Subject: Re: [packagers] Re: MySQL user can be changed to root (fwd)
From: Dmitry V. Levin (ld@altlinux.org)
Date: 03/13/2003 10:50:57 AM
List: com.mysql.lists.packagers

On Thu, Mar 13, 2003 at 06:25:59PM +0100, Sergei Golubchik wrote:

So I am not sure, if we would gain anything here by using fstat()

You'll get a bit more secure code. :)

I cannot see how fstat() can make the code even slightly secure. What is the scenario where changing stat() to fstat() can help?

It's quite a common case: when you call stat before open, there is a race; an attacker with the rights of the mysql user may subvert the file right after the check, and make root follow his evil instructions.

Nope - it's just general words, they do not apply to this case. If an attacker has the rights of mysql, nothing prevents him from altering the file content and setting proper permissions before any check.

Unless the corresponding files and directories are owned by root.

If the attacker owns the directory, he can just subvert the file. If the attacker owns the file, he can subvert its content.

Using fstat together with an st_uid check closes these issues, too.

After all, let's try to avoid potentially raceable constructions.
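
The open-then-fstat() pattern with an st_uid check that this message argues for, as an added example that is not part of the original e-mail or of MySQL's code. The names `open_trusted` and `demo`, the `/tmp` sample path and the extra mode-bit check are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: open first, then check the object the descriptor
 * refers to. With stat(path) followed by open(path) the file can be swapped
 * between check and use; fstat(fd) inspects the file that was really opened.
 * Returns a read-only fd, or -1 if the file is not trusted. */
int open_trusted(const char *path, uid_t owner)
{
    struct stat st;
    /* O_NOFOLLOW: refuse a symlink as last component; O_NONBLOCK: no FIFO hang */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 ||
        !S_ISREG(st.st_mode) ||               /* regular files only */
        st.st_uid != owner ||                 /* the st_uid check from the thread */
        (st.st_mode & (S_IWGRP | S_IWOTH))) { /* assumption: nobody else may write */
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed self-check on a temporary file. Result bits:
 * 1 = expected owner accepted, 2 = wrong owner rejected,
 * 4 = world-writable file rejected, 8 = symlink rejected. */
int demo(void)
{
    char path[] = "/tmp/trustXXXXXX";
    char lnk[sizeof path + 2];
    int r = 0, fd, tmp = mkstemp(path);       /* created with mode 0600, owned by us */
    if (tmp < 0)
        return -1;
    snprintf(lnk, sizeof lnk, "%s.l", path);
    if ((fd = open_trusted(path, geteuid())) >= 0) { r |= 1; close(fd); }
    if (open_trusted(path, geteuid() + 1) < 0) r |= 2;
    if (symlink(path, lnk) == 0 && open_trusted(lnk, geteuid()) < 0) r |= 8;
    if (fchmod(tmp, 0666) == 0 && open_trusted(path, geteuid()) < 0) r |= 4;
    close(tmp); unlink(lnk); unlink(path);
    return r;
}

int main(void) { printf("check mask: 0x%x\n", demo()); return 0; }
```

The helper verifies only the opened file; ownership of the containing directories, which the message also raises, has to be checked separately.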