innobackupex writes "stdout" and "stderr" files to cwd and leaves them behind

Reported by Ville Skyttä on 2010-12-08
This bug affects 6 people
Affects | Status | Importance | Assigned to | Milestone
Percona XtraBackup | | Medium | Valentine Gostev |
1.6 | | Medium | Valentine Gostev |
2.0 | | Medium | Valentine Gostev |

Bug Description

innobackupex-1.5.1 from xtrabackup-1.4-74.rhel5 writes "stdout" and "stderr" files to the current directory when backing up, and leaves them behind after backup is done.

There's nothing in innobackupex-1.5.1 --help about this, there's no documentation in the rpm, and there was not a mention about this in the release notes. Also, it seems to write to these files blindly which may result in an arbitrary file overwrite vulnerability (if these files exist and are symlinks).

I suggest using secure temporary files for these (e.g. using the File::Temp module), and cleaning them up on exit.

Changed in percona-xtrabackup:
assignee: nobody → Valentine Gostev (core-longbow)
Changed in percona-xtrabackup:
importance: Undecided → Wishlist
status: New → Confirmed
Reinier Lamers (lamers) wrote :

This also means that innobackupex can only run if it has permissions to create and write files. With XtraBackup 1.2, this was not the case. So an upgrade to 1.6 breaks my backup script.

Changed in percona-xtrabackup:
assignee: Valentine Gostev (core-longbow) → Rodrigo Gadea (rodrigo-gadea-percona)
importance: Wishlist → Medium
Stewart Smith (stewart) on 2011-05-20
Changed in percona-xtrabackup:
status: Confirmed → Triaged
Stewart Smith (stewart) on 2011-06-12
Changed in percona-xtrabackup:
status: Triaged → In Progress
Changed in percona-xtrabackup:
assignee: Rodrigo Gadea (rodrigo-gadea-percona) → Valentine Gostev (longbow)
Stewart Smith (stewart) wrote :

should use tmpfile() instead (or similar... whatever it is currently in perl)

Ville Skyttä (vskytta) wrote :

I'd say that'd be something from the File::Temp module.
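
Added example, not part of the original report and not innobackupex code: one way to capture a child process's stdout and stderr with File::Temp instead of fixed-name files in the current directory, as the report and comments suggest. The sub name run_captured, the template names and the sample command are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempfile);
use POSIX ();

# Pattern described in the report, shown for contrast only (not executed):
#   open(my $out, '>', 'stdout');   # fixed name in cwd: follows a symlink
#   open(my $err, '>', 'stderr');   # and truncates whatever it points to

# Run @cmd and return (exit status, stdout text, stderr text).
sub run_captured {
    my @cmd = @_;

    # tempfile() creates each file with O_CREAT|O_EXCL under a random name,
    # so an existing file or symlink is never opened. UNLINK => 1 removes
    # the file when the program exits. Template names are hypothetical.
    my %opts = (DIR => File::Spec->tmpdir, UNLINK => 1);
    my ($out_fh) = tempfile('capture-out-XXXXXXXX', %opts);
    my ($err_fh) = tempfile('capture-err-XXXXXXXX', %opts);

    my $pid = fork();
    die "fork failed: $!" unless defined $pid;
    if ($pid == 0) {
        # Child: point fd 1 and fd 2 at the already-open temp files.
        open(STDOUT, '>&', $out_fh) or POSIX::_exit(126);
        open(STDERR, '>&', $err_fh) or POSIX::_exit(126);
        exec(@cmd) or do { warn "exec failed: $!\n"; POSIX::_exit(127) };
    }
    waitpid($pid, 0);
    my $status = $? >> 8;

    # Read back through the handles already held, not by reopening a name.
    my @text;
    for my $fh ($out_fh, $err_fh) {
        seek($fh, 0, 0) or die "seek failed: $!";
        local $/;                      # slurp mode
        push @text, scalar <$fh>;
        close($fh);
    }
    return ($status, @text);
}

# Constructed sample command standing in for the real backup child process.
my ($status, $out, $err) =
    run_captured($^X, '-e', 'print "backup ok\n"; warn "note\n"; exit 3');
print "exit=$status\nstdout: ${out}stderr: $err";
```

Because the files live in the system temporary directory and are removed at exit, the caller no longer needs write permission in the current directory and nothing is left behind after the run.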
