Re: FW: potential vulnerability of mysqld running with root privileges

2001-03-22 Thread Fred van Engen

Hi,

On Wed, Mar 21, 2001 at 08:39:55AM +0100, Benjamin Pflugmann wrote:
 Sorry to contradict, but have a look:
 
 newton:~ mysql -u root -e "select version()"
 +-----------+
 | version() |
 +-----------+
 | 3.23.33   |
 +-----------+
 8:26:25 newton:~ sudo -u mysql touch /tmp/test # just created a file owned by mysql-user
 8:26:45 newton:~ ln -sf /tmp/test /tmp/yikes.MYI
 8:26:54 newton:~ ls -l /tmp
 [...]
 -rw-r--r--    1 mysql    mysql           0 Mar 21 08:26 test
 lrwxrwxrwx    1 philemon philemon        9 Mar 21 08:28 yikes.MYI -> /tmp/test
 8:26:57 newton:~ mysql ../../../../tmp -e "create table yikes(w int(4))"


The problem in my opinion is allowing full pathnames in the database name,
regardless of symbolic links. If someone can write to your database directory,
you're in trouble anyway.

To do the above (without symlinks), you will need to have MySQL root privileges.


When I do it as a non-privileged user, I get:

user@host:~$ /opt/mysql-3.23/bin/mysql -u joe -p -e 'create table testy (id int)' ../../../../tmp
Enter password: 
ERROR 1044: Access denied for user: 'radius@localhost' to database '../../../../tmp'


Doing this as a MySQL privileged user (root), I get:

user@host:~$ /opt/mysql-3.23/bin/mysql -u root -p -e 'create table testx (id int)' ../../../../tmp
Enter password: 
user@host:~$ ls -l /tmp/testx*
-rw-rw----    1 mysql    mysql           0 Mar 22 11:25 /tmp/testx.MYD
-rw-rw----    1 mysql    mysql        1024 Mar 22 11:25 /tmp/testx.MYI
-rw-rw----    1 mysql    mysql        8550 Mar 22 11:25 /tmp/testx.frm


The inconsistency is that even as MySQL root, I do get an error when doing
show tables on this 'database'/directory:

user@host:~$ /opt/mysql-3.23/bin/mysql -u root -p -e 'show tables' ../../../../tmp
Enter password: 
ERROR 1102 at line 1: Incorrect database name '../../../../tmp'


This is in 3.23.33 with an unrelated bugfix.


MySQL should be consistent in its checking of database names and IMHO allowing
full pathnames in a database name is asking for trouble.


Regards,

Fred.


-- 
Fred van Engen  XO Communications B.V.
email: [EMAIL PROTECTED] Televisieweg 2
tel: +31 36 5462400 1322 AC  Almere
fax: +31 36 5462424 The Netherlands

-
Before posting, please check:
   http://www.mysql.com/manual.php   (the manual)
   http://lists.mysql.com/   (the list archive)

To request this thread, e-mail [EMAIL PROTECTED]
To unsubscribe, e-mail [EMAIL PROTECTED]
Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php




Re: FW: potential vulnerability of mysqld running with root privileges

2001-03-21 Thread Benjamin Pflugmann

Hi.

On Tue, Mar 20, 2001 at 12:22:19PM +0100, [EMAIL PROTECTED] wrote:
 Hi!
 
 On Mar 20, Basil Hussain wrote:
  Hi all,
  
  The original message below was posted to the BugTraq mailing list. Have the
  developers seen this? I know it talks about version mysql-3.20.32a (which is
  ancient), but he mentions that it affects other versions.
  
  Anyway, I don't run my MySQL server as root, so I'm not worried. :)
  
 
 You shouldn't.
 
 MySQL-3.23 is not vulnerable.

How did you determine that?


Sorry to contradict, but have a look:

newton:~ mysql -u root -e "select version()"
+-----------+
| version() |
+-----------+
| 3.23.33   |
+-----------+
8:26:25 newton:~ sudo -u mysql touch /tmp/test # just created a file owned by mysql-user
8:26:45 newton:~ ln -sf /tmp/test /tmp/yikes.MYI
8:26:54 newton:~ ls -l /tmp
[...]
-rw-r--r--    1 mysql    mysql           0 Mar 21 08:26 test
lrwxrwxrwx    1 philemon philemon        9 Mar 21 08:28 yikes.MYI -> /tmp/test
8:26:57 newton:~ mysql ../../../../tmp -e "create table yikes(w int(4))"
8:27:02 newton:~ ls -l /tmp
[...]
-rw-r--r--    1 mysql    mysql        1024 Mar 21 08:28 test
-rw-rw----    1 mysql    mysql           0 Mar 21 08:28 yikes.MYD
lrwxrwxrwx    1 philemon philemon        9 Mar 21 08:28 yikes.MYI -> /tmp/test
-rw-rw----    1 mysql    mysql        8548 Mar 21 08:28 yikes.frm

So, I have just overwritten a file not owned by me, namely /tmp/test.
If mysql was running as root (which is of course deprecated), I could
overwrite any file in the system this way and even gain root access
(as shown by someone on bugtraq), I think.

Did I overlook something?

So it looks to me that at least 3.23.33 is not secure in this respect (I
have not checked 3.23.34 or 3.23.35 because for both, problems were
reported that prevent their use in production systems).

Even without MySQL running as root, I can do a lot of harm (with
privilege to create tables, I can probably gain MySQL root privileges,
delete any other table, delete configs and log files and so on).

Bye,

Benjamin.
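The two fixes this thread asks for, shown from the server's side as an added example (not MySQL's own code): a database-name check that is the same for every statement, which is the consistency Fred asks for, and a table-file creation that a planted yikes.MYI symlink cannot redirect, which is what Benjamin's transcript exploits. The names db_name_ok, create_table_file and demo_create are hypothetical, and the scratch directory under /tmp is constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define PATHBUF 4096

/* Hypothetical name check, applied to every statement alike: a database or
 * table name must be exactly one directory component, so "../../../../tmp",
 * "/tmp" and ".." are refused before any filesystem path is built from them. */
int db_name_ok(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > 64)
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    for (const char *p = name; *p; p++)
        if (*p == '/' || *p == '\\' || (unsigned char)*p < 0x20)
            return 0;
    return 1;
}

/* Create datadir/db/table.ext as a brand-new file. O_CREAT|O_EXCL fails with
 * EEXIST when anything already has that name, a symlink included, and
 * O_NOFOLLOW never follows a link, so a pre-placed yikes.MYI -> /tmp/test
 * cannot redirect the write. Returns the descriptor, or -1 with errno set. */
int create_table_file(const char *datadir, const char *db,
                      const char *table, const char *ext)
{
    char path[PATHBUF];
    int n;
    if (!db_name_ok(db) || !db_name_ok(table)) {
        errno = EINVAL;
        return -1;
    }
    n = snprintf(path, sizeof path, "%s/%s/%s%s", datadir, db, table, ext);
    if (n < 0 || (size_t)n >= sizeof path) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0660);
}

/* Replays the list post in a constructed scratch directory: an empty file
 * "test" and, if plant_symlink, a link yikesdb/yikes.MYI -> test; then asks
 * for table "yikes" in database "yikesdb". Returns 1 for the safe outcome:
 * link case refused with EEXIST and "test" still empty, clean case succeeds. */
int demo_create(int plant_symlink)
{
    char dir[] = "/tmp/mysqlsymXXXXXX";
    char dbdir[PATHBUF], target[PATHBUF], myi[PATHBUF];
    struct stat st;
    int fd, err = 0, wrote = 0, ok;
    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(dbdir, sizeof dbdir, "%s/yikesdb", dir);
    snprintf(target, sizeof target, "%s/test", dir);
    snprintf(myi, sizeof myi, "%s/yikes.MYI", dbdir);
    if (mkdir(dbdir, 0700) != 0)
        return 0;
    fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0644);  /* touch /tmp/test */
    if (fd < 0)
        return 0;
    close(fd);
    if (plant_symlink && symlink(target, myi) != 0)         /* ln -sf ... */
        return 0;
    fd = create_table_file(dir, "yikesdb", "yikes", ".MYI");
    if (fd < 0) {
        err = errno;
    } else {
        wrote = write(fd, "MYI", 3) == 3;  /* stands in for the index header */
        close(fd);
    }
    ok = stat(target, &st) == 0 && st.st_size == 0;        /* never touched */
    if (plant_symlink)
        ok = ok && fd < 0 && err == EEXIST;
    else
        ok = ok && wrote && lstat(myi, &st) == 0 && S_ISREG(st.st_mode)
             && st.st_size == 3;
    unlink(myi); unlink(target);
    rmdir(dbdir); rmdir(dir);
    return ok;
}

int main(void)
{
    printf("symlink planted, write refused, target intact: %d\n", demo_create(1));
    printf("no symlink, table file created normally:      %d\n", demo_create(0));
    return 0;
}
```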






Re: FW: potential vulnerability of mysqld running with root privileges

2001-03-21 Thread Sergei Golubchik

Hi!

On Mar 21, Benjamin Pflugmann wrote:
 Hi.
 
 On Tue, Mar 20, 2001 at 12:22:19PM +0100, [EMAIL PROTECTED] wrote:
  Hi!
  
  On Mar 20, Basil Hussain wrote:
   Hi all,
   
   The original message below was posted to the BugTraq mailing list. Have the
   developers seen this? I know it talks about version mysql-3.20.32a (which is
   ancient), but he mentions that it affects other versions.
   
   Anyway, I don't run my MySQL server as root, so I'm not worried. :)
   
  
  You shouldn't.
  
  MySQL-3.23 is not vulnerable.
 
 How did you determine that?
 
 
 Sorry to contradict, but have a look:
 

[...]

 Did I overlook something?

No, it's me who overlooked something :-(
Sorry for confusion...

Anyway, this would be fixed asap.

Regards,
Sergei

--
MySQL Development Team
   __  ___ ___   __
  /  |/  /_ __/ __/ __ \/ /   Sergei Golubchik [EMAIL PROTECTED]
 / /|_/ / // /\ \/ /_/ / /__  MySQL AB, http://www.mysql.com/
/_/  /_/\_, /___/\___\_\___/  Osnabrueck, Germany
   ___/





Re: FW: potential vulnerability of mysqld running with root privileges

2001-03-21 Thread Sinisa Milivojevic

Benjamin Pflugmann writes:
  Hi.
  
  On Tue, Mar 20, 2001 at 12:22:19PM +0100, [EMAIL PROTECTED] wrote:
   Hi!
   
   On Mar 20, Basil Hussain wrote:
Hi all,

The original message below was posted to the BugTraq mailing list. Have the
developers seen this? I know it talks about version mysql-3.20.32a (which is
ancient), but he mentions that it affects other versions.

Anyway, I don't run my MySQL server as root, so I'm not worried. :)

   
   You shouldn't.
   
   MySQL-3.23 is not vulnerable.
  
  How did you determine that?
  
  
  Sorry to contradict, but have a look:
  
  newton:~ mysql -u root -e "select version()"
  +-----------+
  | version() |
  +-----------+
  | 3.23.33   |
  +-----------+
  8:26:25 newton:~ sudo -u mysql touch /tmp/test # just created a file owned by mysql-user
  8:26:45 newton:~ ln -sf /tmp/test /tmp/yikes.MYI
  8:26:54 newton:~ ls -l /tmp
  [...]
  -rw-r--r--    1 mysql    mysql           0 Mar 21 08:26 test
  lrwxrwxrwx    1 philemon philemon        9 Mar 21 08:28 yikes.MYI -> /tmp/test
  8:26:57 newton:~ mysql ../../../../tmp -e "create table yikes(w int(4))"
  8:27:02 newton:~ ls -l /tmp
  [...]
  -rw-r--r--    1 mysql    mysql        1024 Mar 21 08:28 test
  -rw-rw----    1 mysql    mysql           0 Mar 21 08:28 yikes.MYD
  lrwxrwxrwx    1 philemon philemon        9 Mar 21 08:28 yikes.MYI -> /tmp/test
  -rw-rw----    1 mysql    mysql        8548 Mar 21 08:28 yikes.frm
  
  So, I have just overwritten a file not owned by me, namely /tmp/test.
  If mysql was running as root (which is of course deprecated), I could
  overwrite any file in the system this way and even gain root access
  (as shown by someone on bugtraq), I think.
  
  Did I overlook something?
  
  So it looks to me that at least 3.23.33 is not secure in this respect (I
  have not checked 3.23.34 or 3.23.35 because for both, problems were
  reported that prevent their use in production systems).
  
  Even without MySQL running as root, I can do a lot of harm (with
  privilege to create tables, I can probably gain MySQL root privileges,
  delete any other table, delete configs and log files and so on).
  
  Bye,
  
  Benjamin.
  
  

Hi!

Running mysql as root is not safe. 

Next, you had full shell access, with which you can accomplish
practically anything. Just take a look at passwd or shadow file, crack
it and you can have what ever you want. 

Last but not least, there is another matter. CREATE and FILE
privileges also should not be granted lightly.


Regards,

Sinisa

    __ _   _  ___ ==  MySQL AB
 /*/\*\/\*\   /*/ \*\ /*/ \*\ |*| Sinisa Milivojevic
/*/ /*/ /*/   \*\_   |*|   |*||*| mailto:[EMAIL PROTECTED]
   /*/ /*/ /*/\*\/*/  \*\|*|   |*||*| Larnaca, Cyprus
  /*/ /*/  /*/\*\_/*/ \*\_/*/ |*|
  /*/^^^\*\^^^
 /*/ \*\Developers Team





Re: FW: potential vulnerability of mysqld running with root privileges

2001-03-21 Thread Benjamin Pflugmann

Hi.

All your arguments are irrelevant regarding my post: Sergei stated
that MySQL 3.23 would not be vulnerable to the posted exploit and I
proved it is (respecting the rules given in the exploit). I never
argued about the impact of the exploit.

To be honest, I am worried about the answers we get. First, I wonder
about how Sergei was not able to repeat it, when I had no problem. A
test case showing that it did not work for him would have been nice
(sorry, Sergei, no harm intended).

Then you simply "talk away" the harm of this exploit, and ignore what
was said before. All your arguments may be valid, but have nothing to
do with the fact that there is an exploitable bug, regardless of how much
impact it has.

In fact, until now, nobody from MySQL even officially acknowledged that
there is a problem, except implicitly by discussing it (on the
mysql-list I mean... there was an answer on bugtraq).

I wrote my last mail just because I already confirmed that problem
with 3.23 after I read bugtraq and therefore knew, that Sergei must
have tested in a different way than me.

But now I am upset about the fact, that obviously my post was not
taken seriously. :-(

My comments to your arguments follow below.

Bye,

Benjamin.



On Wed, Mar 21, 2001 at 02:23:43PM +0200, [EMAIL PROTECTED] wrote:
[...]
   newton:~ mysql -u root -e "select version()"
   +-----------+
   | version() |
   +-----------+
   | 3.23.33   |
   +-----------+
   8:26:25 newton:~ sudo -u mysql touch /tmp/test # just created a file owned by mysql-user
   8:26:45 newton:~ ln -sf /tmp/test /tmp/yikes.MYI
   8:26:54 newton:~ ls -l /tmp
   [...]
   -rw-r--r--    1 mysql    mysql           0 Mar 21 08:26 test
   lrwxrwxrwx    1 philemon philemon        9 Mar 21 08:28 yikes.MYI -> /tmp/test
   8:26:57 newton:~ mysql ../../../../tmp -e "create table yikes(w int(4))"
   8:27:02 newton:~ ls -l /tmp
   [...]
   -rw-r--r--    1 mysql    mysql        1024 Mar 21 08:28 test
   -rw-rw----    1 mysql    mysql           0 Mar 21 08:28 yikes.MYD
   lrwxrwxrwx    1 philemon philemon        9 Mar 21 08:28 yikes.MYI -> /tmp/test
   -rw-rw----    1 mysql    mysql        8548 Mar 21 08:28 yikes.frm
   
   So, I have just overwritten a file not owned by me, namely /tmp/test.
   If mysql was running as root (which is of course deprecated), I could
   overwrite any file in the system this way and even gain root access
   (as shown by someone on bugtraq), I think.
   
   Did I overlook something?
   
   So it looks to me that at least 3.23.33 is not secure in this respect (I
   have not checked 3.23.34 or 3.23.35 because for both, problems were
   reported that prevent their use in production systems).
   
   Even without MySQL running as root, I can do a lot of harm (with
   privilege to create tables, I can probably gain MySQL root privileges,
   delete any other table, delete configs and log files and so on).
   
 Running mysql as root is not safe. 

I did not presume running mysql as root. See above: The files are
owned by user 'mysql'.

And I even explained which harm one can do with only getting
mysql-user rights.

 Next, you had full shell access, with which you can accomplish
 practically anything.

Huh? That's new to me. I agree that someone in the know can almost always
find some way to gain root privileges if shell access is granted,
but it is far more difficult than the two-liner above, which every
script kiddie can use.

You don't really want to compare that, do you?

Btw, I don't need full shell access. I only need the possibility to
create a link, for example a buggy CGI-script with www privileges
which I can talk to executing ln -s /...

This way two "harmless" bugs become a serious one.

 Just take a look at passwd or shadow file, crack it and you can have
 what ever you want.

Well, the point of the shadow file is that it is *not* world readable. I
always thought that's what it's made for.

In other words: on a properly secured system, it's not impossible, but
a lot more difficult to do what you are talking about.

I cannot really believe that you meant that stuff as a serious
explanation that the bug shown above is not harmful.

 Last but not least, there is another matter. CREATE and FILE
 privileges also should not be granted lightly.

Of course, that's why I was explicitly talking about the fact that the
user needs CREATE privileges (FILE privileges are not needed, if I am
not mistaken).








Re: FW: potential vulnerability of mysqld running with root privileges

2001-03-21 Thread Sinisa Milivojevic

Benjamin Pflugmann writes:
  Hi.
cut 
  Of course, that why I was explicitly talking about the fact, that the
  user needs CREATE privileges (FILE privileges are not needed, If I am
  not mistaken).
  
  
  
  


First of all, it is easy to reproduce a test case.

Second, that FILE privilege I was citing is there because of SELECT ..
INTO OUTFILE ... I thought that you would understand that.

Regarding shadow file, I can crack it in 15 minutes, if I had the
interest, but I have no such interests. And I did it only on my own
computer once 4 years ago.

A CGI script that could be talked to executing ln -s 

That is a bit far fetched. 

Any scenario that involves shell access (or funny CGI scripts) or
similar, can not be considered as MySQL security flaw.

Regards,

Sinisa





Re: FW: potential vulnerability of mysqld running with root privileges

2001-03-21 Thread Benjamin Pflugmann

Hi.

Unfortunately, again you don't answer my mail, but only a side
comment I made. :-(

On Wed, Mar 21, 2001 at 03:37:45PM +0200, [EMAIL PROTECTED] wrote:
 Benjamin Pflugmann writes:
   Hi.
 cut 
   Of course, that why I was explicitly talking about the fact, that the
   user needs CREATE privileges (FILE privileges are not needed, If I am
   not mistaken).
 
 First of all, it is easy to reproduce a test case.

Sorry, but I don't understand what you refer to.

 Second, that FILE privilege I was citing is there because of SELECT ..
 INTO OUTFILE ... I thought that you would understand that.

Oh. Are we getting personal?

<RANT>Sorry that I tried to help improve a great product.</RANT>

Does that mean you already verified that SELECT ... INTO OUTFILE is
vulnerable, too, or is this just an assumption? 

 Regarding shadow file, I can crack it in 15 minutes, if I had the
 interest, but I have no such interests.

Yes, I already acknowledged in a part of my mail you decided not
to quote, that someone in the know will find a way.

 And I did it only on my own computer once 4 years ago.

 A CGI script that could be talked to executing ln -s 
 
 That is a bit far fetched.

 Any scenario that involves shell access (or funny CGI scripts) or
 similar, can not be considered as MySQL security flaw.

Well, that depends. IMO, this is a security flaw, because you can get
MySQL to do something it should IMO not do.

I already agreed (again, in a part of my last mail you did not quote)
that there is room to argue about the probability that someone has the
environment to use it.

Nevertheless, you agree that this behaviour is not intended and should
/ will be fixed?

Bye,

Benjamin.






Re: FW: potential vulnerability of mysqld running with root privileges

2001-03-21 Thread Sinisa Milivojevic

Benjamin Pflugmann writes:
  Hi.
cut 
  I already agreed (again, in a part of my last mail you did not quote)
  that there is room to argue about the probability that someone has to
  environment to use it.
  
  Nevertheless, you agree that this behaviour is not intended and should
  / will be fixed?
  
  Bye,
  
  Benjamin.
  
  

Can you describe precisely, what is it that you would like to see get
fixed ??


Regards,

Sinisa





Re: FW: potential vulnerability of mysqld running with root privileges

2001-03-21 Thread Benjamin Pflugmann

Hi.

On Wed, Mar 21, 2001 at 11:25:01AM +0100, [EMAIL PROTECTED] wrote:
[...]
The original message below was posted to the BugTraq mailing list. Have the
developers seen this? I know it talks about version mysql-3.20.32a (which is
ancient), but he mentions that it affects other versions.
 
  Did I overlook something?
 
 No, it's me who overlooked something :-(
 Sorry for confusion...

No problem.

 Anyway, this would be fixed asap.

Thank you for the clarification.

Bye,

Benjamin.






Re: FW: potential vulnerability of mysqld running with root privileges

2001-03-21 Thread Benjamin Pflugmann

Hi.

On Wed, Mar 21, 2001 at 02:56:42PM +0100, I wrote:
[...]
 Nevertheless, you agree that this behaviour is not intended and should
 / will be fixed?

Sergei (implicitly) answered this question in another mail, so you may
consider this thread as closed. I expect no further answer.

Bye,

Benjamin.





Re: FW: potential vulnerability of mysqld running with root privileges

2001-03-21 Thread

This isn't a new bug.  This was mentioned about a year ago.

Besides, this isn't just a mysqld problem - it's a problem that plagues ANY TCP/IP 
based daemon.  It's common sys admin sense NOT to run ANY daemon as root unless there 
is absolutely, positively NO OTHER WAY to get it to run properly.

Benjamin Pflugmann [EMAIL PROTECTED] wrote:

 Hi.
 
 All your arguments are irrelevant regarding my post: Sergei stated
 that MySQL 3.23 would not be vulnerable to the posted exploit and I
 proved it is (respecting the rules given in the exploit). I never
 argued about the impact of the exploit.
 
 To be true, I am worried about the answers we get. First, I wonder
 about how Sergei was not able to repeat it, when I had no problem. A
 test case showing that it did not work for him would have been nice
 (sorry, Sergei, no harm intended).
 
 Then you simply "talk away" the harm of this exploit, and ignore what
 was said before. All your arguments may be valid, but have nothing to
 do with the fact that there is an exploitable bug, regardless how many
 impact it has.
 
 In fact, until now, nobody from MySQL even officially acknowledged that
 there is a problem, except implicitly by discussing it (on the
 mysql-list I mean... there was an answer on bugtraq).
 
 I wrote my last mail just because I already confirmed that problem
 with 3.23 after I read bugtraq and therefore knew, that Sergei must
 have tested in a different way than me.
 

--
===
"If you put three drops of poison into a 100 percent pure Java, you get - Windows. If 
you put a few drops of Java into Windows, you still have Windows."
-- Sun Microsystems CEO, Scott McNealy





Re: FW: potential vulnerability of mysqld running with root privileges

2001-03-21 Thread alvin

Benjamin Pflugmann wrote:
 
 Hi.
 
 All your arguments are irrelevant regarding my post: Sergei stated
 that MySQL 3.23 would not be vulnerable to the posted exploit and I
 proved it is (respecting the rules given in the exploit). I never
 argued about the impact of the exploit.
 
 To be true, I am worried about the answers we get. First, I wonder
 about how Sergei was not able to repeat it, when I had no problem. A
 test case showing that it did not work for him would have been nice
 (sorry, Sergei, no harm intended).
 
 Then you simply "talk away" the harm of this exploit, and ignore what
 was said before. All your arguments may be valid, but have nothing to
 do with the fact that there is an exploitable bug, regardless how many
 impact it has.
 
 In fact, until now, nobody from MySQL even officially acknowledged that
 there is a problem, except implicitly by discussing it (on the
 mysql-list I mean... there was an answer on bugtraq).
 
 I wrote my last mail just because I already confirmed that problem
 with 3.23 after I read bugtraq and therefore knew, that Sergei must
 have tested in a different way than me.
 
 But now I am upset about the fact, that obviously my post was not
 taken seriously. :-(

I do not think you were not taken seriously from what I read, but the
example you gave was based on having access to both root and the
database admin accounts. If you lose control over these accounts then
you are in deep trouble. And this is not just for MySQL but for just
about any DB or other software package for that matter.

 My comments to your arguments follow below.
 
 Bye,
 
 Benjamin.
 
 On Wed, Mar 21, 2001 at 02:23:43PM +0200, [EMAIL PROTECTED] wrote:
 [...]
newton:~ mysql -u root -e "select version()"
+-----------+
| version() |
+-----------+
| 3.23.33   |
+-----------+

at this point you have lost control of your system. You are running as
root and then "su" to mysql. Now you are the sysadmin for the mysql
package. 

8:26:25 newton:~ sudo -u mysql touch /tmp/test # just created a file owned by mysql-user
8:26:45 newton:~ ln -sf /tmp/test /tmp/yikes.MYI
8:26:54 newton:~ ls -l /tmp
[...]
-rw-r--r--    1 mysql    mysql           0 Mar 21 08:26 test
lrwxrwxrwx    1 philemon philemon        9 Mar 21 08:28 yikes.MYI -> /tmp/test

you created yikes.MYI as mysql. How is it that it is now owned by
philemon?

8:26:57 newton:~ mysql ../../../../tmp -e "create table yikes(w int(4))"
8:27:02 newton:~ ls -l /tmp
[...]
-rw-r--r--    1 mysql    mysql        1024 Mar 21 08:28 test
-rw-rw----    1 mysql    mysql           0 Mar 21 08:28 yikes.MYD
lrwxrwxrwx    1 philemon philemon        9 Mar 21 08:28 yikes.MYI -> /tmp/test
-rw-rw----    1 mysql    mysql        8548 Mar 21 08:28 yikes.frm
   
So, I have just overwritten a file not owned by me, namely /tmp/test.
If mysql was running as root (which is of course deprecated), I could
overwrite any file in the system this way and even gain root access
(as shown by someone on bugtraq), I think.
   
Did I overlook something?

the point you are missing is that to do this you have to have root or
administrator access. If this is a bug, the same bug exists with Oracle
and Sybase. At the point when you do the "ln -s" you have lost control
of your system, so the problem is not MySQL's but your general system
security. To put the point another way: the command rm has a bug. If I
am root I can remove a file that I do not own. Admittedly it is an
extreme example, but the point is that if you lose control of root/admin
you are in deep trouble.


Now I would agree that you have a problem with MySQL if you were able to
create a table that pointed to an arbitrary location from within MySQL.
Also note that the /tmp/test created is owned by mysql; it is not owned
by root or any other arbitrary user, and is not executable or writeable
by anybody but mysql.

   
So, it looks to me, that at least 3.23.33 is not secure in this way (I
have not compared 3.23.34 resp. 3.23.35 because for both problems were
reported preventing them from use in production systems).
   
Even without MySQL running as root, I can do a lot of harm (with
privilege to create tables, I can probably gain MySQL root privileges,
delete any other table, delete configs and log files and so on).
   
  Running mysql as root is not safe.
 
 I did not presume running mysql as root. See above: The files are
 owned by user 'mysql'.

but you did presume to make your changes to the filesystem structure as
root or at the very least as the package admin.

 
 And I even explained which harm one can do with only getting
 mysql-user rights.

this is mysql admin rights. not regular mysql users.

  Next, you had full shell access, with which you can accomplish
  practically anything.
 
 Huh? That's new to me. I agree, that someone in the know almost always
 can find some way to gain root privileges if shell access is 

Re: FW: potential vulnerability of mysqld running with root privileges

2001-03-21 Thread Thalis A. Kalfigopoulos

I think that Benjamin was trying to make a point here regarding an easily reproducible 
scenario (I don't care if you wanna call it a "security flaw" or a "flying pig") under 
some conditions which are not that hard to come upon in the real world.

The problem that really comes to mind is that some people think mysql is the next big 
thing after instant coffee. Most people, probably me included, made the mysql choice 
without much thought or background search. The inferring mechanism usually is 'it is 
popular'='it must be good'. So even more people join in, so it gets more popular...ad 
infinitum.

I only realized how many things were missing after I started using it, and I'm not 
willing to give it up because I don't really have any real-world/high-volume/critical 
application needs and there is still stuff to learn working with it. As long as I can 
play around and it doesn't crash every other day, I'm happy.

regards,
thalis


On Wed, 21 Mar 2001, Sinisa Milivojevic wrote:

 Benjamin Pflugmann writes:
   Hi.
 cut 
   Of course, that why I was explicitly talking about the fact, that the
   user needs CREATE privileges (FILE privileges are not needed, If I am
   not mistaken).
   
   
   
   
 
 
 First of all, it is easy to reproduce a test case.
 
 Second, that FILE privilege I was citing is there because of SELECT ..
 INTO OUTFILE ... I thought that you would understand that.
 
 Regarding shadow file, I can crack it in 15 minutes, if I had the
 interest, but I have no such interests. And I did it only on my own
 computer once 4 years ago.
 
 A CGI script that could be talked to executing ln -s 
 
 That is a bit far fetched. 
 
 Any scenario that involves shell access (or funny CGI scripts) or
 similar, can not be considered as MySQL security flaw.
 
 Regards,
 
 Sinisa






Re: FW: potential vulnerability of mysqld running with root privileges

2001-03-20 Thread Sergei Golubchik

Hi!

On Mar 20, Basil Hussain wrote:
 Hi all,
 
 The original message below was posted to the BugTraq mailing list. Have the
 developers seen this? I know it talks about version mysql-3.20.32a (which is
 ancient), but he mentions that it affects other versions.
 
 Anyway, I don't run my MySQL server as root, so I'm not worried. :)
 

You shouldn't.

MySQL-3.23 is not vulnerable.

Regards,
Sergei
