Bug #59156 A non-privileged user may shut down the server
Submitted: 24 Dec 2010 13:52 Modified: 24 Dec 2010 19:38
Reporter: Peter Laursen (Basic Quality Contributor)
Status: Duplicate
Category: MySQL Server Severity: S3 (Non-critical)
Version: any OS: Any
Assigned to: CPU Architecture: Any
Tags: qc

[24 Dec 2010 13:52] Peter Laursen
Description:
http://dev.mysql.com/doc/refman/5.1/en/check-table.html

"If CHECK TABLE finds a problem for an InnoDB table, the server shuts down to prevent error propagation. Details of the error will be written to the error log."

How to repeat:
SHOW GRANTS;
/*
Grants for peter@localhost                                               
-------------------------------------------------------------------------
GRANT SELECT, SHOW DATABASES ON *.* TO 'peter'@'localhost'               
GRANT ALL PRIVILEGES ON `test`.* TO 'peter'@'localhost' WITH GRANT OPTION
*/

USE test;
CHECK TABLE t1;
/*
Table    Op      Msg_type  Msg_text
-------  ------  --------  --------
test.t1  check   status    OK      
*/

Suggested fix:
Not sure.  Basically I think MySQL itself misses alerting instrumentation to handle this properly.  And the chance of InnoDB corruption is very small I know.  

But still I find it problematic that a non-privileged user can shut down the server (if docs are correct - I cannot tell as I do not have a corrupted InnoDB table!).  It contradicts statements elsewhere that to shut down the server you will need
1) either MySQL "SUPER" privilege
2) or sufficient OS-level privilege.

I think 
1) the shutdown should only occur for users having SUPER privilege.
2) further/and/or the shutdown should be optional

or
3) CHECK TABLE should be restricted to SUPER users and/or users having (for instance) UPDATE privilege to the table.
[24 Dec 2010 13:58] MySQL Verification Team
How is it different to a normal user running a query that crashes the server?
Also, it isn't that easy to corrupt an InnoDB table on purpose :)
[24 Dec 2010 14:14] Peter Laursen
@Shane .. 

If a query crashes the server I think we agree that then it is a server bug? The server should not crash under any circumstance. But do you now think that it is OK that a user can crash the server?  Of course you don't .. so this point of yours is not valid in my understanding. Besides this is not a crash referred to.  It is a graceful shutdown that happens. 

I know it is difficult to corrupt an InnoDB table. But if a user knows how to corrupt a table he will also be able to shut down the server simply by executing CHECK TABLE on it (according to docs). This is DOS.
[24 Dec 2010 14:24] Peter Laursen
Additionally this GRANT is enough (a pasting error actually):

SHOW GRANTS;
/*
Grants for peter@localhost                                               
-------------------------------------------------------------------------
GRANT SELECT, SHOW DATABASES ON *.* TO 'peter'@'localhost'
*/
[24 Dec 2010 15:03] MySQL Verification Team
Is this perhaps a duplicate of bug #10132 :) ?
[24 Dec 2010 15:30] Peter Laursen
For me it is not the same.  What I am referring to is (as I understand docs) an intentional and graceful shutdown - the other one is described as a *crash*.  But I don't know InnoDB internals so the 'underlying reason' could be same/similar.
[24 Dec 2010 19:15] Sveta Smirnova
Thank you for the feedback.

I'd say this is the same as bug #10132: an intended shutdown happens in that bug too, James just uses another word.
[24 Dec 2010 19:33] James Day
Peter, except for bugs it's not possible for an unprivileged or privileged user to deliberately cause a checksum failure or other corruption without direct access to the files or RAM from within the operating system. Someone who has that direct access is authorised to have that access, so while they are abusing their privilege, it's not a privilege escalation.

Corrupt tables aren't a privilege escalation problem within the MySQL server unless it's possible to deliberately cause the corruption using methods provided by MySQL, not going behind its back and changing things with the operating system tools. If there was a way to do that from within MySQL then it would be a privilege escalation if it was used to shut down the server. But that's not the major problem with such a bug, the corruption is. And it's the way to cause corruption deliberately that we'd need to fix.

Your report is a duplicate of bug #10132. What I described there as a crash - a signal - is what the documentation you've linked to describes as deliberately shutting down the server. That bug is the same situation you're discussing: a checksum or other damage within an InnoDB table that causes a shutdown instead of marking as a damaged table. The damage is there and the shutdown symptom can be caused by anything that accesses the damaged page. That can be CHECK TABLE or it can be a SELECT. Same result. I'm marking this as a duplicate.
[24 Dec 2010 19:34] James Day
Beaten to it by Sveta. She's right.
[24 Dec 2010 19:36] Peter Laursen
No problem! I do not really understand #10132, so if you all agree that this is a duplicate, I have no problems with that classification!
[24 Dec 2010 19:38] Peter Laursen
.. only the Docs don't 'admit' that the shutdown is due to a bug. It is described as an 'intentional' and 'graceful' behavior.
[24 Dec 2010 19:52] James Day
That's because it's rare for it to be a bug. Disk corruption is the normal cause. Sometimes corruption on the way from the disk instead of on the disk itself. The decision to shut down the server was intentional.
[24 Dec 2010 22:13] MySQL Verification Team
Peter, there are other cases that I believe InnoDB does do wrong, see bug #56400 for that...
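
The thread notes that the shutdown can follow any access to a damaged page (CHECK TABLE or a SELECT) and that the details are written to the error log, so alerting has to key on the error log rather than on the statement. The sketch below is an added example, not part of the bug report or of MySQL; the sample log is constructed, and the InnoDB and mysqld_safe message wording is an assumption modelled on 5.1-era error logs that should be adjusted to the server version in use.

```python
import re

# Constructed sample error log (not taken from the bug report).
SAMPLE_LOG = """\
101224 13:40:01 [Note] /usr/sbin/mysqld: ready for connections.
InnoDB: Database page corruption on disk or a failed
InnoDB: file read of page 7.
InnoDB: You may have to recover from a backup.
InnoDB: Ending processing because of a corrupt database page.
101224 13:52:18 mysqld_safe Number of processes running now: 0
101224 13:52:18 mysqld_safe mysqld restarted
101224 13:52:20 [Note] /usr/sbin/mysqld: ready for connections.
101224 19:38:02 [Note] /usr/sbin/mysqld: Normal shutdown
"""

# Message patterns are assumptions; tune them to your server version.
TS = re.compile(r"^(\d{6} +\d{1,2}:\d{2}:\d{2})\b")
CORRUPT = re.compile(r"InnoDB: Database page corruption on disk or a failed")
PAGE = re.compile(r"InnoDB: file read of page (\d+)")
HALT = re.compile(r"InnoDB: Ending processing because of a corrupt database page")
RESTART = re.compile(r"mysqld restarted")

def find_corruption_shutdowns(log_text):
    """Return one record per corruption report found in the error log."""
    incidents, current, last_ts = [], None, None
    for line in log_text.splitlines():
        m = TS.match(line)
        if m:
            last_ts = m.group(1)  # InnoDB continuation lines carry no timestamp
        if CORRUPT.search(line):
            current = {"last_timestamp": last_ts, "page": None,
                       "halted": False, "restarted": False}
            incidents.append(current)
        elif current is not None:
            p = PAGE.search(line)
            if p:
                current["page"] = int(p.group(1))
            elif HALT.search(line):
                current["halted"] = True   # server stopped itself on the bad page
            elif RESTART.search(line):
                current["restarted"] = True
                current = None             # incident closed by the restart
    return incidents

if __name__ == "__main__":
    for incident in find_corruption_shutdowns(SAMPLE_LOG):
        print("ALERT corruption-triggered shutdown:", incident)
```

An administrator-initiated "Normal shutdown" line produces no record, which keeps the alert specific to the corruption case discussed in the thread.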