Bug #32167 another privilege bypass with DATA/INDEX DIRECTORY
Submitted: 7 Nov 2007 19:42
Modified: 20 May 22:54
Reporter: Sergei Golubchik
Status: Closed
Category: Server: MyISAM
Severity: S3 (Non-critical)
Version: any
OS: Any
Assigned to: Sergey Gluhov
Target Version: 5.1+
Triage: D2 (Serious)

[7 Nov 2007 19:42] Sergei Golubchik
Description:
When one creates a MyISAM table with

   CREATE TABLE ( ) DATA DIRECTORY ... INDEX DIRECTORY ...

there are special checks to ensure that existing tables are not overwritten via symlinks.
That is, one cannot create a 'user' table in the 'test' db with DATA DIRECTORY pointing
to the 'mysql' db.

When one creates a table without symlinks, existing files are overwritten. It is
intentional too.

But it creates a problem similar to "insecure tempfile creation": an attacker can create
a table with MYD/MYI files in another database, and if another user later creates a
table in that database with the same name, the attacker will be able to access the table,
bypassing privilege checks.

How to repeat:
root> grant all privileges on test.* to test@localhost;

test> create table t1 (a int) data directory '/MySQL/var/mysql', index directory '/MySQL/var/mysql';

root> flush tables;
root> create table t1 (a int);
root> insert t1 values (1),(2),(3);
root> flush tables;

test> select * from t1;

Suggested fix:
don't allow symlinks into datadir
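An added example, not MySQL's own code: a path-containment check of the kind the fix's test_if_data_home_dir() performs (canonicalized, component-wise, so a data-home prefix cannot be matched by a sibling directory name), plus a defender's audit that lists .MYD/.MYI entries under a data directory that are symlinks resolving back into it. The directory layout built in demo() is constructed for the example.

```python
"""Added example (not MySQL's own code): a path-containment check in the spirit
of the fix's test_if_data_home_dir(), and an audit that lists .MYD/.MYI files
under a data directory that are symlinks resolving back into it."""
import os
import tempfile


def path_within(candidate: str, base: str) -> bool:
    """True if candidate resolves to base or to a path beneath it.

    Both sides are canonicalized (symlinks resolved) and compared on whole
    path components, so '/var/lib/mysql2' is not inside '/var/lib/mysql'.
    """
    c = os.path.realpath(candidate)
    b = os.path.realpath(base)
    return c == b or c.startswith(b.rstrip(os.sep) + os.sep)


def directory_option_allowed(option_path: str, data_home: str) -> bool:
    """Policy from the fix: a DATA DIRECTORY / INDEX DIRECTORY value that
    points into the data home (e.g. datadir/mysql) is refused."""
    return not path_within(option_path, data_home)


def find_symlinked_myisam_files(data_home: str) -> list:
    """Audit an existing data directory: any .MYD/.MYI that is a symlink whose
    target lies inside the data home is the footprint the report describes."""
    hits = []
    for root, _dirs, files in os.walk(data_home):
        for name in files:
            if not name.endswith((".MYD", ".MYI")):
                continue
            full = os.path.join(root, name)
            if os.path.islink(full) and path_within(full, data_home):
                hits.append(os.path.relpath(full, data_home))
    return sorted(hits)


def demo() -> list:
    """Constructed layout: a temporary datadir with 'mysql' and 'test'
    databases, where test/t1.MYD is a symlink into mysql/ as in the report."""
    with tempfile.TemporaryDirectory() as datadir:
        os.makedirs(os.path.join(datadir, "mysql"))
        os.makedirs(os.path.join(datadir, "test"))
        target = os.path.join(datadir, "mysql", "t1.MYD")
        open(target, "w").close()
        os.symlink(target, os.path.join(datadir, "test", "t1.MYD"))
        open(os.path.join(datadir, "test", "t2.MYD"), "w").close()  # ordinary file
        return find_symlinked_myisam_files(datadir)
```

Where the feature is not needed at all, starting the server with symbolic link support disabled (--skip-symbolic-links) makes it ignore DATA DIRECTORY and INDEX DIRECTORY entirely, which removes this class of problem without per-path checks.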
[22 Nov 2007 15:04] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/38278

ChangeSet@1.2198, 2007-11-22 17:59:11+04:00, gluh@mysql.com +3 -0
  Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY
  added new function test_if_data_home_dir() which checks that
  path does not contain mysql data home directory.
  Use of mysql data home directory in
  DATA DIRECTORY & INDEX DIRECTORY is disallowed.
[27 Nov 2007 13:45] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/38623

ChangeSet@1.2198, 2007-11-27 16:39:47+04:00, gluh@mysql.com +3 -0
  Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY
  added new function test_if_data_home_dir() which checks that
  path does not contain mysql data home directory.
  Use of mysql data home directory in
  DATA DIRECTORY & INDEX DIRECTORY is disallowed.
[28 Nov 2007 10:58] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/38680

ChangeSet@1.2198, 2007-11-28 13:53:01+04:00, gluh@mysql.com +3 -0
  Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY (2nd version)
  added new function test_if_data_home_dir() which checks that
  path does not contain mysql data home directory.
  Use of mysql data home directory in
  DATA DIRECTORY & INDEX DIRECTORY is disallowed.
[28 Nov 2007 16:08] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/38704

ChangeSet@1.2198, 2007-11-28 19:02:52+04:00, gluh@mysql.com +3 -0
  Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY (3rd version)
  added new function test_if_data_home_dir() which checks that
  path does not contain mysql data home directory.
  Use of mysql data home directory in
  DATA DIRECTORY & INDEX DIRECTORY is disallowed.
[30 Nov 2007 9:17] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/38932

ChangeSet@1.2198, 2007-11-30 12:11:33+04:00, gluh@mysql.com +3 -0
  Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY (3rd version)
  added new function test_if_data_home_dir() which checks that
  path does not contain mysql data home directory.
  Use of mysql data home directory in
  DATA DIRECTORY & INDEX DIRECTORY is disallowed.
[30 Nov 2007 10:20] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/38937

ChangeSet@1.2198, 2007-11-30 13:14:47+04:00, gluh@mysql.com +5 -0
  Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY
  added new function test_if_data_home_dir() which checks that
  path does not contain mysql data home directory.
  Use of mysql data home directory in
  DATA DIRECTORY & INDEX DIRECTORY is disallowed.
[30 Nov 2007 13:00] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/38952

ChangeSet@1.2218, 2007-11-30 15:54:55+04:00, gluh@mysql.com +5 -0
  Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY
  added new function test_if_data_home_dir() which checks that
  path does not contain mysql data home directory.
  Use of mysql data home directory in
  DATA DIRECTORY & INDEX DIRECTORY is disallowed.
[30 Nov 2007 15:16] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/38966

ChangeSet@1.2592, 2007-11-30 18:10:36+04:00, gluh@mysql.com +2 -0
  Bug#29325 test case is removed because of the Bug#32167 fix
[30 Nov 2007 15:44] Sergei Golubchik
partitioning isn't covered by the first fix
[7 Dec 2007 12:19] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/39513

ChangeSet@1.2679, 2007-12-07 15:14:52+04:00, gluh@mysql.com +8 -0
  Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY (version for 5.1)
  added new function test_if_data_home_dir() which checks that
  path does not contain mysql data home directory.
  Use of mysql data home directory in
  DATA DIRECTORY & INDEX DIRECTORY is disallowed.
[18 Dec 2007 13:53] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/40134

ChangeSet@1.2679, 2007-12-18 16:48:12+04:00, gluh@mysql.com +13 -0
  Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY (2nd version for 5.1)
  added new function test_if_data_home_dir() which checks that
  path does not contain mysql data home directory.
  Use of 'mysql data home'/'any db name' in
  DATA DIRECTORY & INDEX DIRECTORY is disallowed.
[4 Feb 13:15] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/41636

ChangeSet@1.2679, 2008-02-04 16:09:35+04:00, gluh@mysql.com +13 -0
  Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY (3rd version for 5.1)
  added new function test_if_data_home_dir() which checks that
  path does not contain mysql data home directory.
  Use of 'mysql data home'/'any db name' in
  DATA DIRECTORY & INDEX DIRECTORY is disallowed.
[28 Feb 13:54] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/43143

ChangeSet@1.2573, 2008-02-28 16:46:52+04:00, gluh@mysql.com +13 -0
  Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY (3rd version for 5.1)
  added new function test_if_data_home_dir() which checks that
  path does not contain mysql data home directory.
  Use of 'mysql data home'/'any db name' in
  DATA DIRECTORY & INDEX DIRECTORY is disallowed.
[29 Feb 10:01] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/43198

ChangeSet@1.2574, 2008-02-29 12:52:50+04:00, gluh@mysql.com +5 -0
  additional test fix for Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY
[29 Feb 11:03] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/43206

ChangeSet@1.2707, 2008-02-29 13:55:00+04:00, gluh@mysql.com +5 -0
  Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY (ver 4.1, 5.0)
  added new function test_if_data_home_dir() which checks that
  path does not contain mysql data home directory.
  Use of mysql data home directory in
  DATA DIRECTORY & INDEX DIRECTORY is disallowed.
[13 Mar 20:29] Bugs System
Pushed into 6.0.5-alpha
[13 Mar 20:36] Bugs System
Pushed into 5.1.24-rc
[13 Mar 20:43] Bugs System
Pushed into 5.0.60
[13 Mar 20:43] Bugs System
Pushed into 4.1.24
[15 Mar 12:29] Jon Stephens
Documented bugfix in the 4.1.24, 5.0.60, 5.1.24, and 6.0.5 changelogs as follows:

        It was possible to circumvent privileges through the creation of
        MyISAM tables employing the DATA DIRECTORY and INDEX DIRECTORY
        options to overwrite existing table files in the MySQL data
        directory. Use of the MySQL data directory in DATA DIRECTORY and
        INDEX DIRECTORY is now disallowed.

In addition, the changelog entries for 5.1.24 and 6.0.5 include the statement:

        This is also true for partitioned tables and individual table
        partitions.

Also added a note to the relevant section of the CREATE TABLE Syntax section in the
4.1/5.0/5.1/6.0 Manuals.
[31 Mar 16:34] Jon Stephens
Also noted in the 5.1.23-ndb-6.3.11 changelog.
[6 May 11:16] Sergei Golubchik
Please note in the manual that it's CVE-2008-2079.
[9 May 14:05] Norbert Tretkowski
I'm missing the patch for 5.0. There was one commit into the 5.0 repository, but it only
removed a test case.
[9 May 14:43] Sergei Golubchik
It was merged from 4.1. Note that 5.1 required a new fix only because of a new feature -
partitioning, not because we do a separate patch for every branch.

When I'm looking in my 5.0 tree this is what I see:

% bk changes -/#32167/
ChangeSet@1.1616.3128.2, 2008-02-29 13:55:00+04:00, gluh@mysql.com +5 -0
  Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY (ver 4.1, 5.0)
  added new function test_if_data_home_dir() which checks that
  path does not contain mysql data home directory.
  Use of mysql data home directory in
  DATA DIRECTORY & INDEX DIRECTORY is disallowed.

So, that's the patch that got into 5.0.
[9 May 15:04] Norbert Tretkowski
Ah, I missed the comment about the MySQL version, thanks for the pointer.
[9 May 17:20] Norbert Tretkowski
The patch does not apply on the current Community Edition release 5.0.51b.
[9 May 18:23] Paul DuBois
5.0.51b precedes 5.0.60. The patch will appear in the next community release with a
version higher than 5.0.60.
[9 May 19:44] Norbert Tretkowski
That doesn't really help Linux distributions which are shipping the Community Edition of
MySQL.
[20 May 22:54] Paul DuBois
Added CVE number to changelog entry.