Re: MySQL user can be changed to root

Guido A.J. Stevens writes:
>
> I can confirm this privilege escalation in mysql-server 3.23.49-8.2
> (debian/stable on linux/i386). Any mysql user with file privileges can trick
> the mysql server into running as root on restart of the mysql subsystem.
>
> Note that mysql prevents you from reading non-world-readable files outside
> the mysql data directory, or overwriting existing files. You can create new
> files as root, though.
>
> mysql> load data infile '/etc/shadow' into table readtext;
> ERROR 1085: The file '/etc/shadow' must be in the database directory or be
> readable by all
> mysql> select * into outfile '/etc/somenewfile' from hack;
> Query OK, 2 rows affected (0.00 sec)
>
> -rw-rw-rw- 1 root root 19 Mar 10 17:22 /etc/somenewfile
>
> Not a rootshell, yet, but lots of new avenues from here.
>
> :*CU#
>

Hi!

Yes, the user with FILE behaviour can create a file in the above
described manner.

That is what FILE permission is all about.

But as our manual mentions in so many places, and as our standard
scripts are desinged and build, mysql server should NEVER be run as
user root. That is why we introduced user mysql who has privileges
only over datadir directory.

So, the above exploit, is not our fault, but fault of the system
administrator.

--
__ ___ ___ ____ __
/ |/ /_ __/ __/ __ \/ / Mr. Sinisa Milivojevic
/ /|_/ / // /\ \/ /_/ / /__ MySQL AB, Fulltime Developer
/_/ /_/\_, /___/\___\_\___/ Larnaca, Cyprus
<___/ www.mysql.com

Join MySQL Users Conference and Expo:
http://www.mysql.com/events/uc2003/


------------------------------------------------------------ ---------
Before posting, please check:
http://www.mysql.com/manual.php (the manual)
http://lists.mysql.com/ (the list archive)

To request this thread, e-mail bugs-thread13933@lists.mysql.com
To unsubscribe, e-mail