Bug #21739 MySQL default socket location in world-writable directory
Submitted: 20 Aug 2006 16:24    Modified: 30 Aug 2006 14:48
Reporter: [ name withheld ]
Status: Won't fix
Category: MySQL Server    Severity: S2 (Serious)
CPU Architecture: Any

[20 Aug 2006 16:24] [ name withheld ]
Description:
Creating a file in a world-writable directory without randomizing the file name constitutes a security exposure that any local user can exploit. Certain MySQL binary distributions present on mysql.com have MySQL configured to use /tmp/mysql.sock, thus exposing the socket. It should be a simple matter to prepare these binary distributions with the socket in a directory that only the mysql user can write, such as /var/mysql.

How to repeat:
Install the binary distribution, start mysqld, and note that the socket is at /tmp/mysql.sock.
[21 Aug 2006 12:15] MySQL Verification Team
Thank you for the bug report. There is the server start option --socket for that purpose.
[21 Aug 2006 13:44] [ name withheld ]
Of course the administrator can specify a secure location for the socket in /etc/my.cnf or via the command line, but that is not the point. The point is that the default configuration is insecure.
[24 Aug 2006 9:40] Sergei Golubchik
What is a "security exposure" here?
How can one "exploit" it? Please elaborate.
[29 Aug 2006 10:15] Martin Friebe
I'm not the original reporter, but I would think that any local user on the mysql server could rename/replace the socket and do a man-in-the-middle attack to steal passwords and data....

but then anyone having non-trustable local users on an important db server ....
[29 Aug 2006 12:13] Sergei Golubchik
One cannot. Not in /tmp at least, because it has the sticky bit set.
[30 Aug 2006 13:22] [ name withheld ]
The sticky bit protects against delete and rename, but does not prevent local users (and no administrator should trust local users) from repeatedly creating a symlink in /tmp with the same name as mysql.sock.
[30 Aug 2006 13:52] Sergei Golubchik
Are you worrying about MySQL creating or overwriting the location a symlink points to? It cannot happen: if /tmp/mysql.sock exists, bind() will fail and MySQL will exit with an error.

Are you worrying about DoS? MySQL is usually started during the system startup from rc scripts, and it deletes /tmp/mysql.sock if it exists before creating a socket. No local user will be able to exploit this race condition by creating a /tmp/mysql.sock file during the system startup. And if one starts MySQL manually, he'll surely notice an error message if some local user prevented mysqld from starting.
[30 Aug 2006 14:48] [ name withheld ]
Yes, the race condition allowing a DoS scenario should not be dismissed. We cannot assume that MySQL will *only* be started at system startup time; there are plenty of reasons to start MySQL without a reboot. And of course administrators will notice an error message, or merely notice that MySQL failed to start, but the fact that the DoS is easily noticed is secondary to the main problem.