From d06e2f922354bb1f98f5fe434ea5445c99af215d Mon Sep 17 00:00:00 2001 From: "svoj@mysql.com/june.mysql.com" <> Date: Tue, 6 Nov 2007 18:09:33 +0400 Subject: [PATCH 1/3] BUG#32111 - Security Breach via DATA/INDEX DIRECORY and RENAME TABLE RENAME TABLE against a table with DATA/INDEX DIRECTORY overwrites the file to which the symlink points. This is security issue, because it is possible to create a table with some name in some non-system database and set DATA/INDEX DIRECTORY to mysql system database. Renaming this table to one of mysql system tables (e.g. user, host) would overwrite the system table. Return an error when the file to which the symlink points exist. --- mysql-test/r/symlink.result | 6 ++++++ mysql-test/t/symlink.test | 12 ++++++++++++ mysys/my_symlink2.c | 11 ++++++++++- 3 files changed, 28 insertions(+), 1 deletion(-) diff --git a/mysql-test/r/symlink.result b/mysql-test/r/symlink.result index d07a8613883..e2b26cb508c 100644 --- a/mysql-test/r/symlink.result +++ b/mysql-test/r/symlink.result @@ -84,3 +84,9 @@ t1 CREATE TABLE `t1` ( `b` int(11) default NULL ) TYPE=MyISAM drop table t1; +CREATE TABLE t1(a INT) +DATA DIRECTORY='TEST_DIR/var/master-data/mysql' +INDEX DIRECTORY='TEST_DIR/var/master-data/mysql'; +RENAME TABLE t1 TO user; +Can't create/write to file 'TEST_DIR/var/master-data/mysql/user.MYI' (Errcode: 17) +DROP TABLE t1; diff --git a/mysql-test/t/symlink.test b/mysql-test/t/symlink.test index 7a42a60054e..9750e6fdfdd 100644 --- a/mysql-test/t/symlink.test +++ b/mysql-test/t/symlink.test @@ -112,3 +112,15 @@ eval alter table t1 index directory="$MYSQL_TEST_DIR/var/log"; enable_query_log; show create table t1; drop table t1; + +# +# BUG#32111 - Security Breach via DATA/INDEX DIRECORY and RENAME TABLE +# +--replace_result $MYSQL_TEST_DIR TEST_DIR +eval CREATE TABLE t1(a INT) +DATA DIRECTORY='$MYSQL_TEST_DIR/var/master-data/mysql' +INDEX DIRECTORY='$MYSQL_TEST_DIR/var/master-data/mysql'; +--replace_result $MYSQL_TEST_DIR TEST_DIR +--error 1 +RENAME TABLE t1 TO user; +DROP TABLE t1; diff --git a/mysys/my_symlink2.c b/mysys/my_symlink2.c index 913f632fbb4..4d58699412a 100644 --- a/mysys/my_symlink2.c +++ b/mysys/my_symlink2.c @@ -120,6 +120,7 @@ int my_rename_with_symlink(const char *from, const char *to, myf MyFlags) int was_symlink= (!my_disable_symlinks && !my_readlink(link_name, from, MYF(0))); int result=0; + int name_is_different; DBUG_ENTER("my_rename_with_symlink"); if (!was_symlink) @@ -128,6 +129,14 @@ int my_rename_with_symlink(const char *from, const char *to, myf MyFlags) /* Change filename that symlink pointed to */ strmov(tmp_name, to); fn_same(tmp_name,link_name,1); /* Copy dir */ + name_is_different= strcmp(link_name, tmp_name); + if (name_is_different && !access(tmp_name, F_OK)) + { + my_errno= EEXIST; + if (MyFlags & MY_WME) + my_error(EE_CANTCREATEFILE, MYF(0), tmp_name, EEXIST); + DBUG_RETURN(1); + } /* Create new symlink */ if (my_symlink(tmp_name, to, MyFlags)) @@ -139,7 +148,7 @@ int my_rename_with_symlink(const char *from, const char *to, myf MyFlags) the same basename and different directories. */ - if (strcmp(link_name, tmp_name) && my_rename(link_name, tmp_name, MyFlags)) + if (name_is_different && my_rename(link_name, tmp_name, MyFlags)) { int save_errno=my_errno; my_delete(to, MyFlags); /* Remove created symlink */ From 40a78cd3900d72e76edf0e7d9b83b26f1a55811c Mon Sep 17 00:00:00 2001 From: "svoj@mysql.com/june.mysql.com" <> Date: Mon, 12 Nov 2007 15:15:16 +0400 Subject: [PATCH 2/3] After merge fix. --- mysql-test/r/symlink.result | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mysql-test/r/symlink.result b/mysql-test/r/symlink.result index cc54233107a..81798b2dc20 100644 --- a/mysql-test/r/symlink.result +++ b/mysql-test/r/symlink.result @@ -94,7 +94,7 @@ CREATE TABLE t1(a INT) DATA DIRECTORY='TEST_DIR/var/master-data/mysql' INDEX DIRECTORY='TEST_DIR/var/master-data/mysql'; RENAME TABLE t1 TO user; -Can't create/write to file 'TEST_DIR/var/master-data/mysql/user.MYI' (Errcode: 17) +ERROR HY000: Can't create/write to file 'TEST_DIR/var/master-data/mysql/user.MYI' (Errcode: 17) DROP TABLE t1; show create table t1; Table Create Table From ed8f506d29dfdd6547db798dbc468e2ab205d045 Mon Sep 17 00:00:00 2001 From: "svoj@mysql.com/june.mysql.com" <> Date: Mon, 12 Nov 2007 21:52:30 +0400 Subject: [PATCH 3/3] symlink.test, symlink.result: Use proper variable for test. --- mysql-test/r/symlink.result | 6 +++--- mysql-test/t/symlink.test | 8 ++++---- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/mysql-test/r/symlink.result b/mysql-test/r/symlink.result index 81798b2dc20..32dc72b8219 100644 --- a/mysql-test/r/symlink.result +++ b/mysql-test/r/symlink.result @@ -91,10 +91,10 @@ t1 CREATE TABLE `t1` ( ) ENGINE=MyISAM DEFAULT CHARSET=latin1 drop table t1; CREATE TABLE t1(a INT) -DATA DIRECTORY='TEST_DIR/var/master-data/mysql' -INDEX DIRECTORY='TEST_DIR/var/master-data/mysql'; +DATA DIRECTORY='TEST_DIR/master-data/mysql' +INDEX DIRECTORY='TEST_DIR/master-data/mysql'; RENAME TABLE t1 TO user; -ERROR HY000: Can't create/write to file 'TEST_DIR/var/master-data/mysql/user.MYI' (Errcode: 17) +ERROR HY000: Can't create/write to file 'TEST_DIR/master-data/mysql/user.MYI' (Errcode: 17) DROP TABLE t1; show create table t1; Table Create Table diff --git a/mysql-test/t/symlink.test b/mysql-test/t/symlink.test index fb35bd3c130..40127a697ac 100644 --- a/mysql-test/t/symlink.test +++ b/mysql-test/t/symlink.test @@ -121,11 +121,11 @@ drop table t1; # # BUG#32111 - Security Breach via DATA/INDEX DIRECORY and RENAME TABLE # ---replace_result $MYSQL_TEST_DIR TEST_DIR +--replace_result $MYSQLTEST_VARDIR TEST_DIR eval CREATE TABLE t1(a INT) -DATA DIRECTORY='$MYSQL_TEST_DIR/var/master-data/mysql' -INDEX DIRECTORY='$MYSQL_TEST_DIR/var/master-data/mysql'; ---replace_result $MYSQL_TEST_DIR TEST_DIR +DATA DIRECTORY='$MYSQLTEST_VARDIR/master-data/mysql' +INDEX DIRECTORY='$MYSQLTEST_VARDIR/master-data/mysql'; +--replace_result $MYSQLTEST_VARDIR TEST_DIR --error 1 RENAME TABLE t1 TO user; DROP TABLE t1;