[Karmic] MySQL security problem

Bug #419400 reported by Roland Hughes
This bug affects 1 person
Affects: mysql-dfsg-5.1 (Ubuntu)
Status: Won't Fix
Importance: Undecided
Assigned to: Unassigned

Bug Description

Binary package hint: mysql-server-5.1

I have a script and a data file that I have been using for years. Today, after applying the 40 or so updates KPackageKit told me I needed, and rebooting, it no longer works.

roland@logikaldesktop:~/mega_mysql$ mysql -p -e "source load_data.sql" mega_zillionare
Enter password:
ERROR 29 (HY000) at line 3 in file: 'load_data.sql': File '/home/roland/mega_mysql/drawing_data.csv' not found (Errcode: 13)

roland@logikaldesktop:~/mega_mysql$ mysql -p mega_zillionare
Enter password:
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 5
Server version: 5.1.37-1ubuntu2 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> source load_data.sql
Query OK, 0 rows affected (0.00 sec)

Query OK, 0 rows affected (0.00 sec)

ERROR 29 (HY000): File '/home/roland/mega_mysql/drawing_data.csv' not found (Errcode: 13)

roland@logikaldesktop:~/mega_mysql$ cat load_data.sql
delete from drawing_data;
commit;
load data infile "/home/roland/mega_mysql/drawing_data.csv"
into table drawing_data
fields terminated by ','
lines terminated by '\n'
(draw_dt, no_1, no_2, no_3, no_4, no_5, mega_no);roland@logikaldesktop:~/mega_mysql$

I assume someone has been playing with security again, and there is now something which needs to be tweaked somewhere on the system. The file has world read enabled on it, so this is probably a setting which needs to be documented.

Description: Ubuntu karmic (development branch)
Release: 9.10

Roland Hughes (original-seasoned-geek) wrote :

I have fixed this problem on my own, but it points to a deeper issue.

You have to edit an apparmor config file, then reboot. Given the current shutdown problems with Karmic, that is an issue. Where is the GUI for AppArmor? OpenSuSE has one, why doesn't KUbuntu?

sudo scite /etc/apparmor.d/usr.sbin.mysqld

If you don't have SciTE installed, you probably should since it is a very good text editor and doesn't have much baggage.

At the very end of the file, before the closing brace, you need to add a line (or lines) which give mysql access to the directory trees you want to use.

  /var/run/mysqld/mysqld.sock w,
  /home/roland/** rwk,
}

You can restrict access to specific files or to any file in a tree, like I did. rwk = read write kill.

Where is the AppArmor GUI and why isn't it installed automatically if we are now using AppArmor?
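
An added example (not part of the bug report and not Ubuntu's shipped profile): it models the path rules discussed above to show why a profile with no rule for the home directory yields Errcode 13 (EACCES, permission denied), and how the broad `/home/roland/** rwk,` rule compares with a single-file read rule. The profile excerpt, the single-file rule and the second file path are constructed for illustration, and only the `*`, `**` and `?` globs are handled.

```python
import re

# Constructed excerpt in the style of /etc/apparmor.d/usr.sbin.mysqld (not the shipped file).
BASE = """
/usr/sbin/mysqld {
  capability setuid,
  /var/lib/mysql/ r,
  /var/lib/mysql/** rwk,
  /var/run/mysqld/mysqld.sock w,
}
"""
BROAD = "/home/roland/** rwk,"                          # rule quoted in the comment above
NARROW = "/home/roland/mega_mysql/drawing_data.csv r,"  # assumed least-privilege alternative
CSV = "/home/roland/mega_mysql/drawing_data.csv"
OTHER = "/home/roland/Documents/notes.txt"              # constructed unrelated file

def glob_to_regex(glob):
    """AppArmor globs: ** crosses '/', * and ? do not. [] and {} are not handled."""
    table = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    body = re.sub(r"\*\*|\*|\?|[^*?]+",
                  lambda m: table.get(m.group(), re.escape(m.group())), glob)
    return re.compile(body + r"\Z")

def file_rules(profile):
    """Yield (glob, perms) for plain path rules; deny/owner qualifiers are not modelled."""
    for line in profile.splitlines():
        m = re.match(r"\s*(/\S*)\s+([a-zA-Z]+),\s*(#.*)?$", line)
        if m:
            yield m.group(1), m.group(2)

def permits(profile, path, perm):
    """True if some rule covers path and grants perm (r=read, w=write, k=lock).
    Ordinary Unix file permissions still apply on top of this."""
    return any(perm in perms and glob_to_regex(glob).match(path)
               for glob, perms in file_rules(profile))

def report():
    """Map each profile variant to (mysqld may read the CSV, mysqld may write OTHER)."""
    rows = {}
    for name, extra in (("base", ""), ("broad", BROAD), ("narrow", NARROW)):
        profile = BASE.replace("}", "  " + extra + "\n}")
        rows[name] = (permits(profile, CSV, "r"), permits(profile, OTHER, "w"))
    return rows

if __name__ == "__main__":
    for name, (csv_read, other_write) in report().items():
        print(f"{name:7} read CSV={csv_read!s:5} write elsewhere in home={other_write}")
```

A profile edited on disk takes effect once it is reloaded, for example with `sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.mysqld`.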

Mathias Gug (mathiaz) wrote : Re: [Bug 419400] Re: [Karmic] MySQL security problem

On Wed, Aug 26, 2009 at 06:48:56PM -0000, seasoned_geek wrote:
> I have fixed this problem on my own, but it points to a deeper issue.
>
> You have to edit an apparmor config file, then reboot. Given the
> current shutdown problems with Karmic, that is an issue. Where is the
> GUI for AppArmor? OpenSuSE has one, why doesn't KUbuntu?
>
> sudo scite /etc/apparmor.d/usr.sbin.mysqld
>
> If you don't have SciTE installed, you probably should since it is a
> very good text editor and doesn't have much baggage.
>

This isn't an issue related to the mysql-server-5.1 package.

> At the very end of the file, before the closing brace, you need to add a
> line (or lines) which give mysql access to the directory trees you want
> to use.
>
> /var/run/mysqld/mysqld.sock w,
> /home/roland/** rwk,
> }
>

As you've found out, you need to update the apparmor profile of mysqld as
you're not using the default mysql data directory (/var/lib/mysql).

  status wontfix

--
Mathias Gug
Ubuntu Developer http://www.ubuntu.com

Changed in mysql-dfsg-5.1 (Ubuntu):
status: New → Won't Fix

Roland Hughes (original-seasoned-geek) wrote :

No!

You are NOT going to flag this as "won't fix".

This busted because of your (Ubuntu's) update. If you want to move it into AppArmor because they didn't bother to port/auto-install the GUI for maintaining AppArmor or provide any warning they were about to bust things all over, that's fine.

This is a clear and present violation of "just works"!

Forcing a user to hack an obscure file in an obscure directory where they have to previously have been an expert in the OS Kernel is NOT COOL!
