Just as a followup, I did more testing just to be sure.
If you run the command *as root* ... this will cache the value into mysql somewhere (don't ask me where, I can't say). Once the query is cached, then the same command call made by a non-root account (apache, end user, etc) .. will work. (only for the exact same username/pass, exact same query, on the same db and table). Basically, don't run this command as root at all. Secondly, even with the local-infile=0 set, if you had run the command as root prior to setting it to 0, then same thing shows up, the file is visible (again with the cache).
So this is still a fairly minor thing.. it's impossible for apache or your users to read the mysql.conf in the first place.
The catch is, when you run the command as root, the result then gets cached as that mysql user you've run it as... so when the same thing happens again, it looks like he has root access (he sees what root saw) but he does not actually have root access and cannot initiate the function himself in the first place.
So... again, this is not a monstrous security issue. The fact that the command is cached can be hazardous if you're running that script as root using your user's mysql login/pass.. (and then your user runs the exact same thing later on) So it's more like a self-fulfilling prophecy.. the problem originates when you look for the problem.
Don't run it
It's also important to note that adding the local-infile=0 from the very start will prevent the issue as it blocks the very initial attempt that root makes, meaning none of the confusion can happen in the first place.
I will be adding a default my.cnf file with the basic:
Code:
[mysqld]
local-infile=0
into the setup.sh for new installs only, just as a precaution.
You're welcome to do the same if you want to prevent yourself from running it in the first place. Or basic self control and not running it would work too.
John
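
A way to check whether an existing option file already carries the setting from the post, as an added example that is not part of the post above or of any setup.sh. The function name `local_infile_state` and the sample file are made up for illustration; it reads only the `[mysqld]` group of the one file it is given and does not follow `!include` lines. It accepts the spellings MySQL option files allow (`local_infile`, `skip-`/`disable-`/`loose-` prefixes, `0`/`OFF`/`FALSE`) and lets the last occurrence win.

```shell
#!/bin/sh
# Report the local-infile setting in the [mysqld] group of one option file.
# Prints one of: disabled | enabled | unset
local_infile_state() {
    awk '
    BEGIN { state = "unset"; in_group = 0 }
    { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }        # trim whitespace and CR
    $0 == "" || /^[#;]/ { next }                        # blank line or comment
    /^\[.*\]$/ { in_group = ($0 == "[mysqld]"); next }  # group header
    !in_group { next }
    {
        name = $0; value = ""; has_value = 0
        eq = index($0, "=")
        if (eq > 0) {
            name = substr($0, 1, eq - 1)
            value = substr($0, eq + 1)
            has_value = 1
        }
        sub(/[ \t]*#.*$/, "", value)                    # drop trailing comment
        gsub(/^[ \t]+|[ \t]+$/, "", name)
        gsub(/^[ \t]+|[ \t]+$/, "", value)
        gsub(/_/, "-", name)                            # local_infile equals local-infile
        sub(/^loose-/, "", name)
        value = tolower(value)
        if (name == "skip-local-infile" || name == "disable-local-infile")
            state = "disabled"
        else if (name == "local-infile" || name == "enable-local-infile") {
            if (has_value && (value == "0" || value == "off" || value == "false"))
                state = "disabled"
            else
                state = "enabled"                       # bare option or =1/ON/TRUE
        }
    }
    END { print state }
    ' "$1"
}

# Constructed sample file: the [mysqld] lines are the ones shown in the post.
sample=$(mktemp)
printf '%s\n' '[client]' 'port=3306' '[mysqld]' 'local-infile=0' > "$sample"
echo "local-infile in [mysqld]: $(local_infile_state "$sample")"
rm -f "$sample"
```

A result of `unset` means the file leaves the server on its built-in default, so the line from the post still needs to be added.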