philemon        9 Mar 21 08:28 yikes.MYI -> /tmp/test
> 8:26:57 newton:~> mysql ../../../../tmp -e "create table yikes(w int(4))"


The problem in my opinion is allowing full pathnames in the database name,
regardless of symbolic links. If someone can write to your database directory,
you're in trouble anyway.

To do the above (without symlinks), you will need to have MySQL root privileges.


When I do it as non-privileged user, I get:

user@host:~$ /opt/mysql-3.23/bin/mysql -u joe -p -e 'create table testy (id int)' ../../../../tmp
Enter password: 
ERROR 1044: Access denied for user: 'radius@localhost' to database '../../../../tmp'


Doing this as a MySQL privileged user (root), I get:

user@host:~$ /opt/mysql-3.23/bin/mysql -u root -p -e 'create table testx (id int)' ../../../../tmp
Enter password: 
user@host:~$ ls -l /tmp/testx*
-rw-rw----   1 mysql    mysql          0 Mar 22 11:25 /tmp/testx.MYD
-rw-rw----   1 mysql    mysql       1024 Mar 22 11:25 /tmp/testx.MYI
-rw-rw----   1 mysql    mysql       8550 Mar 22 11:25 /tmp/testx.frm


The inconsistency is that even as MySQL root, I do get an error when doing
show tables on this 'database'/directory:

user@host:~$ /opt/mysql-3.23/bin/mysql -u root -p -e 'show tables' ../../../../tmp
Enter password: 
ERROR 1102 at line 1: Incorrect database name '../../../../tmp'


This is in 3.23.33 with an unrelated bugfix.


MySQL should be consistent in its checking of database names and IMHO allowing
full pathnames in a database name is asking for trouble.


Regards,

Fred.


-- 
Fred van Engen                              XO Communications B.V.
email: fred.van.engen@stripped             Televisieweg 2
tel: +31 36 5462400                         1322 AC  Almere
fax: +31 36 5462424                         The Netherlands