Re: MySQL Security

Aleph One (aleph1@DFW.NET)
Sun, 29 Mar 1998 03:31:17 -0600

On Sun, 29 Mar 1998, Sandu Mihai wrote:

> When you use a certain mysql configuration it is possible to create
> files on the system as root with rw-rw-rw.
> Many MySQL users have included user root from localhost without password
> in their config.
> So, if on such a system you issue:
> mysql -u root test
> you not only will have access to the database but you'll be able to
> create a file on the system with the root
> ownership and rw-rw-rw using the SELECT .. INTO OUTFILE statement.

This is a configuration problem. It can be easily solved by adding a
password and/or changing the file_priv column to 'N' for this user in the
user table in the mysql database. Nonetheless, it is advisable for people
running MySQL to check their configuration for any users with file_priv
that should not have it.

Aleph One / aleph1@dfw.net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
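
The configuration check and fix described in the reply above, written out as an added example that is not part of the original post. It assumes the mysql.user layout the post refers to (Host, User, Password and File_priv columns; MySQL 5.7 and later name the password column authentication_string), and the password value is a placeholder.

```sql
-- Added example (not from the original post): audit and fix for accounts
-- that can write files through SELECT ... INTO OUTFILE.
-- Assumption: mysql.user has Host, User, Password and File_priv columns.

-- 1. Every account holding the FILE privilege, with passwordless
--    accounts sorted first because they need attention soonest.
SELECT Host, User,
       IF(Password = '', 'NO PASSWORD', 'password set') AS password_state
FROM mysql.user
WHERE File_priv = 'Y'
ORDER BY password_state, User, Host;

-- 2. Accounts with an empty password, whatever privileges they hold.
SELECT Host, User
FROM mysql.user
WHERE Password = '';

-- 3. Remove the FILE privilege from the account named in the post.
--    Repeat for any other row from step 1 that should not have it.
UPDATE mysql.user
SET File_priv = 'N'
WHERE User = 'root' AND Host = 'localhost';

-- 4. Give that account a password. The literal below is a placeholder.
UPDATE mysql.user
SET Password = PASSWORD('REPLACE_WITH_STRONG_PASSWORD')
WHERE User = 'root' AND Host = 'localhost';

-- 5. Direct edits to the grant tables take effect only after a reload.
FLUSH PRIVILEGES;

-- 6. Re-run the audit; root@localhost should no longer be listed.
SELECT Host, User
FROM mysql.user
WHERE File_priv = 'Y';
```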