Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-10465

general_log_file can be abused

Details

    • Bug
    • Status: Closed (View Workflow)
    • Blocker
    • Resolution: Fixed
    • 5.5(EOL), 10.0(EOL), 10.1(EOL)
    • 5.5.51, 10.1.17, 10.0.27
    • OTHER
    • None
    • 5.5.51 & 10.2.2

    Description

      Earlier MySQL used to read my.cnf from three locations, in that order:

      • /etc
      • datadir
      • $HOME/.my.cnf

      The second is particularly unsafe, because datadir is writable by the mysqld server, and a user that can connect to MySQL can create my.cnf in the datadir using SELECT ... OUTFILE. Over time various safety mechanisms were implemented:

      • mysqld no longer reads my.cnf in the datadir. Still, mysqld_safe.sh does and forces the server to, so if the server is started via mysqld_safe.sh, my.cnf in the datadir is still used.
      • --secure-file-priv command-line option limits SELECT ... OUTFILE to the specified directory, it's recommended to set it outside of datadir
      • SELECT ... OUTFILE creates files that are world-writable and mysqld refuses to read my.cnf if it is world-writable.

      But as was recently discovered by Dawid Golunski, one can abuse @@general_log_file variable to create a my.cnf in the datadir, and it will be not created world-writable, so the both mysqld_safe and mysqld will read it on startup.

      Attachments

        Issue Links

          links to

          Web Link Advisory

          Activity

            People

              serg Sergei Golubchik
              serg Sergei Golubchik
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.