Bug #49826 MySQL installs a 'local system' not 'network service'
Submitted: 19 Dec 2009 14:02
Modified: 21 Dec 2009 12:51
Reporter: Peter Laursen (Basic Quality Contributor)
Status: Verified
Category: MySQL Server: General
Severity: S3 (Non-critical)
Version: any
OS: Microsoft Windows (any)
Assigned to:
CPU Architecture: Any
Tags: qc

[19 Dec 2009 14:02] Peter Laursen
Description:
Registry after installing MySQL reads

"ObjectName"="LocalSystem"

I believe it should be 

"ObjectName"="NetworkService"

This is our own conclusion with those of our own programs that are server programs after attending Microsoft seminars on 'Windows security' and 'Win7 compatibility'.

The MS people there claimed that running a service as "LocalSystem" is a potential security hole (but probably not a big one).

How to repeat:
Don't ask me more details!

Suggested fix:
Some more research will probably be required.
[19 Dec 2009 17:50] MySQL Verification Team
Thank you for the bug report. Could you please point us to the Microsoft documentation where that is mentioned? BTW, below you can see a MySQL service called mysqld51 and the service of SQL Server 2005 installed on my machine; both are actually LocalSystem:

C:\>sc qc mysqld51
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: mysqld51
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\dbs\5.1\bin\mysqld --defaults-file=c:\dbs\files\my.ini mysqld51
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : mysqld51
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\>sc qc MSSQLSERVER
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: MSSQLSERVER
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : SQL Server (MSSQLSERVER)
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
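
Added example (not part of the original bug thread, and not MySQL's code): a Python parser for `sc qc` output like the above that reports which services log on as LocalSystem, including values the console has hard-wrapped. The sample input is constructed from the output in this report; the second service, `examplesvc`, and its path are hypothetical.

```python
import re

# Constructed sample modelled on the `sc qc` output in this report; the
# second service (examplesvc) is hypothetical. Note the console-wrapped path.
SAMPLE = r"""
C:\>sc qc mysqld51
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: mysqld51
        TYPE               : 10  WIN32_OWN_PROCESS
        BINARY_PATH_NAME   : C:\dbs\5.1\bin\mysqld --defaults-file=c:\dbs\files\my.ini mysq
ld51
        SERVICE_START_NAME : LocalSystem

C:\>sc qc examplesvc
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: examplesvc
        BINARY_PATH_NAME   : C:\example\svc.exe
        SERVICE_START_NAME : NT AUTHORITY\NetworkService
"""

# "KEY : value" lines; keys are upper-case words of three or more characters,
# so a prompt such as "C:\>" is not mistaken for a field.
FIELD = re.compile(r"^\s*([A-Z_]{3,})\s*:\s?(.*)$")

def parse_sc_qc(text):
    """Parse concatenated `sc qc` output into one dict per service."""
    services, current, last_key = [], None, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m and m.group(1) == "SERVICE_NAME":
            current = {"SERVICE_NAME": m.group(2).strip()}
            services.append(current)
            last_key = None
        elif current is None or not line.strip():
            last_key = None          # text before the first record, or a blank line
        elif m:
            last_key = m.group(1)
            current[last_key] = m.group(2).strip()
        elif last_key:               # hard-wrapped continuation of the previous value
            current[last_key] += line.strip()
    return services

def runs_as_local_system(service):
    """True when the service's logon account is LocalSystem."""
    start = service.get("SERVICE_START_NAME", "").lower()
    return start in ("localsystem", r"nt authority\system")

def audit(text):
    """Names of the services in `text` that run as LocalSystem."""
    return [s["SERVICE_NAME"] for s in parse_sc_qc(text) if runs_as_local_system(s)]
```
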
[19 Dec 2009 18:05] Peter Laursen
I think I will ask the persons who actually followed that seminar to detail by beginning of next week.
[19 Dec 2009 18:22] Valeriy Kravchuk
For reference: http://msdn.microsoft.com/en-us/library/ms684190(VS.85).aspx

Oracle XE, SAP DB and most of the other services on my XP run as Local System. Although SQL Server Express edition runs as Network Service.
[19 Dec 2009 19:57] Peter Laursen
About LocalSystem: "Most services do not need such a high privilege level. If your service does not need these privileges, and it is not an interactive service, consider using the LocalService account or the NetworkService account. For more information, see Service Security and Access Rights."

Isn't it for the same reason that mysqld does not run as 'root' on Unix? And this is even worse, as the NT_AUTHORITY user does not even have a password.

However, there may be a problem with 'named pipes' and 'Network service'. I was not able to find details about this by following links in Valeriy's post. But even if 'named pipes' require the 'Local System' account, it should be optional at least. Practically nobody uses 'named pipes' with MySQL anyway (and as SQL Server Express does not require it, I believe it is likely not a problem).

But still I'll ask my colleague Sayan if he can provide details of scenarios where the (by MS people) claimed security risk 'materializes' into an actual threat.
[21 Dec 2009 2:00] Roel Van de Paar
As far as MSSQL goes:
'Selecting an Account for the SQL Server Agent Service'
'The Local System account option is provided for backward compatibility only. The Local System account has permissions that SQL Server Agent does not require. Avoid running SQL Server Agent as the Local System account.'
http://msdn.microsoft.com/en-us/library/ms191543.aspx

Microsoft points out the same in connection with other software like IE6:
'The LocalSystem account has access to almost all resources on the operating system, and therefore creates serious security implications. You should avoid using the LocalSystem account when possible. If it is absolutely necessary to use the LocalSystem account on an application, run that application in a new application pool in its own virtual directory so you can reduce the attack surface by isolating the application. As an alternative, and if your application needs permission to use the Trusted Computing Base (TCB), run the application as a configurable identity and assign the TCB permission to the configurable identity. This alternative, however, still presents a security risk because the TCB permission is very powerful.'
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/bd42b731-b1a9-4...

Other interesting link:
http://social.msdn.microsoft.com/Forums/en/sqlsecurity/thread/be49f504-2bae-4df1-8f6b-42a7...
[21 Dec 2009 2:02] Roel Van de Paar
s/IE6/IIS 6.0/
[21 Dec 2009 9:12] Peter Laursen
I understand from Roel's links that "Network Service" is only available from WinXP/2003.  Current implementation was probably designed for NT4/Win2K and not reviewed after that?
[21 Dec 2009 10:54] Peter Laursen
I discussed with Sayan. He has nothing to add as links to the Microsoft pages are now already here.

The ultimate threat would likely be if some malicious program has the luck to 'masquerade' itself as the MySQL server.

I believe "Network Service" should be the default user for MySQL on Win-XP and higher. Additionally, the "mysqld --install .." syntax could provide an additional parameter for specifying the user, and the Installer could provide a similar option. We checked and MySQL works fine as a "Network Service" program.
[21 Dec 2009 11:44] Valeriy Kravchuk
So, we can speak about a reasonable feature request here, "Provide options to install MySQL as 'network service' on Windows XP and newer versions".
[21 Dec 2009 12:51] Peter Laursen
I still think "Network Service" should be default and anything else 'an option'. 

However, it seems that when installing as "Network Service", permission to access and listen on ports must be set explicitly by installation routines.
[21 Dec 2009 23:54] Omer Barnir
triage: setting tag to CHECKED (FR) - should be considered sooner rather than later.
Note: This also requires a server change as well (cat server:General) - Joro Lead