Bug 553652
| Field | Value |
|---|---|
| Summary | mysql: use skip-symbolic-links by default |
| Product | [Fedora] Fedora |
| Component | mysql |
| Reporter | Tomas Hoger <thoger> |
| Assignee | Tom Lane <tgl> |
| Status | CLOSED RAWHIDE |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | medium |
| Priority | medium |
| Version | rawhide |
| CC | hhorak, matt, tgl |
| Hardware | All |
| OS | Linux |
| Doc Type | Bug Fix |
| Last Closed | 2010-01-08 15:59:51 UTC |
| Bug Blocks | 553653 |

Description
Tomas Hoger
2010-01-08 14:55:48 UTC
I don't think comment #0 adequately describes the severity of the problems with DATA DIRECTORY and INDEX DIRECTORY. Any DB user with create table privileges can get the mysql server to operate on any path outside the data dir, subject to file permissions. It may even be possible to defeat the check against the data dir by exploiting the races in realpath with the technique from http://www.eecs.berkeley.edu/~daw/papers/races-usenix05.pdf . The server is a deputy waiting to be confused.

A table created with DATA DIRECTORY (likewise INDEX DIRECTORY) is vulnerable to an attacker who has create/drop table and shell access and knows the database and table name. He does not need to know the victim's DATA DIRECTORY; he simply makes a symlink to the symlink at /var/lib/mysql/db/table.MYD, and the server will call realpath, follow both symlinks, and accept the final path because it is outside the data dir. Thus, DATA DIRECTORY is only useful on systems with empowered untrusted users if the table name (or the database name if the data dir is not world-readable) is randomized. And then the application had better not leak SQL error messages containing the table name to those users.

Users with create table access but no shell access can still probe the existence of files and directories by looking at the errnos returned by CREATE TABLE. That probably wasn't what the admin intended by not giving them shell access.

So thanks for setting skip-symbolic-links by default in rawhide. I just set it on my F12 system.

I presume comment #1 is not a request to change or enhance the fix that was applied in response to this bug report.

Btw, upstream position on the DATA/INDEX DIRECTORY issues: http://bugs.mysql.com/bug.php?id=39277#c296884

(In reply to comment #2)
> I presume comment #1 is not a request to change or enhance the fix that was
> applied in response to this bug report.

Correct.

> Btw, upstream position on the DATA/INDEX DIRECTORY issues:
> http://bugs.mysql.com/bug.php?id=39277#c296884

IMO, that's preposterous. The root cause of the vulnerability is the MySQL server accessing arbitrary paths on behalf of untrusted users. If that is indeed upstream's position, it is inconsistent with the security advice section of the manual, which makes no mention of any assumption that untrusted users do not have access to the server filesystem and, on the contrary, recommends setting skip-symbolic-links: http://dev.mysql.com/doc/refman/5.1/en/security-against-attack.html

What would be the appropriate forum in which to browbeat upstream about this?

I put together a new DATA/INDEX DIRECTORY attack that exploits the race in the use of realpath(3). It is entered upstream at: http://bugs.mysql.com/bug.php?id=53748
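
A defender-side check for the setting and the symlinked table files discussed in this thread, added here as an example and not taken from the bug report, MySQL or Fedora: it parses my.cnf text for `skip-symbolic-links` (or `symbolic-links=0`) under `[mysqld]` and lists `.MYD`/`.MYI` symlinks in a data directory, flagging those that resolve outside it. The function names and the sample paths are assumptions made for the illustration.

```python
import os
import re
import tempfile

TABLE_EXTS = (".MYD", ".MYI")  # MyISAM data and index files

def symlinks_disabled(cnf_text):
    """True if the last relevant [mysqld] setting turns symlink support off."""
    section, disabled = None, False
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "mysqld":
            key, _, value = line.partition("=")
            key = key.strip().lower().replace("_", "-")
            if key == "skip-symbolic-links":
                disabled = True
            elif key == "symbolic-links":
                disabled = value.strip().lower() in ("0", "off", "false")
    return disabled

def find_symlinked_tables(datadir):
    """List (relative path, resolved target, outside_datadir) for table-file symlinks.

    Point-in-time snapshot only: it cannot see a link that is swapped between
    check and use, so it complements skip-symbolic-links rather than replacing it.
    """
    root = os.path.realpath(datadir)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(TABLE_EXTS) and os.path.islink(path):
                target = os.path.realpath(path)
                outside = os.path.commonpath([root, target]) != root
                findings.append((os.path.relpath(path, root), target, outside))
    return sorted(findings)

if __name__ == "__main__":
    # Constructed sample: a throwaway data dir with one linked table file.
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "data", "db"))
        open(os.path.join(tmp, "elsewhere.MYD"), "w").close()
        os.symlink(os.path.join(tmp, "elsewhere.MYD"),
                   os.path.join(tmp, "data", "db", "t1.MYD"))
        print(find_symlinked_tables(os.path.join(tmp, "data")))
        print(symlinks_disabled("[mysqld]\nsymbolic-links=0\n"))
```

Run it as the account that owns the data directory so every database subdirectory is readable; database directories that are themselves symlinks are not descended into.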