Bug #21224 mysql_upgrade uses possibly insecure temporary files
Submitted: 21 Jul 2006 21:10 Modified: 13 Sep 2006 16:48
Reporter: Christian Hammers (Silver Quality Contributor) (OCA) Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: Command-line Clients Severity:S3 (Non-critical)
Version:5.0.25nightly OS:All unix likes
Assigned to: Chad MILLER CPU Architecture:Any

[21 Jul 2006 21:10] Christian Hammers
Description:
Hello

mysql_upgrade (precisely create_defaults_file() in client/mysql_upgrade.c)
creates /var/lib/mysql/upgrade_defaults if there is content in the [client] section of /root/.my.cnf.
If this location happens to be present and a symlink the target of the symlink
is used and if mysqlcheck aborts the file stays.

I did not came to a security relevant attack vector as to exploit this
 - somebody must already have gained a shell as user mysql
 - and root has stuff in the [client] section of /root/.my.cnf
 - and root calls mysql_upgrade
 - and mysqlcheck crashes

but nevertheless we do have tmpfile(3), *please* do use this function for creating temporary files...

bye,

-christian-

How to repeat:
mysql$ ln -sf /etc/whatever /var/lib/mysql/upgrade_defaults

root# echo -e "[client]\nfoo=bar\n" > /root/.my.cnf
root# mysql_upgrade

Suggested fix:
Use tmpfile(3) and don't write files as root in a directory writable by a different uid if not really necessary.
[23 Jul 2006 9:00] Valeriy Kravchuk
Thank you for a problem report. I am not sure that arbitrary content in .my.cnf can be used:

openxs@suse:~/dbs/5.0> echo -e "[client]\nfoo=bar\n" > ~/.my.cnf
openxs@suse:~/dbs/5.0> bin/mysql_upgrade --basedir=/home/openxs/dbs/5.0 -uroot
--force
bin/mysql_upgrade: unknown variable 'foo=bar'

but, anyway, you are rignt: there is no need to work with this temporary file like with normal one.
[11 Aug 2006 19:31] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/10320

ChangeSet@1.2250, 2006-08-11 15:31:06-04:00, cmiller@zippy.cornsilk.net +1 -0
  Bug#21224: mysql_upgrade uses possibly insecure temporary files
  
  We open for writing a known location, which is exploitable with a symlink
  attack.  Now, use the EXCLusive flag, so that the presence of anything at 
  that location causes a failure.  Try once to open safely, and if failure 
  then remove that location and try again to open safely.  If both fail, then
  raise an error.
[11 Aug 2006 21:20] Timothy Smith
Looks OK to me, Chad.  I think using O_EXCL instead of tmpfile() makes sense, as it may be nice to know the name of the file for support purposes.  Although it shouldn't really be an issue, I guess - but the O_EXCL will make this op safe, and is not any more complex than tmpfile() so it's fine.
[14 Aug 2006 14:06] Chad MILLER
In Maint tree.  Should go into 5.0.25 .
[31 Aug 2006 11:40] Magnus BlÄudd
Pushed to 5.0.25
[31 Aug 2006 19:34] Paul DuBois
Noted in 5.0.25 changelog.
[13 Sep 2006 8:46] Timothy Smith
Pushed to 5.1.12
[13 Sep 2006 16:48] Paul DuBois
Noted in 5.1.12 changelog.