Ubuntu
mysql-dfsg-5.1 package

mysql user has home directory writable by mysqld

Bug #293258 reported by Domas Mituzas on 2008-11-03

262

Affects

Status

Importance

Assigned to

Milestone

mysql-dfsg-5.1 (Ubuntu)

Fix Released

Medium

Unassigned

You need to log in to change this bug's status.

Affecting:	mysql-dfsg-5.1 (Ubuntu)
Filed here by:	Domas Mituzas
When:	2008-11-03
Confirmed:	2009-03-24
Started work:	2010-05-25
Completed:	2010-05-25

Target

Distribution
Package	(Find…)
Project	(Find…)

Status	Importance
	Medium

Assigned to

	Nobody
	Me

Comment on this change (optional)

Email me about changes to this bug report

(?)

Bug Description

Binary package hint: mysql-server-5.0

It is quite serious no-no of having valid writeable home directory for MySQL - anyone with FILE privilege can create files in ~mysql, thus allowing to do .rhost-like (.profile, .forward, .plan ;-) attacks on a system.

Fortunately, MySQL does not allow creating databases (directories) with a dot, so immediate access to ssh directory is not possible, though clever attacker can find ways.. (and even without any shell one can do port forwarding).

There is no need whatsoever for MySQL user to have a 'home directory' - the 'data directory' should be separate from any unix user context.

Add tags Tag help

Related branches

lp:ubuntu/maverick/mysql-dfsg-5.1

lp:ubuntu/maverick/mysql-5.1

lp:ubuntu/natty/mysql-5.1

lp:ubuntu/oneiric/mysql-5.1

Kees Cook (kees) on 2009-01-24

Changed in mysql-dfsg-5.0:
status:	New → Confirmed

Domas Mituzas (domas-mituzas) wrote on 2009-03-23:

resetting back to new, maybe I failed something

Changed in mysql-dfsg-5.0:
status:	Confirmed → New

Chuck Short (zulcss) wrote on 2009-03-23:

Which version are you using?

Regards
chuck

Changed in mysql-dfsg-5.0 (Ubuntu):
status:	New → Incomplete

Domas Mituzas (domas-mituzas) wrote on 2009-03-23:

intrepid, seems to be same in lenny, hardy, etc.

Andreas Olsson (andol) wrote on 2009-03-24:

I can confirm that the writable data directory (/var/lib/mysql) is also the default mysql system home directory in at least Hardy (mysql-server 5.0.51a-3ubuntu5.4), Intrepid (mysql-server 5.0.67-0ubuntu6) and Jaunty (mysql-server 5.1.30really5.0.75-0ubuntu8).

Kees Cook (kees) on 2009-03-24

Changed in mysql-dfsg-5.0 (Ubuntu):
status:	Incomplete → Confirmed

Mathias Gug (mathiaz) on 2009-03-30

Changed in mysql-dfsg-5.0:
importance:	Undecided → Medium

Chuck Short (zulcss) on 2010-04-22

affects:

mysql-dfsg-5.0 (Ubuntu) → mysql-dfsg-5.1 (Ubuntu)

Launchpad Janitor (janitor) wrote on 2010-05-25:

This bug was fixed in the package mysql-dfsg-5.1 - 5.1.43-1ubuntu2

---------------
mysql-dfsg-5.1 (5.1.43-1ubuntu2) maverick; urgency=low

  [Marc Deslauriers]
  * debian/mysql-server-5.0.preinst: Set mysql user's home directory
    to /nonexistent to protect against having the /var/lib/mysql
    user-writeable. If an attacker can trick mysqld into creating
    dot files in the home directory, he could do .rhost-like attacks
    on the system. (LP: #293258)

  [Chuck Short]
  * debian/mysql-server-5.1.mysql.upstart: Dont wait forever for a ping from
    the mysql server. It might not be configured properly. (LP: #551097)
-- Chuck Short <email address hidden> Thu, 20 May 2010 15:35:48 -0400

Changed in mysql-dfsg-5.1 (Ubuntu):
status:	Confirmed → Fix Released

Report a bug

This report contains Public Security information Edit

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Ubuntumysql-dfsg-5.1 package

mysql user has home directory writable by mysqld

Bug Description

Related branches

Other bug subscribers

Ubuntu
mysql-dfsg-5.1 package