Package: mysql-dfsg-5.1
Severity: serious
Tags: security

Hello

Below is a mail from the MySQL packagers list.

bye,
-christian-

Begin forwarded message:

Date: Sun, 08 Nov 2009 08:29:49 +0100
From: Sergei Golubchik <s...@mysql.com>
To: packag...@lists.mysql.com
Cc: c...@debian.org
Subject: permissions on database directories

Hi, packagers -

We've just got a mail on security@ about a bug (details are at the end, if you're interested) - exploiting it relies on the fact that datadir and database directories are world readable. And I was told that on Debian they are:

# ls -l /var/lib/
drwxr-xr-x 10 mysql mysql 4096 2009-11-07 21:19 mysql
# ls -l /var/lib/mysql
drwxr-xr-x  2 mysql root  4096 2009-11-07 21:14 mysql

They don't have to be. Making them readable/writeable by the mysql user only is enough. That's how gentoo installs them, for example.

You may also want to consider enabling --secure-file-priv in /etc/my.cnf to limit file operations (SELECT .. OUTFILE, LOAD ... INFILE, LOAD_FILE) to a dedicated "safe" location.

Thanks!

Regards / Mit vielen Grüßen,
Sergei

P.S.: as for the bug itself - we'll fix it of course
P.P.S: here it is:

=====================================================================
select 1 INTO OUTFILE '/var/lib/mysql/victim/test.MYD';
# the file is created rw-rw-rw- as documented
CREATE TABLE victim.test (...);
# the bug is that the file stays rw-rw-rw-
# and table data becomes readable and writable
=====================================================================

--
Sergei Golubchik <s...@sun.com>
Principal Software Engineer/Server Architect
Sun Microsystems GmbH, HRB München 161028
Sonnenallee 1, 85551 Kirchheim-Heimstetten
Geschäftsführer: Thomas Schroeder, Wolfgang Engels, Wolf Frenkel
Vorsitzender des Aufsichtsrates: Martin Häring
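The forwarded mail recommends two mitigations (datadir and database directories readable and writable by the mysql user only, and a secure-file-priv setting) and describes the symptom of the bug (table files left rw-rw-rw-). Below is an added audit script, not code from the bug report, from the MySQL project or from the Debian packaging, that checks all three on a datadir path and a my.cnf fragment passed to it. The datadir layout, file names and config fragment used by its demo mode are constructed here; the only assumptions are POSIX sh, ls, find and awk.

```shell
#!/bin/sh
# Added example (not code from the bug report or from the MySQL/Debian
# packaging): audit a MySQL datadir for the conditions the forwarded mail
# discusses and check a my.cnf fragment for secure-file-priv.
# Everything it reads is passed in as a path; the demo at the bottom builds
# a constructed datadir under mktemp so it can run without a MySQL install.

# Return 0 if the directory grants nothing to group or other, 1 if any
# group/other bit is set, 2 if the argument is not a directory.
dir_is_private() {
    [ -d "$1" ] || return 2
    # "ls -ld" prints the mode string first (e.g. drwxr-xr-x);
    # columns 5-10 are the group and other bits.
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Check the datadir itself and each per-database subdirectory (one level
# deep, which is where MySQL keeps the .frm/.MYD/.MYI files). Prints every
# directory that is not private; the return value is the number found.
audit_datadir() {
    datadir=${1%/}
    bad=0
    for d in "$datadir" "$datadir"/*/; do
        d=${d%/}
        [ -d "$d" ] || continue
        if ! dir_is_private "$d"; then
            echo "not private: $(ls -ld "$d")"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# The bug in the mail leaves table files rw-rw-rw-. Print the number of
# regular files under the datadir that are writable by group or other
# ("find -perm -mode" is POSIX: all of the given bits set).
count_loose_files() {
    find "${1%/}" -type f \( -perm -020 -o -perm -002 \) | wc -l | tr -d ' '
}

# Return 0 if the [mysqld] section of the given file sets secure-file-priv
# (either spelling) to a non-empty value, 1 otherwise. Settings in other
# sections ([client], [mysqldump], ...) do not count.
has_secure_file_priv() {
    awk '
        /^[[:space:]]*\[/ { in_mysqld = ($0 ~ /^[[:space:]]*\[mysqld\]/); next }
        in_mysqld && /^[[:space:]]*secure[-_]file[-_]priv[[:space:]]*=[[:space:]]*[^[:space:]]/ { found = 1 }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# Demo on a constructed datadir (run as: sh audit.sh demo).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/mysql/victim"
    chmod 755 "$tmp/mysql"                    # the Debian default the mail describes
    chmod 700 "$tmp/mysql/victim"
    : > "$tmp/mysql/victim/test.MYD"
    chmod 666 "$tmp/mysql/victim/test.MYD"    # what the bug leaves behind
    printf '[mysqld]\ndatadir=%s\n' "$tmp/mysql" > "$tmp/my.cnf"

    audit_datadir "$tmp/mysql" || echo "$? directory(ies) need chmod 700"
    echo "group/world-writable files: $(count_loose_files "$tmp/mysql")"
    has_secure_file_priv "$tmp/my.cnf" || echo "secure-file-priv is not set in $tmp/my.cnf"
    rm -rf "$tmp"
}

if [ "${1-}" = demo ]; then demo; fi
```

On a real host the three functions would be pointed at the server's datadir (/var/lib/mysql on Debian) and at /etc/my.cnf or /etc/mysql/my.cnf; a non-zero result from `audit_datadir` is the condition the mail says the exploit depends on, and a non-zero `count_loose_files` is the symptom of the bug itself.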