[#MDEV-25179] wsrep_provider and wsrep_notify_cmd system variables are writable

[MDEV-25179] wsrep_provider and wsrep_notify_cmd system variables are writable Created: 2021-03-17 Updated: 2021-03-17 Resolved: 2021-03-17
Status:	Closed
Project:	MariaDB Server
Component/s:	wsrep
Affects Version/s:	10.2, 10.3, 10.4, 10.5
Fix Version/s:	10.2.37, 10.3.28, 10.4.18, 10.5.9

Type:

Bug

Priority:

Blocker

Reporter:

Sergei Golubchik

Assignee:

Sergei Golubchik

Resolution:

Fixed

Votes:

Labels:

None

Description

System variables wsrep_provider and wsrep_notify_cmd system can be modified at run time by a database user with SUPER privileges.

The first variable takes a path to the .so library that the server will try to dlopen(). The second takes a path to the shell script that the server will execute. Having them writable allows a database user with SUPER privilege to execute arbitrary code as the system mysql user.

It seems that there is little (or no) practical use case for having these variables being modified at run-time, it's only ever used in tests. That is making them read-only would be an easy and safe fix for the above issues, at the cost of slightly more complex test scripts.

Generated at Thu Feb 08 09:35:44 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.

[MDEV-25179] wsrep_provider and wsrep_notify_cmd system variables are writable Created: 2021-03-17 Updated: 2021-03-17 Resolved: 2021-03-17