I think that Benjamin was trying to make a point here regarding an easily reproducible 
scenario (I don't care if you wanna call it a "security flaw" or a "flying pig") under 
some conditions which are not that hard to come upon in the real world.

The problem that really comes to mind is that some people think mysql is the next big 
thing after instant coffee. Most people, probably me included, made the mysql choice 
without much thought or background search. The inferring mechanism usually is 'it is 
popular'=>'it must be good'. So even more people join in, so it gets more popular...ad 
infinitum.

I only realized how many things were missing after I started using it, and I'm not 
willing to give it up because I don't really have any real-world/high-volume/critical 
application needs and there is still stuff to learn working with it. As long as I can 
play around and it doesn't crash every other day, I'm happy.

regards,
thalis


On Wed, 21 Mar 2001, Sinisa Milivojevic wrote:

> Benjamin Pflugmann writes:
>  > Hi.
> <cut> 
>  > Of course, that's why I was explicitly talking about the fact that the
>  > user needs CREATE privileges (FILE privileges are not needed, if I am
>  > not mistaken).
> 
> First of all, it is easy to reproduce a test case.
> 
> Second, that FILE privilege I was citing is there because of SELECT ..
> INTO OUTFILE ... I thought that you would understand that.
> 
> Regarding shadow file, I can crack it in 15 minutes, if I had the
> interest, but I have no such interests. And I did it only on my own
> computer once 4 years ago.
> 
> A CGI script that could be talked into executing ln -s ....
> 
> That is a bit far fetched. 
> 
> Any scenario that involves shell access (or funny CGI scripts) or
> similar cannot be considered a MySQL security flaw.
> 
> Regards,
> 
> Sinisa

