[MDEV-10465] general_log_file can be abused - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Blocker
Resolution: Fixed
Affects Version/s: 5.5(EOL), 10.0(EOL), 10.1(EOL)
Fix Version/s: 5.5.51, 10.1.17, 10.0.27
Component/s: OTHER
Labels:
None

Sprint:
5.5.51 & 10.2.2

Description

Earlier MySQL used to read my.cnf from three locations, in that order:

/etc
datadir
$HOME/.my.cnf

The second is particularly unsafe, because datadir is writable by the mysqld server, and a user that can connect to MySQL can create my.cnf in the datadir using SELECT ... OUTFILE. Over time various safety mechanisms were implemented:

mysqld no longer reads my.cnf in the datadir. Still, mysqld_safe.sh does and forces the server to, so if the server is started via mysqld_safe.sh, my.cnf in the datadir is still used.
--secure-file-priv command-line option limits SELECT ... OUTFILE to the specified directory, it's recommended to set it outside of datadir
SELECT ... OUTFILE creates files that are world-writable and mysqld refuses to read my.cnf if it is world-writable.

But as was recently discovered by Dawid Golunski, one can abuse @@general_log_file variable to create a my.cnf in the datadir, and it will be not created world-writable, so the both mysqld_safe and mysqld will read it on startup.

Attachments

Issue Links

links to

Advisory

Activity

Ascending order - Click to sort in descending order

Sergei Golubchik created issue - 2016-07-31 10:15

Sergei Golubchik made changes - 2016-08-01 15:04

Field	Original Value	New Value
Summary	logs	general_log_file can be abused

Rasmus Johansson (Inactive) made changes - 2016-08-03 09:59

Sprint

5.51 & 10.2 [ 85 ]

Rasmus Johansson (Inactive) made changes - 2016-08-03 09:59

Rank

Ranked higher

Sergei Golubchik made changes - 2016-08-03 11:29

Status

Open [ 1 ]

In Progress [ 3 ]

Sergei Golubchik made changes - 2016-08-04 09:04

Fix Version/s		5.5.51 [ 22015 ]
Fix Version/s		10.0.27 [ 22017 ]
Fix Version/s		10.1.17 [ 22102 ]
Fix Version/s	5.5 [ 15800 ]
Fix Version/s	10.0 [ 16000 ]
Fix Version/s	10.1 [ 16100 ]
Resolution		Fixed [ 1 ]
Status	In Progress [ 3 ]	Closed [ 6 ]

Sergei Golubchik made changes - 2016-09-12 08:15

Description

Earlier MySQL used to read {{my.cnf}} from three locations, in that order:
* {{/etc}}
* datadir
* {{$HOME/.my.cnf}}

The second is particularly unsafe, because datadir is writable by the {{mysqld}} server, and a user that can connect to MySQL can create {{my.cnf}} in the datadir using {{SELECT ... OUTFILE}}. Over time various safety mechanisms were implemented:
* {{mysqld}} no longer reads {{my.cnf}} in the datadir. Still, {{mysqld_safe.sh}} does and forces the server to, so if the server is started via {{mysqld_safe.sh}}, {{my.cnf}} in the datadir is still used.
* {{--secure-file-priv}} command-line option limits {{SELECT ... OUTFILE}} to the specified directory, it's recommended to set it outside of datadir
* {{SELECT ... OUTFILE}} creates files that are world-writable and {{mysqld}} refuses to read {{my.cnf}} if it is world-writable.

But as was recently discovered by [Dawid Golunski|http://legalhackers.com], one can abuse {{@@general_log_file}} variable to create a {{my.cnf}} in the datadir, and it will be not created world-writable, so the both {{mysqld_safe}} and {{mysqld}} will read it on startup.

Sergei Golubchik made changes - 2016-09-12 10:28

Remote Link

This issue links to "Advisory (Web Link)" [ 27500 ]

Sergei Golubchik made changes - 2021-12-06 21:43

Workflow

MariaDB v3 [ 76531 ]

MariaDB v4 [ 150687 ]

People

Assignee:: Sergei Golubchik

Reporter:: Sergei Golubchik

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2016-07-31 10:15

Updated:: 2016-09-12 10:28

Resolved:: 2016-08-04 09:04

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server

Details

Description

Attachments

Issue Links

Activity

People

Dates

Git Integration