[MDEV-10465] general_log_file can be abused - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Blocker
Resolution: Fixed
Affects Version/s: 5.5(EOL), 10.0(EOL), 10.1(EOL)
Fix Version/s: 5.5.51, 10.1.17, 10.0.27
Component/s: OTHER
Labels:
None

Sprint:
5.5.51 & 10.2.2

Description

Earlier MySQL used to read my.cnf from three locations, in that order:

/etc
datadir
$HOME/.my.cnf

The second is particularly unsafe, because datadir is writable by the mysqld server, and a user that can connect to MySQL can create my.cnf in the datadir using SELECT ... OUTFILE. Over time various safety mechanisms were implemented:

mysqld no longer reads my.cnf in the datadir. Still, mysqld_safe.sh does and forces the server to, so if the server is started via mysqld_safe.sh, my.cnf in the datadir is still used.
--secure-file-priv command-line option limits SELECT ... OUTFILE to the specified directory, it's recommended to set it outside of datadir
SELECT ... OUTFILE creates files that are world-writable and mysqld refuses to read my.cnf if it is world-writable.

But as was recently discovered by Dawid Golunski, one can abuse @@general_log_file variable to create a my.cnf in the datadir, and it will be not created world-writable, so the both mysqld_safe and mysqld will read it on startup.

Attachments

Issue Links

links to

Advisory

Activity

Transition	Time In Source Status	Execution Times

Sergei Golubchik made transition - 2016-08-03 11:29

Open

In Progress

3d 1h 13m

Sergei Golubchik made transition - 2016-08-04 09:04

In Progress

Closed

21h 34m

People

Assignee:: Sergei Golubchik

Reporter:: Sergei Golubchik

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2016-07-31 10:15

Updated:: 2016-09-12 10:28

Resolved:: 2016-08-04 09:04

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server