Bug #34171 Backup: ignoring --secure-file-priv
Submitted: 30 Jan 2008 17:14
Modified: 29 Sep 2008 20:29
Reporter: Peter Gulutzan
Status: Closed
Category: MySQL Server: Backup
Severity: S3 (Non-critical)
Version: 6.0.5-alpha-debug
OS: Linux (SUSE 10 64-bit)
Assigned to: Jørgen Løland
CPU Architecture: Any

[30 Jan 2008 17:14] Peter Gulutzan
Description:
I'm using 6.0-backup.

Look at
http://dev.mysql.com/doc/refman/5.0/en/privileges-options.html
"
--secure-file-priv=path
This option limits the effect of the LOAD_FILE() function and
the LOAD DATA and SELECT ... INTO OUTFILE statements to work
only with files in the specified directory.
This option was added in MySQL 5.0.38.
"
See also Bug#18628.
 
Currently "--secure-file-priv=path" does not affect
BACKUP DATABASE TO 'file';
or
RESTORE FROM 'file';

How to repeat:
I started mysqld server with --secure-file-priv=/usr/local/mysql/var

mysql> select 5 into outfile '/tmp/1';
ERROR 1290 (HY000): The MySQL server is running with the --secure-file-priv
option so it cannot execute this statement

mysql> backup database test to '/tmp/2';
+-----------+
| backup_id |
+-----------+
| 3         |
+-----------+
1 row in set (0.21 sec)
[30 Jan 2008 18:26] MySQL Verification Team
Thank you for the bug report. Verified as described:

[miguel@mira 6.0b]$ bin/mysql -uroot test
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 1
Server version: 6.0.5-alpha-debug Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> select 5 into outfile '/tmp/1';
ERROR 1290 (HY000): The MySQL server is running with the --secure-file-priv option so it cannot execute this statement
mysql>  backup database test to '/tmp/2';
+-----------+
| backup_id |
+-----------+
| 5         | 
+-----------+
1 row in set (0.13 sec)

mysql>
[21 Aug 2008 8:35] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/52187

2679 Jorgen Loland	2008-08-21
      Bug#34171 - "Backup: ignoring --secure-file-priv"
      
      Before patch: Backup code ignored secure-file-priv option, 
      allowing backup to write to any location
      
      After patch: Backup and restore are not allowed to write or read 
      outside path in secure-file-priv option if option has been 
      specified.
[26 Aug 2008 7:46] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/52520

2683 Jorgen Loland	2008-08-26
      Bug#34171 - "Backup: ignoring --secure-file-priv"
            
      Before patch: Backup code ignored secure-file-priv option, 
      allowing backup to write to any location
            
      After patch: Backup and restore are not allowed to write or read 
      outside path in secure-file-priv option if option has been 
      specified.
[26 Aug 2008 8:05] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/52521

2683 Jorgen Loland	2008-08-26
      Bug#34171 - "Backup: ignoring --secure-file-priv"
            
      Before patch: Backup code ignored secure-file-priv option, 
      allowing backup to write to any location
            
      After patch: Backup and restore are not allowed to write or read 
      outside path in secure-file-priv option if option has been 
      specified.
[26 Aug 2008 13:54] Chuck Bell
Patch approved pending the correction of the backupdir test failure and other minor requests.
[27 Aug 2008 9:22] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/52671

2683 Jorgen Loland	2008-08-27
      Bug#34171 - "Backup: ignoring --secure-file-priv"
                  
      Before patch: Backup code ignored secure-file-priv option, 
      allowing backup to write to any location
                  
      After patch: Backup and restore are not allowed to write or read 
      outside path in secure-file-priv option if option has been 
      specified.
[2 Sep 2008 8:59] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/53040

2689 Jorgen Loland	2008-09-02
      Bug#34171 - "Backup: ignoring --secure-file-priv"
                        
      Before patch: Backup code ignored secure-file-priv option, 
      allowing backup to write to any location
                        
      After patch: Backup and restore are not allowed to write or read 
      outside path in secure-file-priv option if option has been 
      specified.
[2 Sep 2008 9:00] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/53042

2689 Jorgen Loland	2008-09-02
      Bug#34171 - "Backup: ignoring --secure-file-priv"
                        
      Before patch: Backup code ignored secure-file-priv option, 
      allowing backup to write to any location
                        
      After patch: Backup and restore are not allowed to write or read 
      outside path in secure-file-priv option if option has been 
      specified.
[28 Sep 2008 18:51] Øystein Grøvlen
Patch pushed to 6.0 main for 6.0.8.
[29 Sep 2008 20:29] Paul DuBois
Noted in 6.0.8 changelog.

The secure_file_priv system variable now applies to BACKUP DATABASE
and RESTORE operations: If the value is nonempty, backup and restore
operations can read and write files only in the given directory.
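
The containment rule described in the changelog entry above, as an added C example (not the committed patch or any MySQL source). The function names `normalize` and `path_allowed` are hypothetical, the sample targets other than `/tmp/2` are constructed, and relative paths are rejected here on the assumption that a server would resolve them against its own base directory first.

```c
#include <stdio.h>
#include <string.h>

/* Lexically normalise an absolute path: collapse "//", "." and "..".
   Returns 0 on success, -1 if the path is relative or does not fit. */
static int normalize(const char *path, char *out, size_t cap)
{
    size_t len = 0;
    if (path[0] != '/' || cap < 2) return -1;
    while (*path) {
        while (*path == '/') path++;
        size_t n = strcspn(path, "/");
        if (n == 0) break;
        if (n == 2 && path[0] == '.' && path[1] == '.') {
            while (len > 0 && out[--len] != '/') { }  /* drop last component */
        } else if (!(n == 1 && path[0] == '.')) {
            if (len + n + 2 > cap) return -1;
            out[len++] = '/';
            memcpy(out + len, path, n);
            len += n;
        }
        path += n;
    }
    if (len == 0) out[len++] = '/';
    out[len] = '\0';
    return 0;
}

/* 1 if target lies inside secure_dir, else 0. An empty secure_dir means the
   option is unset (no restriction), as in the changelog entry above. */
int path_allowed(const char *secure_dir, const char *target)
{
    char dir[1024], tgt[1024];
    size_t n;
    if (secure_dir == NULL || secure_dir[0] == '\0') return 1;
    if (normalize(secure_dir, dir, sizeof dir) || normalize(target, tgt, sizeof tgt))
        return 0;                               /* fail closed */
    n = strlen(dir);
    if (n == 1) return 1;                       /* secure_dir is "/" */
    /* Prefix must end on a component boundary: ".../var" must not match ".../variant". */
    return strncmp(dir, tgt, n) == 0 && tgt[n] == '/';
}

int main(void)
{
    const char *dir = "/usr/local/mysql/var";   /* value used in the report */
    const char *t[] = { "/tmp/2", "/usr/local/mysql/var/test.bak",
                        "/usr/local/mysql/var/../../tmp/2", "/usr/local/mysql/variant/x" };
    for (int i = 0; i < 4; i++)
        printf("%-40s %s\n", t[i], path_allowed(dir, t[i]) ? "allowed" : "rejected");
    return 0;
}
```

The comparison is purely lexical; a check on a live filesystem also has to resolve symbolic links (for example with `realpath()` on the target's parent directory) before comparing.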