Bug #36447 Administrator allows Full Access to the Startup Variables for any User
Submitted: 1 May 2008 8:34 Modified: 4 Jun 2008 12:36
Reporter: Steffen Hösel
Status: No Feedback
Category: MySQL Administrator: Docs Severity: S2 (Serious)
Version: 1.2.12 OS: Microsoft Windows (XP or Vista)
Assigned to: CPU Architecture: Any
Triage: D4 (Minor)

[1 May 2008 8:34] Steffen Hösel
The MySQL Administrator does allow any connected user to change everything inside the Startup-Variables tab. Even if it's a Test-User with no rights at all, he can manage the complete work (not security related as far as I could see this) of the server and can even restart it to apply those settings.

Imagine a user installing the administrator locally on his machine and then connecting to the live server (within the intranet) with its normal data and the host of that server. He would then be able to shut down the server and can change everything from disabling the InnoDB feature to managing the replication and even to disable the safe-user creation so he can create accounts.

As this should not work remotely I place it into Serious, but it's a bug that should be cleared ASAP in my opinion.

How to repeat:
Just create a user locally (with CREATE USER or with the administrator itself) and connect with him using the administrator.

Suggested fix:
Haven't found something so far.

[1 May 2008 11:54] Sveta Smirnova
Thank you for the report.

According to http://dev.mysql.com/doc/administrator/en/mysql-administrator-service-control-configure-se... you would be able to edit the configuration file if you run MySQL Administrator as a Windows user who has access to the configuration file. But this is not very clear from this page. So I reclassify this report to documentation.

[4 May 2008 12:36] Stefan Hinz
The bug report mixes up a number of loosely related things:

- Generally, user authentication is done on the MySQL server. That is, if there's a user account *on the server* that has administrative privileges, and you're connecting with that account from MySQL Administrator to the server, you can naturally do all the things that that server administrator is able to do (including shutting down the server if that administrator has the SHUTDOWN privilege). This is neither a flaw in MySQL Administrator nor in MySQL Server, and is thoroughly explained in the DBA chapter of the MySQL Manual.

- Changing the server's option file (my.cnf or my.ini) can only be done on a local machine, that is, the machine that MySQL Administrator runs on. This is explained in the MySQL Administrator manual.

- Changing the option file can only be done if the (operating system) user has file privileges for that file. This is explained in the DBA chapter of the MySQL Manual.

- @ bug verifier: The last item is not a question of the operating system that MySQL Server runs on. Under Unix, my.cnf is often located in /etc/ which is normally writable only for the Unix root user. On Windows, MySQL is often installed using a non-privileged account which, in effect, results in everything in the installation directory (including my.ini) being writable for any user on that computer. The Installing & Upgrading chapter of the MySQL Manual explains that this shouldn't be done, but if the advice isn't followed there's no way for MySQL to keep anyone (including anyone who runs MySQL Administrator on that computer) from changing my.ini.

To conclude, I don't see a need to add anything to the MySQL documentation (MySQL Reference Manual or MySQL Administrator manual). If you think otherwise, please explain *exactly* what should be added, and where, to make things more clear.

[4 Jun 2008 23:00] Bugs System
No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
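
Stefan Hinz's comment ties the ability to change startup variables to operating-system write access on my.cnf or my.ini. As an added example (not part of the original thread or of MySQL's own tooling), this Python check flags a Unix option file, or the directory holding it, that is writable beyond a trusted owner. The function names, the trusted-uid parameter and the sample file are assumptions; on Windows the ACL of my.ini has to be inspected instead, because POSIX mode bits do not reflect it.

```python
import os
import stat
import tempfile

def audit_option_file(path, trusted_uids=(0,)):
    """Return (path, reason) findings for an option file and its directory.

    The directory is checked too: whoever can write to it can replace the
    file by rename, whatever the file's own mode is.
    """
    path = os.path.realpath(path)
    findings = []
    for target in (path, os.path.dirname(path)):
        st = os.stat(target)
        if st.st_uid not in trusted_uids:
            findings.append((target, "owner uid %d is not trusted" % st.st_uid))
        if st.st_mode & stat.S_IWGRP:
            findings.append((target, "group-writable (gid %d)" % st.st_gid))
        if st.st_mode & stat.S_IWOTH:
            findings.append((target, "world-writable"))
    return findings

def demo():
    """Run the audit on a constructed my.cnf in a temporary directory."""
    me = (os.getuid(),)  # assumption: the current user is the trusted owner
    with tempfile.TemporaryDirectory() as d:
        cnf = os.path.join(d, "my.cnf")
        with open(cnf, "w") as f:
            f.write("[mysqld]\nport=3306\n")  # constructed sample content
        os.chmod(d, 0o755)
        os.chmod(cnf, 0o644)
        locked_down = audit_option_file(cnf, me)
        os.chmod(cnf, 0o666)   # any local user can edit the file
        loose_file = [reason for _, reason in audit_option_file(cnf, me)]
        os.chmod(cnf, 0o644)
        os.chmod(d, 0o777)     # any local user can swap the file out
        loose_dir = audit_option_file(cnf, me)
        os.chmod(d, 0o755)     # restore before cleanup
    return locked_down, loose_file, loose_dir

if __name__ == "__main__":
    for result in demo():
        print(result)
```

On a real host, call `audit_option_file("/etc/my.cnf")` with the default trusted uid of 0; an empty list means only root can change the file or replace it.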