Bug #18628 mysqld: security problem
Submitted: 29 Mar 2006 22:16 Modified: 1 Jun 2007 16:00
Reporter: Paul DuBois
Status: Closed
Category:Server: Tests Severity:S3 (Non-critical)
Version:5.0 OS:Linux (Linux)
Assigned to: Magnus Svensson Target Version:

[29 Mar 2006 22:16] Paul DuBois 
Description:
I will just paste in the relevant mail message here,
which explains the problem:

Date: Wed, 29 Mar 2006 10:31:34 +0200
From: Sergei Golubchik
To: Paul DuBois
Subject: Re: Security problem while running mysql-test-run

Hi!

On Mar 06, Paul DuBois wrote:
> mysql-test/mysql-test-run starts up a server and then invokes
> mysqltest.  If I run ps, I can find out what port the
> test server is listening on and connect to it as root without
> a password:
> 
> % mysql -h 127.0.0.1 -P 9306 -u root -p
> Enter password:
> Welcome to the MySQL monitor.  Commands end with ; or \g.
> Your MySQL connection id is 10 to server version: 5.0.20-log
> 
> Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
> 
> 
> That might be somewhat benign, if I could only affect that server.
> However, it also appears that I have the FILE privilege, and thus can
> cause the server to create files in the file system:
> 
> mysql> show grants;
> +---------------------------------------------------------------------+
> | Grants for root@localhost                                           |
> +---------------------------------------------------------------------+
> | GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION |
> +---------------------------------------------------------------------+
> 1 row in set (0.00 sec)
> 
> 
> Do we have any recommendations for users about how to avoid having
> this cause issues for them?

Nasty :(
I don't see a simple solution.

A couple of possibilities - auto-generating a root password;
implementing a command-line option --secure-file-priv that won't allow
to access files outside server's working directory (or basedir, or
whatever).

Could you submit a bugreport about it ?
Please, don't forget to mark it as "Only in unreleased version" - it
should not appear in searche results (yet).

Regards,
Sergei

How to repeat:
See above.
[3 Aug 2006 11:32] Magnus Svensson 
A --secure-file-priv command should be implemented to get this approved.
[14 Feb 2007 14:46] Bugs System 
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/19868

ChangeSet@1.2395, 2007-02-14 14:44:34+01:00, msvensson@pilot.mysql.com +17 -0
  Bug#18628 mysql-test-run: security problem(part1)
   - Implement --secure-file-priv=<dir> option that limits
    "load_file", "LOAD DATA" and "SELECT .. INTO OUTFILE" to work 
    with files in specified dir.
   - Use above option for mysqld in mysql-test-run.pl
[8 Mar 2007 23:15] Tim Smith 
pushed to 5.0.38, 5.1.17
[13 Mar 2007 19:50] Paul DuBois 
Noted in 5.0.38, 5.1.17 changelogs, and in the
mysqltest manual.
[1 Jun 2007 16:00] Paul DuBois 
--secure-file-priv is an option for mysqld, not mysqltest. I removed the description from
the mysqltest manual to the reference manual. There is also an associated secure_file_priv
system variable.