Bug #93996 Login Path File (mylogin.cnf) Permissions Not Assigned or Assessed on Windows
Submitted: 21 Jan 2019 21:12 Modified: 28 Aug 2019 12:53
Reporter: Adam Russell Email Updates:
Status: Verified Impact on me:
None 
Category:MySQL Server: Windows Severity:S3 (Non-critical)
Version:5.7.25 and 8.0.13 OS:Microsoft Windows (Windows 10 Professional Version 1803 Build 10.0.17134.523)
Assigned to: CPU Architecture:x86
Tags: mylogin.cnf, mysql_config_editor, windows

[21 Jan 2019 21:12] Adam Russell 
Description:
This is an excerpt from the online documentation for 'mysql_config_editor' (https://dev.mysql.com/doc/refman/8.0/en/mysql-config-editor.html): 
"The login path file must be readable and writable to the current user, and inaccessible to other users. Otherwise, mysql_config_editor ignores it, and client programs do not use it, either."

How to repeat:
I conducted the following test on Ubuntu 16.04 LTS running MySQL Ver 14.14 Distrib 5.7.24. 
The outcome was in accordance with the excerpt above.
  1. Created a 'mylogin.cnf' file: mysql_config_editor set --user=foobar --password
  2. Ran a backup: mysqldump --all-databases -r dump.txt
     The backup ran OK.
  3. Obtained the permissions of mylogin.cnf: stat -c '%A %a %n' .mylogin.cnf
     -rw------- 600 .mylogin.cnf
  4. Changed the file permissions as follows: chmod 750 .mylogin.cnf
  5. Obtained the permissions of mylogin.cnf: stat -c '%A %a %n' .mylogin.cnf
     -rwxr-x--- 750 .mylogin.cnf
  6. Ran a backup: mysqldump --all-databases -r dump.txt
     Resulted in the following error (the expected behaviour): 
      mysqldump: [Warning] /home/thecliguy/.mylogin.cnf should be readable/writable only by current user.
      mysqldump: Got error: 1045: Access denied for user 'thecliguy'@'localhost' (using password: NO) when trying to connect

      
I then conducted equivalent tests on Windows 10 Professional Version 1803 Build 10.0.17134.523.
I started by testing MySQL Ver 14.14 Distrib 5.7.25 and then repeated the tests on MySQL Ver 8.0.13.
  1. Created a non-admin Windows account: net user user1 * /add
  2. Logged on to Windows as 'user1'.
  3. Created a 'mylogin.cnf' file: mysql_config_editor set --user=foobar --password
  4. Ran a backup: mysqldump --all-databases -r C:\bitbucket\dump.txt
     The backup ran OK.
  5. Obtained the permissions of mylogin.cnf using: icacls C:\Users\user1\AppData\Roaming\MySQL\.mylogin.cnf
     The permissions are just the defaults inherited from 'C:\Users\user1'.
  
          Type   Principal       Access        Inherited from
          ----   ---------       ------        --------------
          Allow  SYSTEM          Full control  C:\Users\user1
          Allow  Administrators  Full control  C:\Users\user1
          Allow  user1           Full control  C:\Users\user1
  	  
  6. Changed the file permissions by granting everyone full access of 'C:\Users\user1':
        icacls "C:\Users\user1" /grant everyone:(OI)(CI)(F)

  7. Obtained the permissions of mylogin.cnf: icacls C:\Users\user1\AppData\Roaming\MySQL\.mylogin.cnf:
          Type   Principal       Access        Inherited from
          ----   ---------       ------        --------------
          Allow  Everyone        Full control  C:\Users\user1
          Allow  SYSTEM          Full control  C:\Users\user1
          Allow  Administrators  Full control  C:\Users\user1
          Allow  user1           Full control  C:\Users\user1

  8. Ran a backup: mysqldump --all-databases -r c:\bitbucket\dump.txt
     The backup worked fine despite granting All Users full control.

Suggested fix:
As demonstrated, the excerpt from the documentation regarding file permissions on '.mylogin.cnf' is not being enforced on Windows. I appreciate that permissions are implemented very differently in Windows and *nix, but the documentation does not state that it applies only to *nix.

Therefore either the equivalent standards should be adhered to on Windows or the documentation should be revised stating that it is only applicable to *nix.

Any feedback welcome.
[21 Jan 2019 21:23] Adam Russell 
A minor correction, the output of permissions on Windows 10 (points 5 and 7) were not obtained using icacls.
I obtained them from the Windows explorer UI as the icacls output is rather hard to comprehend.
[28 Aug 2019 12:53] MySQL Verification Team 
Hi,

Thanks for the report. Verified.
[27 Feb 20:39] Will Belden 
Have completely run into this today on Windows 10, MySQL Ver 8.0.21 for Win64 on x86_64 (MySQL Community Server - GPL)

Was automating a remote backup, to local, and restore locally.

Using full mysql.exe command line, complete with --user= and --password= worked fine.  Tired of the "using a password on the command line is insecure" message, I flipped to using the mysql_config_editor to store the remote and local profiles.  With simple alphanumeric passwords only, I tried with quotes and without quotes over and over.  Access denied EVERY TIME.  It simply doesn't work as expected.