Details
- Type: Bug
- Status: Closed
- Priority: Blocker
- Resolution: Fixed
- 5.5 (EOL), 10.0 (EOL), 10.1 (EOL)
- None
- 5.5.51 & 10.2.2
Description
Earlier MySQL used to read my.cnf from three locations, in that order:
- /etc
- datadir
- $HOME/.my.cnf
The second is particularly unsafe, because datadir is writable by the mysqld server, and a user that can connect to MySQL can create my.cnf in the datadir using SELECT ... OUTFILE. Over time various safety mechanisms were implemented:
- mysqld no longer reads my.cnf in the datadir. Still, mysqld_safe.sh does and forces the server to, so if the server is started via mysqld_safe.sh, my.cnf in the datadir is still used.
- The --secure-file-priv command-line option limits SELECT ... OUTFILE to the specified directory; it is recommended to set it outside of datadir.
- SELECT ... OUTFILE creates files that are world-writable, and mysqld refuses to read my.cnf if it is world-writable.
But as was recently discovered by Dawid Golunski, one can abuse the @@general_log_file variable to create a my.cnf in the datadir, and it will not be created world-writable, so both mysqld_safe and mysqld will read it on startup.
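An added audit helper (not from this issue or from MariaDB's own code) that turns the safeguards listed above into checks a DBA can run against the server variables and the datadir. The variable names are the standard `datadir`, `general_log_file` and `secure_file_priv`; the sample values are constructed.

```python
import os
import stat
from pathlib import Path

# Constructed sample of what SHOW GLOBAL VARIABLES might return on a
# misconfigured server: the log file lands in datadir under a config name.
SAMPLE_VARS = {
    "datadir": "/var/lib/mysql/",
    "general_log_file": "/var/lib/mysql/my.cnf",
    "secure_file_priv": "",
}

CONFIG_NAMES = ("my.cnf", ".my.cnf")


def inside(path, directory):
    """True if path is directory itself or lies beneath it (lexical check)."""
    p = Path(os.path.normpath(path))
    d = Path(os.path.normpath(directory))
    return p == d or d in p.parents


def is_world_writable(mode):
    """mysqld refuses a my.cnf whose mode has the other-write bit set."""
    return bool(mode & stat.S_IWOTH)


def audit_variables(variables):
    """Findings derived from the server variables alone (no disk access)."""
    findings = []
    datadir = variables["datadir"]
    log_file = variables.get("general_log_file", "")
    # A log file written inside datadir is exactly what mysqld_safe later
    # hands to the server as a config file if it is called my.cnf.
    if log_file and inside(log_file, datadir):
        findings.append("general_log_file points inside datadir")
    if Path(log_file).name in CONFIG_NAMES:
        findings.append("general_log_file is named like a config file")
    sfp = variables.get("secure_file_priv", "")
    if sfp == "":
        findings.append("secure_file_priv is empty: OUTFILE is unrestricted")
    elif inside(sfp, datadir):
        findings.append("secure_file_priv is inside datadir")
    return findings


def audit_datadir(datadir):
    """Report config files already present in datadir and whether mysqld would read them."""
    findings = []
    for name in CONFIG_NAMES:
        cnf = Path(datadir) / name
        if cnf.exists():
            verdict = "world-writable, mysqld would refuse it" if is_world_writable(cnf.stat().st_mode) else "not world-writable, it would be read"
            findings.append(f"{cnf} exists ({verdict})")
    return findings
```

Run `audit_variables` on the output of `SHOW GLOBAL VARIABLES` and `audit_datadir` on the server host; an empty list from both means none of the conditions the description describes is present.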
Activity
Field | Original Value | New Value |
---|---|---|
Summary | logs | general_log_file can be abused |
Sprint | | 5.51 & 10.2 [ 85 ] |
Rank | | Ranked higher |
Status | Open [ 1 ] | In Progress [ 3 ] |
Fix Version/s | 5.5.51 [ 22015 ] | |
Fix Version/s | 10.0.27 [ 22017 ] | |
Fix Version/s | 10.1.17 [ 22102 ] | |
Fix Version/s | 5.5 [ 15800 ] | |
Fix Version/s | 10.0 [ 16000 ] | |
Fix Version/s | 10.1 [ 16100 ] | |
Resolution | Fixed [ 1 ] | |
Status | In Progress [ 3 ] | Closed [ 6 ] |
Remote Link | | This issue links to "Advisory (Web Link)" [ 27500 ] |
Workflow | MariaDB v3 [ 76531 ] | MariaDB v4 [ 150687 ] |
CVE-2016-6662