Your message dated Fri, 20 Nov 2009 18:51:16 +0000
with message-id <e1nbyzg-0002xd...@ries.debian.org>
and subject line Bug#555626: fixed in mysql-dfsg-5.1 5.1.41-1
has caused the Debian Bug report #555626,
regarding Fw: permissions on database directories
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
555626: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=555626
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: mysql-dfsg-5.1
Severity: serious
Tags: security
Hello
Below is a mail from the MySQL packagers list.
bye,
-christian-
Begin forwarded message:
Date: Sun, 08 Nov 2009 08:29:49 +0100
From: Sergei Golubchik <s...@mysql.com>
To: packag...@lists.mysql.com
Cc: c...@debian.org
Subject: permissions on database directories
Hi, packagers -
We've just got a mail on security@ about a bug (details are at the
end, if you're interested) - exploiting it relies on the fact that
datadir and database directories are world readable.
And I was told that on Debian they are:
# ls -l /var/lib/
drwxr-xr-x 10 mysql mysql 4096 2009-11-07 21:19 mysql
# ls -l /var/lib/mysql
drwxr-xr-x 2 mysql root 4096 2009-11-07 21:14 mysql
They don't have to be. Making them readable/writeable by mysql user only
is enough. That's how gentoo installs them, for example.
You may also want to consider enabling --secure-file-priv in
/etc/my.cnf to limit file operations (SELECT .. OUTFILE, LOAD ...
INFILE, LOAD_FILE) to a dedicated "safe" location.
Thanks!
Regards / With best regards,
Sergei
P.S.: as for the bug itself - we'll fix it of course
P.P.S: here it is:
=====================================================================
select 1 INTO OUTFILE '/var/lib/mysql/victim/test.MYD';
# the file is created rw-rw-rw- as documented
CREATE TABLE victim.test (...);
# the bug is that the file stays rw-rw-rw-
# and table data becomes readable and writable
=====================================================================
--
Sergei Golubchik <s...@sun.com>
Principal Software Engineer/Server Architect
Sun Microsystems GmbH, HRB München 161028
Sonnenallee 1, 85551 Kirchheim-Heimstetten
Managing Directors: Thomas Schroeder, Wolfgang Engels, Wolf Frenkel
Chairman of the Supervisory Board: Martin Häring
--- End Message ---
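As an added example that is not part of the bug report or of the Debian package, here is a POSIX shell audit for the two points in Sergei's mail: it lists everything under a datadir that group or others can read, write or search (such as the rw-rw-rw- .MYD left behind by INTO OUTFILE) or that the mysql user does not own, and it reads the secure-file-priv value from the [mysqld] section of a my.cnf. The datadir path, owner name and config path are assumed arguments, and the small my.cnf parser is my own, not MySQL's.

```shell
#!/bin/sh
# Added example, not part of the bug report or of the Debian package.
# Arguments: datadir path, expected owner (name or uid; mysql on Debian).

# Print one line per directory or file under $1 that has any group/other
# permission bit set, or that is not owned by $2. Prints nothing when clean.
audit_datadir() {
    dir="$1"
    uid=$(id -u "$2" 2>/dev/null) || uid="$2"
    # ls -ldn: column 1 is the 10-character mode, column 3 the numeric owner
    find "$dir" -print | while IFS= read -r path; do
        info=$(ls -ldn "$path") || continue
        mode=$(printf '%s\n' "$info" | awk '{ print substr($1, 1, 10) }')
        own=$(printf '%s\n' "$info" | awk '{ print $3 }')
        case "$mode" in
            ????------) ;;   # owner-only, as Gentoo and Debian 5.1.41-1 install it
            *) printf 'open-perms %s %s\n' "$mode" "$path" ;;
        esac
        [ "$own" = "$uid" ] || printf 'wrong-owner %s %s\n' "$own" "$path"
    done
}

# Succeeds only when the audit has nothing to report.
datadir_is_private() {
    [ -z "$(audit_datadir "$@")" ]
}

# Print the secure-file-priv value from the [mysqld] section of the my.cnf
# given as $1 (Sergei's second recommendation); print "unset" and fail if
# the section does not set it.
secure_file_priv_setting() {
    awk -F= '
        /^[[:space:]]*\[/ { in_mysqld = ($0 ~ /^[[:space:]]*\[mysqld\]/); next }
        in_mysqld && $1 ~ /^[[:space:]]*secure[-_]file[-_]priv[[:space:]]*$/ {
            val = $2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
        }
        END { if (val == "") { print "unset"; exit 1 } print val }
    ' "$1"
}

# Usage: sh audit.sh /var/lib/mysql mysql /etc/mysql/my.cnf
if [ "$#" -eq 3 ]; then
    audit_datadir "$1" "$2"
    printf 'secure-file-priv: %s\n' "$(secure_file_priv_setting "$3")"
fi
```

Run it as root against the real datadir; an empty audit plus a non-"unset" secure-file-priv line is the state the Debian fix and Sergei's advice aim for.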
--- Begin Message ---
Source: mysql-dfsg-5.1
Source-Version: 5.1.41-1
We believe that the bug you reported is fixed in the latest version of
mysql-dfsg-5.1, which is due to be installed in the Debian FTP archive:
libmysqlclient-dev_5.1.41-1_amd64.deb
to main/m/mysql-dfsg-5.1/libmysqlclient-dev_5.1.41-1_amd64.deb
libmysqlclient16_5.1.41-1_amd64.deb
to main/m/mysql-dfsg-5.1/libmysqlclient16_5.1.41-1_amd64.deb
libmysqld-dev_5.1.41-1_amd64.deb
to main/m/mysql-dfsg-5.1/libmysqld-dev_5.1.41-1_amd64.deb
libmysqld-pic_5.1.41-1_amd64.deb
to main/m/mysql-dfsg-5.1/libmysqld-pic_5.1.41-1_amd64.deb
mysql-client-5.1_5.1.41-1_amd64.deb
to main/m/mysql-dfsg-5.1/mysql-client-5.1_5.1.41-1_amd64.deb
mysql-client_5.1.41-1_all.deb
to main/m/mysql-dfsg-5.1/mysql-client_5.1.41-1_all.deb
mysql-common_5.1.41-1_all.deb
to main/m/mysql-dfsg-5.1/mysql-common_5.1.41-1_all.deb
mysql-dfsg-5.1_5.1.41-1.diff.gz
to main/m/mysql-dfsg-5.1/mysql-dfsg-5.1_5.1.41-1.diff.gz
mysql-dfsg-5.1_5.1.41-1.dsc
to main/m/mysql-dfsg-5.1/mysql-dfsg-5.1_5.1.41-1.dsc
mysql-dfsg-5.1_5.1.41.orig.tar.gz
to main/m/mysql-dfsg-5.1/mysql-dfsg-5.1_5.1.41.orig.tar.gz
mysql-server-5.1_5.1.41-1_amd64.deb
to main/m/mysql-dfsg-5.1/mysql-server-5.1_5.1.41-1_amd64.deb
mysql-server_5.1.41-1_all.deb
to main/m/mysql-dfsg-5.1/mysql-server_5.1.41-1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 555...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Norbert Tretkowski <no...@debian.org> (supplier of updated mysql-dfsg-5.1
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
Format: 1.8
Date: Fri, 20 Nov 2009 17:35:42 +0100
Source: mysql-dfsg-5.1
Binary: libmysqlclient16 libmysqld-pic libmysqld-dev libmysqlclient-dev
mysql-common mysql-client-5.1 mysql-server-5.1 mysql-server mysql-client
Architecture: source all amd64
Version: 5.1.41-1
Distribution: unstable
Urgency: medium
Maintainer: Debian MySQL Maintainers <pkg-mysql-ma...@lists.alioth.debian.org>
Changed-By: Norbert Tretkowski <no...@debian.org>
Description:
libmysqlclient-dev - MySQL database development files
libmysqlclient16 - MySQL database client library
libmysqld-dev - MySQL embedded database development files
libmysqld-pic - MySQL database development files
mysql-client - MySQL database client (metapackage depending on the latest
versio
mysql-client-5.1 - MySQL database client binaries
mysql-common - MySQL database common files (e.g. /etc/mysql/my.cnf)
mysql-server - MySQL database server (metapackage depending on the latest
versio
mysql-server-5.1 - MySQL database server binaries
Closes: 552003 555626
Changes:
mysql-dfsg-5.1 (5.1.41-1) unstable; urgency=medium
.
* New upstream release.
* Drop patch 60_zlib_innodb_workaround.dpatch, merged upstream.
* Make $DATADIR readable/writeable only for user mysql. (closes: #555626)
* Build with --without-readline to use system readline instead of bundled
copy. (closes: #552003)
--- End Message ---