Bug #39581 | BACKUP file restrictions should be decoupled from FILE file restrictions | ||
---|---|---|---|
Submitted: | 22 Sep 2008 9:20 | Modified: | 7 Apr 2009 23:56 |
Reporter: | Domas Mituzas | Email Updates: | |
Status: | Closed | Impact on me: | |
Category: | MySQL Server: Backup | Severity: | S4 (Feature request) |
Version: | OS: | Any | |
Assigned to: | Chuck Bell | CPU Architecture: | Any |
[22 Sep 2008 9:20]
Domas Mituzas
[30 Oct 2008 15:32]
Domas Mituzas
Apparently this needs explanation.

1) BACKUP allows writing all server data to a file, FILE allows reading it. Once this is governed by the same security restriction, it can be used to attack the server.

2) FILE allows writing any data to a file, RESTORE would read it. This allows restoring any user-supplied data, rather than requiring physical access to the server.

So, if --secure-file-priv applies to both, in combination these two privileges allow way too much stuff to be done, rather than being innocent access rights for lightweight system administration. That's why, for proper security, directory access rules have to be decoupled/separate.
[4 Feb 2009 21:40]
Chuck Bell
Initial prototype patch for new --secure-backup-file-priv variable.
Attachment: 39581.diff (application/octet-stream, text), 13.92 KiB.
[4 Feb 2009 21:41]
Chuck Bell
Created initial patch to add a new variable named --secure-backup-file-priv. Must add tests to ensure this new variable is distinct from --secure-file-priv WRT backup system.
[5 Feb 2009 20:49]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:

http://lists.mysql.com/commits/65406

2758 Chuck Bell 2009-02-05
BUG#39581 : BACKUP file restrictions should be decoupled from FILE file restrictions

This patch creates a new --secure-backup-file-priv startup option and secure_backup_file_priv read only variable. This replaces the original use of the --secure-file-priv and associated variable. This change was needed to prevent exploitation of a security vulnerability by giving too much access to backup and restore. The new --secure-backup-file-priv allows administrators to restrict backup and restore to/from a specific directory.

Attention: This patch contains three file moves. To apply this patch you must first execute the following commands from the tree root:

bzr mv ./mysql-test/suite/backup/t/backup_securefilepriv.test ./mysql-test/suite/backup/t/backup_securebackup.test
bzr mv ./mysql-test/suite/backup/r/backup_securefilepriv.result ./mysql-test/suite/backup/r/backup_securebackup.result
bzr mv ./mysql-test/suite/backup/t/backup_securefilepriv-master.opt ./mysql-test/suite/backup/t/backup_securebackup-master.opt
[6 Feb 2009 14:52]
Jørgen Løland
Patch approved.
[6 Feb 2009 16:43]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:

http://lists.mysql.com/commits/65500

2758 Chuck Bell 2009-02-06
BUG#39581 : BACKUP file restrictions should be decoupled from FILE file restrictions

This patch creates a new --secure-backup-file-priv startup option and secure_backup_file_priv read only variable. This replaces the original use of the --secure-file-priv and associated variable. This change was needed to prevent exploitation of a security vulnerability by giving too much access to backup and restore. The new --secure-backup-file-priv allows administrators to restrict backup and restore to/from a specific directory.

Attention: This patch contains three file moves. To apply this patch you must first execute the following commands from the tree root:

bzr mv ./mysql-test/suite/backup/t/backup_securefilepriv.test ./mysql-test/suite/backup/t/backup_securebackup.test
bzr mv ./mysql-test/suite/backup/r/backup_securefilepriv.result ./mysql-test/suite/backup/r/backup_securebackup.result
bzr mv ./mysql-test/suite/backup/t/backup_securefilepriv-master.opt ./mysql-test/suite/backup/t/backup_securebackup-master.opt
[9 Feb 2009 18:18]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:

http://lists.mysql.com/commits/65642

2763 Chuck Bell 2009-02-09
BUG#39581 : BACKUP file restrictions should be decoupled from FILE file restrictions

This patch creates a new --secure-backup-file-priv startup option and secure_backup_file_priv read only variable. This replaces the original use of the --secure-file-priv and associated variable. This change was needed to prevent exploitation of a security vulnerability by giving too much access to backup and restore. The new --secure-backup-file-priv allows administrators to restrict backup and restore to/from a specific directory.

Attention: This patch contains three file moves. To apply this patch you must first execute the following commands from the tree root:

bzr mv ./mysql-test/suite/backup/t/backup_securefilepriv.test ./mysql-test/suite/backup/t/backup_securebackup.test
bzr mv ./mysql-test/suite/backup/r/backup_securefilepriv.result ./mysql-test/suite/backup/r/backup_securebackup.result
bzr mv ./mysql-test/suite/backup/t/backup_securefilepriv-master.opt ./mysql-test/suite/backup/t/backup_securebackup-master.opt
[26 Mar 2009 12:34]
Bugs System
Pushed into 6.0.11-alpha (revid:alik@sun.com-20090326121822-pt84kzxxayzho4mn) (version source revid:rafal.somla@sun.com-20090302164601-znhm4tadplfi2iqu) (merge vers: 6.0.11-alpha) (pib:6)
[7 Apr 2009 23:56]
Paul DuBois
Noted in 6.0.11 changelog. Previously, the --secure-file-priv option and secure_file_priv system variable, if set to a directory, limited BACKUP DATABASE and RESTORE operations to files in the given directory. Now the --secure-backup-file-priv option and secure_backup_file_priv system variable apply instead. Also adjusted the descriptions for BACKUP DATABASE and RESTORE.
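Added example, not part of the bug report or of the MySQL source: a small configuration audit that checks whether the FILE directory (--secure-file-priv) and the BACKUP/RESTORE directory (--secure-backup-file-priv) named in this thread are actually decoupled. The my.cnf fragments, the directory paths and the function names are constructed for illustration, and treating an unset option as "no directory restriction" is an assumption.

```python
import configparser
import posixpath

# Constructed sample my.cnf fragments (not from the bug report).
SHARED_CNF = """[mysqld]
secure-file-priv = /srv/mysql/io
secure-backup-file-priv = /srv/mysql/io
"""
SPLIT_CNF = """[mysqld]
secure_file_priv = /srv/mysql/io
secure_backup_file_priv = /srv/mysql/io-backup/
"""

def read_priv_dirs(cnf_text):
    """Return (secure_file_priv, secure_backup_file_priv) from [mysqld]; '' if unset."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None, strict=False)
    cp.read_string(cnf_text)
    opts = {}
    if cp.has_section("mysqld"):
        for key, value in cp.items("mysqld"):
            # Option names may be written with dashes or underscores.
            opts[key.replace("-", "_")] = (value or "").strip().strip("\"'")
    return opts.get("secure_file_priv", ""), opts.get("secure_backup_file_priv", "")

def is_within(child, parent):
    """Lexical containment check; symlinks are not resolved."""
    child, parent = posixpath.normpath(child), posixpath.normpath(parent)
    return child == parent or child.startswith(parent.rstrip("/") + "/")

def audit(cnf_text):
    """Return a list of findings; an empty list means the two areas are decoupled."""
    file_dir, backup_dir = read_priv_dirs(cnf_text)
    findings = []
    if not file_dir:
        findings.append("secure-file-priv unset")  # assumed: FILE I/O not confined
    if not backup_dir:
        findings.append("secure-backup-file-priv unset")  # assumed: BACKUP/RESTORE not confined
    if file_dir and backup_dir and (
        is_within(file_dir, backup_dir) or is_within(backup_dir, file_dir)
    ):
        # Same or nested directory recreates the coupling described in this report.
        findings.append("FILE and BACKUP/RESTORE directories overlap")
    return findings

if __name__ == "__main__":
    for name, text in (("shared", SHARED_CNF), ("split", SPLIT_CNF)):
        print(name, audit(text) or "ok")
```

The comparison is purely lexical, so a symlink from one directory into the other has to be checked separately on the host.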