diff options
| author | unknown <msvensson@pilot.mysql.com> | 2007-02-14 14:44:34 +0100 |
|---|---|---|
| committer | unknown <msvensson@pilot.mysql.com> | 2007-02-14 14:44:34 +0100 |
| commit | c4ae01e6f0e9055f0e541aa42a653c6ab0e24b7b (patch) | |
| tree | f44f19f58dde92ae9260a654f9d2d1be4cd163f5 /sql | |
| parent | e04d00100429373fc4575895cbd282d1289e6dbd (diff) | |
| download | mariadb-git-c4ae01e6f0e9055f0e541aa42a653c6ab0e24b7b.tar.gz | |
Bug#18628 mysql-test-run: security problem(part1)
- Implement --secure-file-priv=<dir> option that limits
"load_file", "LOAD DATA" and "SELECT .. INTO OUTFILE" to work
with files in specified dir.
- Use above option for mysqld in mysql-test-run.pl
mysql-test/mysql-test-run.pl:
Add usage of --secure-file-priv=vardir when starting mysqld
mysql-test/r/loaddata.result:
Update test result after adding test to check that secure-file-priv
works for "load data" and "load_file"
mysql-test/r/outfile.result:
Update result
mysql-test/r/query_cache.result:
Can't load from outside of vardir anymore
mysql-test/r/type_blob.result:
Can't load from outside of vardir anymore
mysql-test/t/loaddata.test:
Update test result after adding test to check that secure-file-priv
works for "load data" and "load_file"
mysql-test/t/outfile.test:
Update test result after adding test to check that secure-file-priv
works for "SELECT .. INTO OUTFILE"
mysql-test/t/query_cache.test:
Can't load from outside of vardir anymore
mysql-test/t/type_blob.test:
Can't load from outside of vardir anymore
sql/item_strfunc.cc:
Check that the path "load_file" uses for the file is within
what's specified with --secure-file-priv
sql/mysql_priv.h:
Add secure_file_priv
sql/mysqld.cc:
Add "--secure_file_priv"
sql/set_var.cc:
Add variable "secure_file_priv" to "show variables"
sql/sql_class.cc:
Check that the path "load_file" uses for the file is within
what's specified with --secure-file-priv
sql/sql_class.h:
Fix spelling error
sql/sql_load.cc:
Check that the path "load_file" uses for the file is within
what's specified with --secure-file-priv
sql/share/errmsg.txt:
Fix swedish error message for ER_OPTION_PREVENTS_STATMENT wich was hardcoded
to --skip-grant-tables
Diffstat (limited to 'sql')
| -rw-r--r-- | sql/item_strfunc.cc | 5 | ||||
| -rw-r--r-- | sql/mysql_priv.h | 1 | ||||
| -rw-r--r-- | sql/mysqld.cc | 20 | ||||
| -rw-r--r-- | sql/set_var.cc | 4 | ||||
| -rw-r--r-- | sql/share/errmsg.txt | 2 | ||||
| -rw-r--r-- | sql/sql_class.cc | 12 | ||||
| -rw-r--r-- | sql/sql_class.h | 2 | ||||
| -rw-r--r-- | sql/sql_load.cc | 9 |
8 files changed, 50 insertions, 5 deletions
diff --git a/sql/item_strfunc.cc b/sql/item_strfunc.cc index f98a14d2cc6..6897ffda56a 100644 --- a/sql/item_strfunc.cc +++ b/sql/item_strfunc.cc @@ -2767,6 +2767,11 @@ String *Item_load_file::val_str(String *str) (void) fn_format(path, file_name->c_ptr(), mysql_real_data_home, "", MY_RELATIVE_PATH | MY_UNPACK_FILENAME); + /* Read only allowed from within dir specified by secure_file_priv */ + if (opt_secure_file_priv && + strncmp(opt_secure_file_priv, path, strlen(opt_secure_file_priv))) + goto err; + if (!my_stat(path, &stat_info, MYF(0))) goto err; diff --git a/sql/mysql_priv.h b/sql/mysql_priv.h index 8ffa73d1707..f27dabab832 100644 --- a/sql/mysql_priv.h +++ b/sql/mysql_priv.h @@ -1259,6 +1259,7 @@ extern my_bool opt_slave_compressed_protocol, use_temp_pool; extern my_bool