6 messages in com.mysql.lists.bugs: Re: INTO OUTFILE 'filename' creates world writeable files!

| From | Sent On | Attachments |
|---|---|---|
| John Warburton | 19 Mar 2001 19:54 | |
| Michael Widenius | 20 Mar 2001 08:45 | |
| John Warburton | 21 Mar 2001 21:32 | |
| Michael Widenius | 23 Mar 2001 08:16 | |
| John Warburton | 26 Mar 2001 21:12 | |
| Michael Widenius | 27 Mar 2001 00:38 | |

| Subject: | Re: INTO OUTFILE 'filename' creates world writeable files! |
|---|---|
| From: | John Warburton (John...@uniq.com.au) |
| Date: | 03/21/2001 09:32:21 PM |
| List: | com.mysql.lists.bugs |
Hi Monty
Description:
John> I have just installed mysql 3.23.33 on my system and was
John> testing the mysqldump command as per the manual. I have not
John> created any new databases. When I run mysqldump with the --tab
John> option, the *.txt files created are world read/writable.
John> I have traced this back to line 935 of mysqldump.c where the
John> SQL string with the INTO OUTFILE is created.
John> I then ran a simple SQL with INTO OUTFILE and another world
John> writeable file is created.
John> Security problem.
<cut>
> The above is right. As the MySQL server can't create a file that is owned by anyone else than the user it's running as (you should never run mysqld as root), it has to make the file world readable for all so that the user that did mysqldump can read it.
Um, that is not my point. The examples I gave to reproduce the problem and the subject of this bug report is that "SELECT INTO OUTFILE" is creating *world writeable* (not just readable) files. I only found this problem trying to use mysqldump.
> If this is not acceptable for you, you can't use the --tab option. You can always use:
>
> mysql -e 'select * from table_name' database > table_name.txt
I am doing this, but the issue still stands that world writeable files are being created, which in this day and age is unacceptable.
The posting to Bugtraq (http://lists.mysql.com/cgi-ez/ezmlm-cgi?1:mss:36353) that noted how www.apache.org was defaced mentions that "SELECT INTO OUTFILE" can create mode 666 files. The hacker community knows about this & it may be useful to them.
Is this just my problem, or do other people see this?
Regards
John
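Added example, not part of the thread: a small defender-side check for the condition John reports, i.e. regular files under a directory that carry the world-write bit (mode 666 output from INTO OUTFILE or mysqldump --tab), plus the remediation of clearing that bit. The directory argument is an assumption; point it at wherever mysqld writes OUTFILE files on your host. The demo runs on a constructed temporary directory and needs no MySQL server.

```shell
#!/bin/sh
# Added example (not from the thread). Finds regular files under a directory
# with the world-write bit set, counts them, and clears that bit.
# The directory is an assumption: use the MySQL data directory or the
# target directory of your INTO OUTFILE / mysqldump --tab runs.

# Print each world-writable regular file under $1, one per line, sorted.
# -perm -002 matches files whose "other" write bit is set (e.g. mode 666).
find_world_writable() {
    find "$1" -type f -perm -002 2>/dev/null | sort
}

# Number of world-writable regular files under $1 ("0" when none).
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Remediation: remove the world-write bit from every such file under $1.
fix_world_writable() {
    find "$1" -type f -perm -002 -exec chmod o-w {} \;
}

# Demo on a constructed directory that mimics two dump files:
# table_a.txt as the thread reports (mode 666), table_b.txt as expected (644).
demo() {
    d=$(mktemp -d)
    : > "$d/table_a.txt"; chmod 666 "$d/table_a.txt"
    : > "$d/table_b.txt"; chmod 644 "$d/table_b.txt"
    echo "world-writable before fix: $(count_world_writable "$d")"
    find_world_writable "$d"
    fix_world_writable "$d"
    echo "world-writable after fix:  $(count_world_writable "$d")"
    rm -rf "$d"
}
```

Run `demo` to see the constructed case; for a real host, call `find_world_writable /path/to/datadir` from cron or a log-collecting agent and alert on non-empty output.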