X-RDate: Wed, 01 Apr 1998 09:18:19 +0600 (ESD)
Date: Tue, 31 Mar 1998 20:05:19 +0100
From: Ben Laurie <[email protected]>
To: [email protected]
Subject: Re: mysql: MySQL Security
Michael Widenius wrote:
>
> >>>>> "Sandu" == Sandu Mihai <[email protected]> writes:
>
> Sandu> When you use a certain mysql configuration it is possible to create
> Sandu> files on the system as root with rw-rw-rw.
<snip>
> The file is always created with 0666, by the following code:
>
> sql_class.cc:167: if ((file=my_create(path, 0666, O_WRONLY, MYF(MY_WME))) < 0)
>
> Normally one should never run mysqld as root and one should always
> set a password for the MySQL root user.
Of course:
a) mysqld runs as root by default
b) if you've set the port <1024, so it gets filtered naturally by your
firewall, you have to run as root. The following patch fixes this
problem (on FreeBSD at least), if you add "MYSQL_USER=someuser; export
MYSQL_USER" to safe_mysqld.
Only lightly tested...
--- mysqld.cc.orig Tue Mar 31 19:27:53 1998
+++ mysqld.cc Tue Mar 31 19:35:59 1998
@@ -57,6 +57,8 @@
#define SET_RLIMIT_NOFILE
#endif
+#include <pwd.h>
+
#define MAX_RETRY 10 // Test accept this many times
#define CONNECT_TIMEOUT 3 // Don't wait long for connect
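Review bot: the new `#include <pwd.h>` covers `getpwnam()` and `struct passwd`, but the `set_user()` added later in this patch also calls `geteuid()` and `setuid()` (`<unistd.h>`), `getenv()` (`<stdlib.h>`) and `perror()` (`<stdio.h>`); the hunk does not show whether mysqld.cc already includes those, so please confirm, or add them here next to `<pwd.h>` so the build does not depend on transitive includes.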
@@ -291,6 +293,33 @@
}
}
+static void set_user()
+{
+ struct passwd *ent;
+ char *user;
+
+// don't bother if we aren't superuser
+ if(geteuid())
+ return;
+
+ if(!(user = getenv("MYSQL_USER")))
+ return;
+
+ if(!(ent = getpwnam(user)))
+ {
+ perror("getpwnam");
+ application_end();
+ unireg_abort(1);
+ }
+
+ if(setuid(ent->pw_uid) == -1)
+ {
+ perror("setuid");
+ application_end();
+ unireg_abort(1);
+ }
+}
+
static void server_init(void)
{
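Review bot: `set_user()` changes only the uid; the process keeps gid 0 and root's supplementary groups, so anything group-writable by root's groups is still reachable after the "drop". Call `initgroups(user, ent->pw_gid)` and `setgid(ent->pw_gid)` before `setuid(ent->pw_uid)`, since both fail once the effective uid is no longer root. Two smaller points: the silent `return` when `MYSQL_USER` is unset means a typo in safe_mysqld leaves mysqld running as root with no diagnostic (at least log it, or make the drop mandatory when started as root), and `perror("getpwnam")` is misleading for an unknown user because `getpwnam()` returning NULL for a missing entry does not set `errno`; print the user name instead. Consider also verifying the drop afterwards (`setuid(0)` must now fail) before continuing.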
@@ -336,6 +365,9 @@
application_end();
unireg_abort(1);
}
+
+ set_user();
+
VOID(listen(ip_sock,(int) back_log));
}
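Review bot: placing `set_user()` after the `ip_sock` bind/error block and before `listen()` is the right spot for ports below 1024, since the privileged bind has already happened. One consequence worth a comment or a note in the docs: every file the server opens from here on (tables under the data directory, logs, the `0666` files created by the `my_create()` call quoted above) is now created as `MYSQL_USER`, so those paths must be writable by that user, and any file opened or created as root before this point keeps root's ownership.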
Cheers,
Ben.
--
Ben Laurie |Phone: +44 (181) 735 0686| Apache Group member
Freelance Consultant |Fax: +44 (181) 735 0689|http://www.apache.org
and Technical Director|Email: [email protected] |
A.L. Digital Ltd, |Apache-SSL author http://www.apache-ssl.org/
London, England. |"Apache: TDG" http://www.ora.com/catalog/apache
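The patch above drops only the uid and silently keeps running as root if `MYSQL_USER` is unset. The following is an added example, not Ben's patch and not MySQL's code, of a complete privilege drop as a defender would want it: groups first, then gid, then uid, with a verification step and a fail-closed policy when the configured user is missing. It assumes only the `MYSQL_USER` environment variable named in the mail; the function and enum names are this example's own.

```c
#define _DEFAULT_SOURCE 1   /* exposes initgroups() in <grp.h> on glibc */
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Outcome codes for drop_privileges() (names chosen for this example). */
enum drop_result {
    DROP_OK = 0,              /* now running as the target user */
    DROP_SKIPPED_NOT_ROOT,    /* not root to begin with; nothing to drop */
    DROP_ERR_UNSET,           /* no user configured: refuse to run as root */
    DROP_ERR_NO_USER,         /* target user not in the password database */
    DROP_ERR_SETGROUPS,
    DROP_ERR_SETGID,
    DROP_ERR_SETUID,
    DROP_ERR_STILL_ROOT       /* calls "succeeded" but root can still be regained */
};

/* Resolve a user name to uid/gid. Returns 0 on success, -1 if unknown.
 * getpwnam() does not reliably set errno when the user simply does not
 * exist, so callers must not rely on perror() for this case. */
int lookup_user(const char *name, uid_t *uid, gid_t *gid)
{
    struct passwd *pw;
    errno = 0;
    pw = getpwnam(name);
    if (pw == NULL)
        return -1;
    *uid = pw->pw_uid;
    *gid = pw->pw_gid;
    return 0;
}

/* Returns 1 if the process can no longer obtain root, 0 otherwise. */
int privileges_dropped(void)
{
    if (geteuid() == 0 || getuid() == 0)
        return 0;
    /* For a real non-root process setuid(0) must fail with EPERM. */
    return setuid(0) == -1 ? 1 : 0;
}

enum drop_result drop_privileges(const char *user)
{
    uid_t uid;
    gid_t gid;

    if (geteuid() != 0)
        return DROP_SKIPPED_NOT_ROOT;

    if (lookup_user(user, &uid, &gid) != 0)
        return DROP_ERR_NO_USER;

    /* Order matters: supplementary groups and gid need root, and both calls
     * would fail after setuid() to a non-root uid. */
    if (initgroups(user, gid) != 0)   /* replaces root's supplementary groups */
        return DROP_ERR_SETGROUPS;
    if (setgid(gid) != 0)
        return DROP_ERR_SETGID;
    if (setuid(uid) != 0)             /* as root this sets real, effective and saved uid */
        return DROP_ERR_SETUID;

    /* Never trust the return codes alone: confirm root is gone. */
    if (!privileges_dropped())
        return DROP_ERR_STILL_ROOT;
    return DROP_OK;
}

/* Fail closed: an unset or empty variable is a configuration error, not a
 * reason to keep running as root the way the patch's silent return does. */
enum drop_result drop_privileges_from_env(const char *var)
{
    const char *user = getenv(var);
    if (user == NULL || *user == '\0')
        return DROP_ERR_UNSET;
    return drop_privileges(user);
}

int main(void)
{
    enum drop_result r = drop_privileges_from_env("MYSQL_USER");
    if (r != DROP_OK && r != DROP_SKIPPED_NOT_ROOT) {
        /* errno is only meaningful for the set*() failures, not for NO_USER/UNSET */
        fprintf(stderr, "privilege drop failed (code %d): %s\n", (int)r, strerror(errno));
        return 1;
    }
    printf("running as uid %d, privileges dropped: %d\n",
           (int)geteuid(), privileges_dropped());
    return 0;
}
```

In a daemon the call belongs exactly where the patch puts it: after the privileged bind and before any data or log file is opened, so that everything the server writes from then on is owned by the unprivileged user rather than root.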