opt_readonly, lower_case_file_system; extern my_bool opt_enable_named_pipe, opt_sync_frm, opt_allow_suspicious_udfs; extern my_bool opt_secure_auth; +extern char* opt_secure_file_priv; extern my_bool opt_log_slow_admin_statements; extern my_bool sp_automatic_privileges, opt_noacl; extern my_bool opt_old_style_user_limits, trust_function_creators; diff --git a/sql/mysqld.cc b/sql/mysqld.cc index e57e46bc30e..87760c3ded5 100644 --- a/sql/mysqld.cc +++ b/sql/mysqld.cc @@ -369,6 +369,7 @@ ulong opt_ndb_nodeid; my_bool opt_readonly, use_temp_pool, relay_log_purge; my_bool opt_sync_frm, opt_allow_suspicious_udfs; my_bool opt_secure_auth= 0; +char* opt_secure_file_priv= 0; my_bool opt_log_slow_admin_statements= 0; my_bool lower_case_file_system= 0; my_bool opt_large_pages= 0; @@ -1145,6 +1146,7 @@ void clean_up(bool print_message) #endif x_free(opt_bin_logname); x_free(opt_relay_logname); + x_free(opt_secure_file_priv); bitmap_free(&temp_pool); free_max_user_conn(); #ifdef HAVE_REPLICATION @@ -4698,7 +4700,8 @@ enum options_mysqld OPT_TABLE_LOCK_WAIT_TIMEOUT, OPT_PORT_OPEN_TIMEOUT, OPT_MERGE, - OPT_INNODB_ROLLBACK_ON_TIMEOUT + OPT_INNODB_ROLLBACK_ON_TIMEOUT, + OPT_SECURE_FILE_PRIV }; @@ -5337,6 +5340,10 @@ Can't be set to 1 if --log-slave-updates is used.", {"secure-auth", OPT_SECURE_AUTH, "Disallow authentication for accounts that have old (pre-4.1) passwords.", (gptr*) &opt_secure_auth, (gptr*) &opt_secure_auth, 0, GET_BOOL, NO_ARG, my_bool(0), 0, 0, 0, 0, 0}, + {"secure-file-priv", OPT_SECURE_FILE_PRIV, + "Limit LOAD DATA, SELECT ... OUTFILE, and LOAD_FILE() to files within specified directory", + (gptr*) &opt_secure_file_priv, (gptr*) &opt_secure_file_priv, 0, + GET_STR_ALLOC, REQUIRED_ARG, 0, 0, 0, 0, 0, 0}, {"server-id", OPT_SERVER_ID, "Uniquely identifies the server instance in the community of replication partners.", (gptr*) &server_id, (gptr*) &server_id, 0, GET_ULONG, REQUIRED_ARG, 0, 0, 0, @@ -6366,6 +6373,7 @@ static void mysql_init_variables(void) opt_logname= opt_update_logname= opt_binlog_index_name= opt_slow_logname= 0; opt_tc_log_file= (char *)"tc.log"; // no hostname in tc_log file name ! opt_secure_auth= 0; + opt_secure_file_priv= 0; opt_bootstrap= opt_myisam_log= 0; mqh_used= 0; segfaulted= kill_in_progress= 0; @@ -7404,6 +7412,16 @@ static void fix_paths(void) exit(1); } #endif /* HAVE_REPLICATION */ + /* + Convert the secure-file-priv option to system format, allowing + a quick strcmp to check if read or write is in an allowed dir + */ + if (opt_secure_file_priv) + { + convert_dirname(buff, opt_secure_file_priv, NullS); + my_free(opt_secure_file_priv, MYF(0)); + opt_secure_file_priv= my_strdup(buff, MYF(MY_FAE)); + } } diff --git a/sql/set_var.cc b/sql/set_var.cc index 9b02a192fe5..8562d052411 100644 --- a/sql/set_var.cc +++ b/sql/set_var.cc @@ -358,6 +358,8 @@ sys_query_cache_wlock_invalidate("query_cache_wlock_invalidate", &SV::query_cache_wlock_invalidate); #endif /* HAVE_QUERY_CACHE */ sys_var_bool_ptr sys_secure_auth("secure_auth", &opt_secure_auth); +sys_var_const_str_ptr sys_secure_file_priv("secure_file_priv", + &opt_secure_file_priv); sys_var_long_ptr sys_server_id("server_id", &server_id, fix_server_id); sys_var_bool_ptr sys_slave_compressed_protocol("slave_compressed_protocol", &opt_slave_compressed_protocol); @@ -719,6 +721,7 @@ sys_var *sys_variables[]= &sys_rpl_recovery_rank, &sys_safe_updates, &sys_secure_auth, + &sys_secure_file_priv, &sys_select_limit, &sys_server_id, #ifdef HAVE_REPLICATION @@ -1027,6 +1030,7 @@ struct show_var_st init_vars[]= { #endif {sys_rpl_recovery_rank.name,(char*) &sys_rpl_recovery_rank, SHOW_SYS}, {"secure_auth", (char*) &sys_secure_auth, SHOW_SYS}, + {"secure_file_priv", (char*) &sys_secure_file_priv, SHOW_SYS}, #ifdef HAVE_SMEM {"shared_memory", (char*) &opt_enable_shared_memory, SHOW_MY_BOOL}, {"shared_memory_base_name", (char*) &shared_memory_base_name, SHOW_CHAR_PTR}, diff --git a/sql/share/errmsg.txt b/sql/share/errmsg.txt index e09629a1f3e..adafdf2818b 100644 --- a/sql/share/errmsg.txt +++ b/sql/share/errmsg.txt @@ -5045,7 +5045,7 @@ ER_OPTION_PREVENTS_STATEMENT ger "Der MySQL-Server läuft mit der Option %s und kann diese Anweisung deswegen nicht ausführen" por "O servidor MySQL está rodando com a opção %s razão pela qual não pode executar esse commando" spa "El servidor MySQL está rodando con la opción %s tal que no puede ejecutar este comando" - swe "MySQL är startad med --skip-grant-tables. Pga av detta kan du inte använda detta kommando" + swe "MySQL är startad med %s. Pga av detta kan du inte använda detta kommando" ER_DUPLICATED_VALUE_IN_TYPE eng "Column '%-.100s' has duplicated value '%-.64s' in %s" ger "Feld '%-.100s' hat doppelten Wert '%-.64s' in %s" diff --git a/sql/sql_class.cc b/sql/sql_class.cc index 0794d4c797a..8fc0fb0a1b7 100644 --- a/sql/sql_class.cc +++ b/sql/sql_class.cc @@ -1084,7 +1084,7 @@ static File create_file(THD *thd, char *path, sql_exchange *exchange, IO_CACHE *cache) { File file; - uint option= MY_UNPACK_FILENAME; + uint option= MY_UNPACK_FILENAME | MY_RELATIVE_PATH; #ifdef DONT_ALLOW_FULL_LOAD_DATA_PATHS option|= MY_REPLACE_DIR; // Force use of db directory @@ -1097,7 +1097,15 @@ static File create_file(THD *thd, char *path, sql_exchange *exchange, } else (void) fn_format(path, exchange->file_name, mysql_real_data_home, "", option); - + + if (opt_secure_file_priv && + strncmp(opt_secure_file_priv, path, strlen(opt_secure_file_priv))) + { + /* Write only allowed to dir or subdir specified by secure_file_priv */ + my_error(ER_OPTION_PREVENTS_STATEMENT, MYF(0), "--secure-file-priv"); + return -1; + } + if (!access(path, F_OK)) { my_error(ER_FILE_EXISTS_ERROR, MYF(0), exchange->file_name); diff --git a/sql/sql_class.h b/sql/sql_class.h index 05034ebd573..1fe5ef54043 100644 --- a/sql/sql_class.h +++ b/sql/sql_class.h @@ -1674,7 +1674,7 @@ public: #define SYSTEM_THREAD_SLAVE_SQL 4 /* - Used to hold information about file and file structure in exchainge + Used to hold information about file and file structure in exchange via non-DB file (...INTO OUTFILE..., ...LOAD DATA...) XXX: We never call destructor for objects of this class. */ diff --git a/sql/sql_load.cc b/sql/sql_load.cc index 0e4057d9ae4..ede70adc378 100644 --- a/sql/sql_load.cc +++ b/sql/sql_load.cc @@ -302,6 +302,15 @@ bool mysql_load(THD *thd,sql_exchange *ex,TABLE_LIST *table_list, if ((stat_info.st_mode & S_IFIFO) == S_IFIFO) is_fifo = 1; #endif + + if (opt_secure_file_priv && + strncmp(opt_secure_file_priv, name, strlen(opt_secure_file_priv))) + { + /* Read only allowed from within dir specified by secure_file_priv */ + my_error(ER_OPTION_PREVENTS_STATEMENT, MYF(0), "--secure-file-priv"); + DBUG_RETURN(TRUE); + } + } if ((file=my_open(name,O_RDONLY,MYF(MY_WME))) < 0) DBUG_RETURN(TRUE); |