[MDEV-10465] general_log_file can be abused Created: 2016-07-31  Updated: 2016-09-12  Resolved: 2016-08-04

Status: Closed
Project: MariaDB Server
Component/s: OTHER
Affects Version/s: 5.5, 10.0, 10.1
Fix Version/s: 5.5.51, 10.1.17, 10.0.27

Type: Bug Priority: Blocker
Reporter: Sergei Golubchik Assignee: Sergei Golubchik
Resolution: Fixed Votes: 0
Labels: None

Sprint: 5.5.51 & 10.2.2

Description

Earlier MySQL used to read my.cnf from three locations, in that order:

  • /etc
  • datadir
  • $HOME/.my.cnf

The second is particularly unsafe, because datadir is writable by the mysqld server, so a user that can connect to MySQL can create my.cnf in the datadir using SELECT ... OUTFILE. Over time various safety mechanisms were implemented:

  • mysqld no longer reads my.cnf in the datadir. Still, mysqld_safe.sh does, and it forces the server to as well, so if the server is started via mysqld_safe.sh, my.cnf in the datadir is still used.
  • The --secure-file-priv command-line option limits SELECT ... OUTFILE to the specified directory; it is recommended to set it to a directory outside of datadir.
  • SELECT ... OUTFILE creates files that are world-writable, and mysqld refuses to read my.cnf if it is world-writable.

But as was recently discovered by Dawid Golunski, one can abuse the @@general_log_file variable to create a my.cnf in the datadir, and it will not be created world-writable, so both mysqld_safe and mysqld will read it on startup.
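The description above lists the three safeguards and the one path that still slips past them: a log-file variable that writes a non-world-writable file with an option-file name into datadir. The following audit helper is an added example written for this page, not MariaDB's own code or its fix for this issue. It takes the values a DBA would read from SHOW GLOBAL VARIABLES (constructed sample dicts are embedded) and reports the conditions the description calls out: an empty or datadir-resident secure_file_priv, and any general_log_file, slow_query_log_file or log_error value whose resolved path has an option-file name. A second function inspects a datadir on disk for my.cnf / .my.cnf / my.ini and reports whether the file is world-writable, since the description notes that mysqld only rejects the world-writable case while mysqld_safe reads the file regardless. The filename and suffix lists are this example's own heuristic, not a list MariaDB uses.

```python
import stat
import tempfile
from pathlib import Path, PurePosixPath

# Heuristic list of names/extensions that mysqld and mysqld_safe treat as
# option files. Assumption of this example, not a list taken from MariaDB.
OPTION_FILE_NAMES = {"my.cnf", ".my.cnf", "my.ini"}
OPTION_FILE_SUFFIXES = {".cnf", ".ini"}
LOG_PATH_VARIABLES = ("general_log_file", "slow_query_log_file", "log_error")

# Constructed sample values in the shape of SHOW GLOBAL VARIABLES output.
SAMPLE_WEAK = {
    "datadir": "/var/lib/mysql/",
    "secure_file_priv": "",          # empty: SELECT ... INTO OUTFILE unrestricted
    "general_log_file": "my.cnf",    # relative name: resolves inside datadir
}
SAMPLE_HARDENED = {
    "datadir": "/var/lib/mysql/",
    "secure_file_priv": "/var/lib/mysql-files/",
    "general_log_file": "/var/log/mysql/general.log",
    "slow_query_log_file": "/var/log/mysql/slow.log",
}


def resolve_log_path(value: str, datadir: str) -> PurePosixPath:
    """A relative log-file value is created under datadir; absolute values are used as-is."""
    path = PurePosixPath(value)
    return path if path.is_absolute() else PurePosixPath(datadir) / path


def is_within(path: PurePosixPath, directory: str) -> bool:
    """True when path is directory itself or lies below it (by path components, not string prefix)."""
    try:
        path.relative_to(PurePosixPath(directory))
        return True
    except ValueError:
        return False


def audit_variables(variables: dict) -> list:
    """Return a list of findings for the server settings discussed in the description."""
    findings = []
    datadir = variables.get("datadir", "")
    secure_file_priv = variables.get("secure_file_priv", "")

    if secure_file_priv == "":
        findings.append("secure_file_priv is empty: SELECT ... INTO OUTFILE is not confined to a directory")
    elif is_within(PurePosixPath(secure_file_priv), datadir):
        findings.append(f"secure_file_priv ({secure_file_priv}) lies inside datadir ({datadir})")

    for var in LOG_PATH_VARIABLES:
        value = variables.get(var, "")
        if not value:
            continue
        path = resolve_log_path(value, datadir)
        if path.name in OPTION_FILE_NAMES or path.suffix in OPTION_FILE_SUFFIXES:
            findings.append(f"{var} resolves to an option-file name: {path}")
    return findings


def audit_datadir(datadir: str) -> list:
    """Report option files present in datadir and whether each is world-writable."""
    findings = []
    for name in sorted(OPTION_FILE_NAMES):
        candidate = Path(datadir) / name
        if candidate.exists():
            mode = candidate.stat().st_mode
            writable = "world-writable" if mode & stat.S_IWOTH else "not world-writable"
            findings.append(f"{candidate} exists and is {writable}: an option file inside datadir")
    return findings


def demo_planted_config() -> list:
    """Constructed scenario: a temporary datadir holding an empty, mode 0644 my.cnf."""
    with tempfile.TemporaryDirectory() as datadir:
        planted = Path(datadir) / "my.cnf"
        planted.touch()
        planted.chmod(0o644)  # not world-writable, so mysqld would not refuse it
        return audit_datadir(datadir)


if __name__ == "__main__":
    for label, sample in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(label, audit_variables(sample) or ["no findings"])
    print("planted", demo_planted_config())
```

Run against a live server, the variables dict would be filled from SHOW GLOBAL VARIABLES and audit_datadir pointed at the real datadir; the relative-path handling matters because log-file variables given without a directory are created under datadir, which is exactly the location the description is concerned with.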



Comments
Comment by Sergei Golubchik [ 2016-09-12 ]

CVE-2016-6662
