Bug #36176 New default data directory
Submitted: 17 Apr 2008 11:01 Modified: 23 Apr 2008 18:52
Reporter: Olaf van der Spek (Basic Quality Contributor)
Status: Not a Bug
Category: MySQL Server: Installing Severity: S3 (Non-critical)
Version: 5.1.24 OS: Windows
Assigned to: Iggy Galarza CPU Architecture: Any
Tags: qc

[17 Apr 2008 11:01] Olaf van der Spek
Description:
The new default data directory is C:\Documents and Settings\All Users\Application Data\...

Doesn't that give write access to the data files to all users of the system? I don't think that's an improvement from the old directory.

How to repeat:
Install 5.1.24.
[17 Apr 2008 11:12] Valeriy Kravchuk
This is a known problem already reported internally.
[17 Apr 2008 21:39] Peter Laursen
I am sorry ... but it comes from my report here:
http://bugs.mysql.com/bug.php?id=34593
(but this report was verified very fast, so probably there had been some considerations in MySQL organisation before ...)

Problem is that (as I see it) using "\program files" folder tree for data storage will corrupt data (and logs) for other users in Vista and Windows 2008 

* if the user is not an admin user and 
* if UAC is ON and
* if program is started as a 'user program' (I think not as a 'service') from \program files ..
[17 Apr 2008 21:43] Olaf van der Spek
Why would it corrupt files?
If MySQL is started as a normal user, files shouldn't go in All Users either IMO.
[17 Apr 2008 22:04] Peter Laursen
Because in Vista and Windows 2008 non-admin users cannot write to \program files\etc if the Vista/2008 UAC feature (User Account Control) is ON!  It will write to a folder that only this user can access and it will be completely transparent to user!  Another user will not be able to access.  What will actually happen when another user starts MySQL (crash, database totally corrupted, or only latest changes not avail for other users) I do not know.  It also may depend on how the ENGINE uses the file system.

Do you know UAC?

There is a real dilemma here .. MySQL is designed for *nix (or you may say POSIX) with a file privileges system that results in problems with Windows Vista/2008 with UAC!

You may turn UAC 'OFF' of course, but in MS-oriented organisations that will NEVER happen! For those UAC is the 'cornerstone' of security improvements in recent Windows!
[17 Apr 2008 22:11] Peter Laursen
a few links:

http://technet.microsoft.com/en-us/windowsvista/aa906021.aspx
http://en.wikipedia.org/wiki/User_Account_Control

The culprit is 'file system virtualisation'.  MySQL is not affected by 'registry virtualisation' as it does not depend on registry data at run-time.
[17 Apr 2008 22:13] Olaf van der Spek
> Because in Vista and Windows 2008 non-admin users cannot write to
\program files\etc if the Vista/2008 UAC feature (User Account Control)
is ON!  

I assume this does not depend on UAC. In 2000/XP, a non-admin user can't write to Program Files either AFAIK.

> It will write to a folder that only this user can access and it
will be completely transparent to user!  Another user will not be able
to access.  What will actually happen when another user starts MySQL
(crash, database totally corrupted, or only latest changes not avail
for other users) I do not know.  

Ah, so corruption is an assumption?
I'd assume it'd behave like the files would be stored in the user's personal profile (not all users). That is, each user would have his own copy of the database.

> It also may depend on how the ENGINE
uses the file system.

> Do you know UAC?

I do, but I don't have much experience with Vista.

> There is a real dilemma here .. MySQL is designed for *nix (or you may
say POSIX) with a file privileges system that results in problems with
Windows Vista/2008 with UAC!

What is the difference with POSIX? On POSIX the database is usually only accessible to a user named MySQL and not to other users.

> You may turn UAC 'OFF' of course, but in MS-oriented organisations that
will NEVER happen! For those UAC is the 'cornerstone' of security
improvements in recent Windows!

I'm only using MySQL as a service. Is MySQL often being used by individual users?
Surely if you're going to install a server you install it as a service, right?
[17 Apr 2008 22:51] Peter Laursen
"I assume this does not depend on UAC. In 2000/XP, a non-admin user can't write to Program Files either AFAIK."

.. and on 2K/XP that is it!

.. in Vista/2008 it will (with default settings) *write somewhere else instead*.  That *somewhere else* is not accessible for other users!

I *think* that as long as only user data (and not system data) are changed no serious corruption will take place. But huge files may need to be copied to user's virtualized folder, which may be horribly slow. I am not on MySQL payroll and have no obligation to detail more on that .. I have my own business to take care of!

I think the MySQL people know more details. They were *very fast* to verify my report! I also think they should have considered this *somewhat* before (MS had documented everything with Vista beta1!).  

I can only say that I have had lots of problems with all sorts of server programs (including Apache and Cygwin/SSHD) and UAC before I found out the reason for it (I also knew nothing about UAC when I first got a laptop with Vista).  You will also easily find reports on the Internet of corruption and loss of configuration data due to this with simple programs.
[17 Apr 2008 23:08] Peter Laursen
"Surely if you're going to install a server you install it as a service, right?"

There are different routines.  Some people will not have the service starting with the OS (if they need to have LOTS of versions including old versions for testing your application for instance) and may start it as a 'user program'.

It is of course a solution to have it somewhere else but in 'Program Files' - like C:\  ... but that is then equally unprotected as 'AppData'.

Personally I do not mind much what the final solution will be! And I realize that no solution is perfect.  What I reported will probably affect less than 1% of users.  But then it is also a problem if user does not understand what is happening!

Let the MySQL people do what they find best, document it - and hopefully provide a somewhat better installer and configuration wizard.
[17 Apr 2008 23:09] Peter Laursen
.. and then I will not say more but await the conclusion!
[22 Apr 2008 17:11] Iggy Galarza
Hi!  Thank you for the very interesting discussion about the new data location. I'd like to address a couple of the questions that were raised.  

1. Why did we suddenly change the default data location?  It's the right thing to do! We are working very hard internally to achieve "Certified for Vista" status which requires that we not write data files to the Program Files path. It was a suggestion for XP but it's a requirement for Vista.

2. Why are you writing to All Users\AppData and not the current user's AppData directory?  This is in fact not a change. The MySQL Server installation is a per-machine installation as is fitting for a server application. The installer expands AppData to the All Users directory for a per-machine installation.

3. Can I do a per-user installation?  Yes. The MySQL installer is only useful if you're doing a single install on a machine (read most users). The best way to accomplish a per-user installation is to use the noinstall zips we provide. Simply extract the files and then use mysqld to register a service.  Once the service is registered you can use the Config Wizard to configure the service instance.  The only difference at that point is that you won't have the nice Start menu shortcuts and non-essential registry keys.

The last thing I'd like to add is that this is only the _default_ location.  Before this change, the user had no choice as to where the data files would be located during install.  With the change, if a user chooses the Custom installation she will notice an expanded sub-element for the Server binaries that allows her to choose the data location.  Thanks again for the good discussion and the invaluable community contributions!
[22 Apr 2008 17:57] Olaf van der Spek
Hi,

Thanks for the answer. One question remains though: why did the data directory become world-readable and writable (AFAIK)?
[22 Apr 2008 19:24] Iggy Galarza
The installer does not explicitly set any additional rights for the data directory. My tests confirmed that the new data directory (C:\Documents and Settings\All Users\Application Data\MySQL) inherits the rights assigned to its parent directory on a Windows XP Pro SP2 machine that has a single NTFS hard disk.
[22 Apr 2008 19:30] Olaf van der Spek
That doesn't seem like an improvement. ;)
[23 Apr 2008 16:46] Iggy Galarza
I agree, it's not an improvement but it's not new either.  The files that are installed into the Program Files directory also inherit their rights from the parent and also have write assigned to all the system accounts.
[23 Apr 2008 18:52] Olaf van der Spek
> and also have write assigned to all the system accounts.

Eh, no, members of the group 'Users' do not have write access under Program Files. That's the reason programs are not supposed to write to that directory. ;)
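
An added example, not part of the original thread or of MySQL's own code: a PowerShell check for the point the thread disputes, listing the Allow entries that give Everyone, Authenticated Users or BUILTIN\Users write-type rights on a directory, and whether each entry is inherited from the parent. The default paths and the function name `Get-BroadWriteAce` are assumptions; Deny entries are not evaluated, so this lists ACEs rather than computing effective access.

```powershell
# Added example: list Allow ACEs that let broad groups modify a directory.
param(
    # First path is the one quoted in the thread; adjust for your install.
    [string[]]$Path = @(
        'C:\Documents and Settings\All Users\Application Data\MySQL',
        $env:ProgramFiles
    )
)

# Well-known SIDs, so the check also works on localized Windows installs.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Rights that allow changing, replacing or re-permissioning data files.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Raw GENERIC_WRITE / GENERIC_ALL bits, which can appear in inherit-only ACEs.
$GenericMask = 0x40000000 -bor 0x10000000

function Get-BroadWriteAce {
    param([string]$Directory)
    $acl = Get-Acl -LiteralPath $Directory
    # Request SIDs instead of names; include explicit and inherited rules.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        $sid = $r.IdentityReference.Value
        $rights = [int]$r.FileSystemRights
        if ($r.AccessControlType -ne 'Allow') { continue }
        if (-not $BroadSids.ContainsKey($sid)) { continue }
        if (($rights -band ($WriteMask -bor $GenericMask)) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Directory
            Group     = $BroadSids[$sid]
            Rights    = $r.FileSystemRights
            Inherited = $r.IsInherited   # True: the ACE comes from a parent directory
            Flags     = $r.InheritanceFlags
        }
    }
}

foreach ($p in $Path) {
    if (Test-Path -LiteralPath $p) { Get-BroadWriteAce -Directory $p }
    else { Write-Warning "Not found: $p" }
}
```

No output for a path means none of the three groups holds a write-type Allow entry there; rows with `Inherited` set to True are the inherited rights discussed in the thread.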