Bug #39581 BACKUP file restrictions should be decoupled from FILE file restrictions
Submitted: 22 Sep 2008 11:20 Modified: 8 Apr 1:56
Reporter: Domas Mituzas
Status: Closed
Category: Server: Backup    Severity: S4 (Feature request)
Version:    OS: Any
Assigned to: Chuck Bell    Target Version: 6.0-beta
Triage: Needs Triage: D2 (Serious)

[22 Sep 2008 11:20] Domas Mituzas
Description:
BACKUP should be decoupled from --secure-file-priv, because BACKUP and FILE together
cause multiple security attack vectors

How to repeat:
-

Suggested fix:
Add --secure-backup-file-priv ;-)
[30 Oct 2008 16:32] Domas Mituzas
Apparently this needs explanation.

1) BACKUP allows writing all server data to a file, FILE allows reading it. Once this is
governed by the same security restriction, it can be used to attack the server.
2) FILE allows writing any data to a file, RESTORE would read it. This allows restoring
any user-supplied data, rather than requiring physical access to the server.

So, if --secure-file-priv applies to both, in combination these two privileges allow way
too much stuff to be done, rather than being innocent access rights for lightweight
system administration.

That's why, for proper security, directory access rules have to be decoupled/separate.
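A small model of the two-directory check this comment argues for, added here as an illustration (it is not MySQL server code); the `FilePolicy` class, the operation names and the sample directories are assumptions, and `inside_dir` canonicalises paths so traversal and symlinks cannot escape a directory:

```python
from pathlib import Path
from typing import Optional

# Added model (not MySQL server code) of the directory rules this bug asks
# for: FILE-privilege operations are confined to secure_file_priv, while
# BACKUP/RESTORE are confined to a separate secure_backup_file_priv.
FILE_OPS = {"LOAD_FILE", "INTO_OUTFILE", "LOAD_DATA"}
BACKUP_OPS = {"BACKUP", "RESTORE"}


def inside_dir(path: str, secure_dir: Optional[str]) -> bool:
    """True if path resolves inside secure_dir; None disables the limit.

    resolve() normalises '..' and follows symlinks, so a path that escapes
    the directory by traversal or link is refused, not just a bad prefix.
    """
    if secure_dir is None:
        return True
    base = Path(secure_dir).resolve()
    target = Path(path).resolve()  # non-strict: an unwritten image resolves
    return target == base or base in target.parents


class FilePolicy:
    """Hypothetical holder for the two server settings discussed above."""

    def __init__(self, secure_file_priv: Optional[str],
                 secure_backup_file_priv: Optional[str]):
        self.secure_file_priv = secure_file_priv
        self.secure_backup_file_priv = secure_backup_file_priv

    def allowed(self, op: str, path: str) -> bool:
        if op in FILE_OPS:
            return inside_dir(path, self.secure_file_priv)
        if op in BACKUP_OPS:
            return inside_dir(path, self.secure_backup_file_priv)
        raise ValueError(f"unknown operation {op!r}")


def backup_image_exposed(policy: FilePolicy, image: str) -> bool:
    """Vector 1 of the report: BACKUP writes the image and FILE reads it back."""
    return policy.allowed("BACKUP", image) and policy.allowed("LOAD_FILE", image)


def user_data_restorable(policy: FilePolicy, upload: str) -> bool:
    """Vector 2: FILE writes arbitrary bytes where RESTORE will accept them."""
    return policy.allowed("INTO_OUTFILE", upload) and policy.allowed("RESTORE", upload)
```

With both settings pointing at the same directory both checks return True (the coupled situation the report describes); with separate directories both return False.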
[4 Feb 22:40] Chuck Bell
Initial prototype patch for new --secure-backup-file-priv variable.

Attachment: 39581.diff (application/octet-stream, text), 13.92 KiB.

[4 Feb 22:41] Chuck Bell
Created initial patch to add a new variable named --secure-backup-file-priv.

Must add tests to ensure this new variable is distinct from --secure-file-priv WRT backup
system.
[5 Feb 21:49] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/65406

2758 Chuck Bell	2009-02-05
      BUG#39581 : BACKUP file restrictions should be decoupled from FILE file restrictions
      
      This patch creates a new --secure-backup-file-priv startup option and
      secure_backup_file_priv read only variable. This replaces the original
      use of the --secure-file-priv and associated variable. This change was
      needed to prevent exploitation of a security vulnerability by giving too
      much access to backup and restore. The new --secure-backup-file-priv
      allows administrators to restrict backup and restore to/from a specific
      directory.
      
      Attention: This patch contains three file moves. To apply this patch
      you must first execute the following commands from the tree root:
      
      bzr mv ./mysql-test/suite/backup/t/backup_securefilepriv.test ./mysql-test/suite/backup/t/backup_securebackup.test
      
      bzr mv ./mysql-test/suite/backup/r/backup_securefilepriv.result ./mysql-test/suite/backup/r/backup_securebackup.result
      
      bzr mv ./mysql-test/suite/backup/t/backup_securefilepriv-master.opt ./mysql-test/suite/backup/t/backup_securebackup-master.opt
[6 Feb 15:52] Jorgen Loland
Patch approved.
[6 Feb 17:43] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/65500

2758 Chuck Bell	2009-02-06
      BUG#39581 : BACKUP file restrictions should be decoupled from FILE file restrictions
      
      This patch creates a new --secure-backup-file-priv startup option and
      secure_backup_file_priv read only variable. This replaces the original
      use of the --secure-file-priv and associated variable. This change was
      needed to prevent exploitation of a security vulnerability by giving too
      much access to backup and restore. The new --secure-backup-file-priv
      allows administrators to restrict backup and restore to/from a specific
      directory.
      
      Attention: This patch contains three file moves. To apply this patch
      you must first execute the following commands from the tree root:
      
      bzr mv ./mysql-test/suite/backup/t/backup_securefilepriv.test ./mysql-test/suite/backup/t/backup_securebackup.test
      
      bzr mv ./mysql-test/suite/backup/r/backup_securefilepriv.result ./mysql-test/suite/backup/r/backup_securebackup.result
      
      bzr mv ./mysql-test/suite/backup/t/backup_securefilepriv-master.opt ./mysql-test/suite/backup/t/backup_securebackup-master.opt
[9 Feb 19:18] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/65642

2763 Chuck Bell	2009-02-09
      BUG#39581 : BACKUP file restrictions should be decoupled from FILE file restrictions
      
      This patch creates a new --secure-backup-file-priv startup option and
      secure_backup_file_priv read only variable. This replaces the original
      use of the --secure-file-priv and associated variable. This change was
      needed to prevent exploitation of a security vulnerability by giving too
      much access to backup and restore. The new --secure-backup-file-priv
      allows administrators to restrict backup and restore to/from a specific
      directory.
      
      Attention: This patch contains three file moves. To apply this patch
      you must first execute the following commands from the tree root:
      
      bzr mv ./mysql-test/suite/backup/t/backup_securefilepriv.test ./mysql-test/suite/backup/t/backup_securebackup.test
      
      bzr mv ./mysql-test/suite/backup/r/backup_securefilepriv.result ./mysql-test/suite/backup/r/backup_securebackup.result
      
      bzr mv ./mysql-test/suite/backup/t/backup_securefilepriv-master.opt ./mysql-test/suite/backup/t/backup_securebackup-master.opt
[26 Mar 13:34] Bugs System
Pushed into 6.0.11-alpha (revid:alik@sun.com-20090326121822-pt84kzxxayzho4mn) (version source revid:rafal.somla@sun.com-20090302164601-znhm4tadplfi2iqu) (merge vers: 6.0.11-alpha) (pib:6)
[8 Apr 1:56] Paul DuBois
Noted in 6.0.11 changelog.

Previously, the --secure-file-priv option and secure_file_priv system
variable, if set to a directory, limited BACKUP DATABASE and RESTORE
operations to files in the given directory. Now the
--secure-backup-file-priv option and secure_backup_file_priv system
variable apply instead. 

Also adjusted the descriptions for BACKUP DATABASE and RESTORE.