mysql user has home directory writable by mysqld

Bug #293258 reported by Domas Mituzas
Affects: mysql-dfsg-5.1 (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Unassigned

Bug Description

Binary package hint: mysql-server-5.0

It is quite a serious no-no to have a valid writable home directory for MySQL - anyone with the FILE privilege can create files in ~mysql, thus allowing .rhost-like (.profile, .forward, .plan ;-) attacks on a system.

Fortunately, MySQL does not allow creating databases (directories) with a dot, so immediate access to the ssh directory is not possible, though a clever attacker can find ways... (and even without any shell one can do port forwarding).

There is no need whatsoever for the MySQL user to have a 'home directory' - the 'data directory' should be separate from any unix user context.

Kees Cook (kees)
Changed in mysql-dfsg-5.0:
status: New → Confirmed
Domas Mituzas (domas-mituzas) wrote :

resetting back to new, maybe I failed something

Changed in mysql-dfsg-5.0:
status: Confirmed → New
Chuck Short (zulcss) wrote :

Which version are you using?

Regards
chuck

Changed in mysql-dfsg-5.0 (Ubuntu):
status: New → Incomplete
Domas Mituzas (domas-mituzas) wrote :

intrepid, seems to be same in lenny, hardy, etc.

Andreas Olsson (andol) wrote :

I can confirm that the writable data directory (/var/lib/mysql) is also the default mysql system home directory in at least Hardy (mysql-server 5.0.51a-3ubuntu5.4), Intrepid (mysql-server 5.0.67-0ubuntu6) and Jaunty (mysql-server 5.1.30really5.0.75-0ubuntu8).

Kees Cook (kees)
Changed in mysql-dfsg-5.0 (Ubuntu):
status: Incomplete → Confirmed
Mathias Gug (mathiaz)
Changed in mysql-dfsg-5.0:
importance: Undecided → Medium
Chuck Short (zulcss)
affects: mysql-dfsg-5.0 (Ubuntu) → mysql-dfsg-5.1 (Ubuntu)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mysql-dfsg-5.1 - 5.1.43-1ubuntu2

---------------
mysql-dfsg-5.1 (5.1.43-1ubuntu2) maverick; urgency=low

  [Marc Deslauriers]
  * debian/mysql-server-5.0.preinst: Set mysql user's home directory
    to /nonexistent to protect against having the /var/lib/mysql
    user-writeable. If an attacker can trick mysqld into creating
    dot files in the home directory, he could do .rhost-like attacks
    on the system. (LP: #293258)

  [Chuck Short]
  * debian/mysql-server-5.1.mysql.upstart: Dont wait forever for a ping from
    the mysql server. It might not be configured properly. (LP: #551097)
 -- Chuck Short <email address hidden> Thu, 20 May 2010 15:35:48 -0400

Changed in mysql-dfsg-5.1 (Ubuntu):
status: Confirmed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
