mysql user has home directory writable by mysqld

Bug #293258 reported by Domas Mituzas on 2008-11-03
Affects: mysql-dfsg-5.1 (Ubuntu)
Importance: Medium
Assigned to: Unassigned

Bug Description

Binary package hint: mysql-server-5.0

It is quite a serious no-no to have a valid writeable home directory for MySQL - anyone with the FILE privilege can create files in ~mysql, thus allowing .rhost-like (.profile, .forward, .plan ;-) attacks on a system.

Fortunately, MySQL does not allow creating databases (directories) with a dot, so immediate access to the ssh directory is not possible, though a clever attacker can find ways... (and even without any shell one can do port forwarding).

There is no need whatsoever for the MySQL user to have a 'home directory' - the 'data directory' should be separate from any unix user context.

Kees Cook (kees) on 2009-01-24
Changed in mysql-dfsg-5.0:
status: New → Confirmed
Domas Mituzas (domas-mituzas) wrote :

resetting back to new, maybe I failed something

Changed in mysql-dfsg-5.0:
status: Confirmed → New
Chuck Short (zulcss) wrote :

Which version are you using?

Regards
chuck

Changed in mysql-dfsg-5.0 (Ubuntu):
status: New → Incomplete
Domas Mituzas (domas-mituzas) wrote :

intrepid, seems to be same in lenny, hardy, etc.

Andreas Olsson (andol) wrote :

I can confirm that the writable data directory (/var/lib/mysql) is also the default mysql system home directory in at least Hardy (mysql-server 5.0.51a-3ubuntu5.4), Intrepid (mysql-server 5.0.67-0ubuntu6) and Jaunty (mysql-server 5.1.30really5.0.75-0ubuntu8).

Kees Cook (kees) on 2009-03-24
Changed in mysql-dfsg-5.0 (Ubuntu):
status: Incomplete → Confirmed
Mathias Gug (mathiaz) on 2009-03-30
Changed in mysql-dfsg-5.0:
importance: Undecided → Medium
Chuck Short (zulcss) on 2010-04-22
affects: mysql-dfsg-5.0 (Ubuntu) → mysql-dfsg-5.1 (Ubuntu)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mysql-dfsg-5.1 - 5.1.43-1ubuntu2

---------------
mysql-dfsg-5.1 (5.1.43-1ubuntu2) maverick; urgency=low

  [Marc Deslauriers]
  * debian/mysql-server-5.0.preinst: Set mysql user's home directory
    to /nonexistent to protect against having the /var/lib/mysql
    user-writeable. If an attacker can trick mysqld into creating
    dot files in the home directory, he could do .rhost-like attacks
    on the system. (LP: #293258)

  [Chuck Short]
  * debian/mysql-server-5.1.mysql.upstart: Dont wait forever for a ping from
    the mysql server. It might not be configured properly. (LP: #551097)
 -- Chuck Short <email address hidden> Thu, 20 May 2010 15:35:48 -0400

Changed in mysql-dfsg-5.1 (Ubuntu):
status: Confirmed → Fix Released
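
An added example (not part of the bug report or of the package's maintainer scripts): a POSIX shell check for the condition reported here, a service account whose passwd home directory exists and is writable by that account, run against the home value before and after the fix. The `ROOT` prefix argument, the `demo` function and the sample passwd lines are constructed for this illustration.

```shell
#!/bin/sh
# audit_home PASSWD_FILE ACCOUNT [ROOT]
#   ROOT is a hypothetical prefix so the check can run against a test tree;
#   leave it empty to inspect the live filesystem.
# Returns 0 = fine, 1 = account can write to its own home, 2 = unknown account.
audit_home() {
    passwd_file=$1; account=$2; root=${3:-}
    entry=$(grep "^${account}:" "$passwd_file") || {
        echo "unknown account: $account"; return 2; }
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)    # field 3: numeric uid
    home=$(printf '%s\n' "$entry" | cut -d: -f6)   # field 6: home directory
    dir="${root}${home}"
    if [ ! -d "$dir" ]; then
        echo "ok: home $home does not exist"
        return 0
    fi
    # Permission-bit check only: owned by the account with u+w, or world-writable.
    hit=$(find "$dir" -maxdepth 0 \( -user "$uid" -perm -200 -o -perm -002 \) 2>/dev/null)
    if [ -n "$hit" ]; then
        echo "finding: $account can create files in its home $home"
        return 1
    fi
    echo "ok: home $home exists but is not writable by $account"
    return 0
}

# Constructed demo: a throwaway tree standing in for / and two sample passwd
# lines, one with the data directory as home and one with /nonexistent.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/var/lib/mysql" && chmod 755 "$t/var/lib/mysql"
    me=$(id -u)   # the current uid plays the role of the mysql account
    printf 'mysql:x:%s:%s:MySQL Server,,,:/var/lib/mysql:/bin/false\n' \
        "$me" "$me" > "$t/passwd.before"
    printf 'mysql:x:%s:%s:MySQL Server,,,:/nonexistent:/bin/false\n' \
        "$me" "$me" > "$t/passwd.after"
    audit_home "$t/passwd.before" mysql "$t" || true
    audit_home "$t/passwd.after" mysql "$t" || true
    rm -rf "$t"
}
demo
```

On a real host the equivalent call is `audit_home /etc/passwd mysql`; the data directory itself must stay writable by mysqld, so the finding is about the passwd home field pointing at it.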
This report contains Public Security information
Everyone can see this security related information.
