Commit 7cb79a65 authored by Arun Kuruvila's avatar Arun Kuruvila Committed by Nawaz Nazeer Ahamed

Bug#24707666: DEFAULT SETTING FOR SECURE-FILE-PRIV SHOULD BE

              RESTRICTED IN ALL GA RELEASES

Back port of WL#6782 to 5.5 and 5.6. This also includes
back port of Bug#20771331, Bug#20741572 and Bug#20770671.
Bug#24695274 and Bug#24679907 are also handled along with
this.
parent 7679f5f6
# Copyright (c) 2010, 2012, Oracle and/or its affiliates. All rights reserved.
# Copyright (c) 2010, 2016, Oracle and/or its affiliates. All rights reserved.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
......@@ -22,7 +22,7 @@
# and relative links. Windows zip uses the same tarball layout but without
# the build prefix.
#
# RPM
# RPM, SLES
# Build as per default RPM layout, with prefix=/usr
# Note: The layout for ULN RPMs differs, see the "RPM" section.
#
......@@ -32,10 +32,22 @@
# SVR4
# Solaris package layout suitable for pkg* tools, prefix=/opt/mysql/mysql
#
# FREEBSD, GLIBC, OSX, TARGZ
# Build with prefix=/usr/local/mysql, create tarball with install prefix="."
# and relative links.
#
# WIN
# Windows zip : same as tarball layout but without the build prefix
#
# To force a directory layout, use -DINSTALL_LAYOUT=<layout>.
#
# The default is STANDALONE.
#
# Note : At present, RPM and SLES layouts are similar. This is also true
# for layouts like FREEBSD, GLIBC, OSX, TARGZ. However, they provide
# opportunity to fine-tune deployment for each platform without
# affecting all other types of deployment.
#
# There is the possibility to further fine-tune installation directories.
# Several variables can be overwritten:
#
......@@ -60,6 +72,7 @@
# - INSTALL_SUPPORTFILESDIR (various extra support files)
#
# - INSTALL_MYSQLDATADIR (data directory)
# - INSTALL_SECURE_FILE_PRIVDIR (--secure-file-priv directory)
#
# When changing this page, _please_ do not forget to update public Wiki
# http://forge.mysql.com/wiki/CMake#Fine-tuning_installation_paths
......@@ -69,10 +82,11 @@ IF(NOT INSTALL_LAYOUT)
ENDIF()
SET(INSTALL_LAYOUT "${DEFAULT_INSTALL_LAYOUT}"
CACHE STRING "Installation directory layout. Options are: STANDALONE (as in zip or tar.gz installer), RPM, DEB, SVR4")
CACHE STRING "Installation directory layout. Options are: TARGZ (as in tar.gz installer), WIN (as in zip installer), STANDALONE, RPM, DEB, SVR4, FREEBSD, GLIBC, OSX, SLES")
IF(UNIX)
IF(INSTALL_LAYOUT MATCHES "RPM")
IF(INSTALL_LAYOUT MATCHES "RPM" OR
INSTALL_LAYOUT MATCHES "SLES")
SET(default_prefix "/usr")
ELSEIF(INSTALL_LAYOUT MATCHES "DEB")
SET(default_prefix "/opt/mysql/server-${MYSQL_BASE_VERSION}")
......@@ -87,7 +101,7 @@ IF(UNIX)
SET(CMAKE_INSTALL_PREFIX ${default_prefix}
CACHE PATH "install prefix" FORCE)
ENDIF()
SET(VALID_INSTALL_LAYOUTS "RPM" "STANDALONE" "DEB" "SVR4")
SET(VALID_INSTALL_LAYOUTS "RPM" "DEB" "SVR4" "FREEBSD" "GLIBC" "OSX" "TARGZ" "SLES" "STANDALONE")
LIST(FIND VALID_INSTALL_LAYOUTS "${INSTALL_LAYOUT}" ind)
IF(ind EQUAL -1)
MESSAGE(FATAL_ERROR "Invalid INSTALL_LAYOUT parameter:${INSTALL_LAYOUT}."
......@@ -99,6 +113,15 @@ IF(UNIX)
MARK_AS_ADVANCED(SYSCONFDIR)
ENDIF()
IF(WIN32)
SET(VALID_INSTALL_LAYOUTS "TARGZ" "STANDALONE" "WIN")
LIST(FIND VALID_INSTALL_LAYOUTS "${INSTALL_LAYOUT}" ind)
IF(ind EQUAL -1)
MESSAGE(FATAL_ERROR "Invalid INSTALL_LAYOUT parameter:${INSTALL_LAYOUT}."
" Choose between ${VALID_INSTALL_LAYOUTS}" )
ENDIF()
ENDIF()
#
# plugin_tests's value should not be used by imported plugins,
# just use if(INSTALL_PLUGINTESTDIR).
......@@ -109,6 +132,22 @@ FILE(GLOB plugin_tests
${CMAKE_SOURCE_DIR}/internal/plugin/*/tests
)
#
# DEFAULT_SECURE_FILE_PRIV_DIR/DEFAULT_SECURE_FILE_PRIV_EMBEDDED_DIR
#
IF(INSTALL_LAYOUT MATCHES "STANDALONE" OR
INSTALL_LAYOUT MATCHES "WIN")
SET(secure_file_priv_path "NULL")
ELSEIF(INSTALL_LAYOUT MATCHES "RPM" OR
INSTALL_LAYOUT MATCHES "SLES" OR
INSTALL_LAYOUT MATCHES "SVR4" OR
INSTALL_LAYOUT MATCHES "DEB")
SET(secure_file_priv_path "/var/lib/mysql-files")
ELSE()
SET(secure_file_priv_path "${default_prefix}/mysql-files")
ENDIF()
SET(secure_file_priv_embedded_path "NULL")
#
# STANDALONE layout
#
......@@ -134,6 +173,148 @@ SET(INSTALL_SUPPORTFILESDIR_STANDALONE "support-files")
#
SET(INSTALL_MYSQLDATADIR_STANDALONE "data")
SET(INSTALL_PLUGINTESTDIR_STANDALONE ${plugin_tests})
SET(INSTALL_SECURE_FILE_PRIVDIR_STANDALONE ${secure_file_priv_path})
SET(INSTALL_SECURE_FILE_PRIV_EMBEDDEDDIR_STANDALONE ${secure_file_priv_embedded_path})
#
# WIN layout
#
SET(INSTALL_BINDIR_WIN "bin")
SET(INSTALL_SBINDIR_WIN "bin")
SET(INSTALL_SCRIPTDIR_WIN "scripts")
#
SET(INSTALL_LIBDIR_WIN "lib")
SET(INSTALL_PLUGINDIR_WIN "lib/plugin")
#
SET(INSTALL_INCLUDEDIR_WIN "include")
#
SET(INSTALL_DOCDIR_WIN "docs")
SET(INSTALL_DOCREADMEDIR_WIN ".")
SET(INSTALL_MANDIR_WIN "man")
SET(INSTALL_INFODIR_WIN "docs")
#
SET(INSTALL_SHAREDIR_WIN "share")
SET(INSTALL_MYSQLSHAREDIR_WIN "share")
SET(INSTALL_MYSQLTESTDIR_WIN "mysql-test")
SET(INSTALL_SQLBENCHDIR_WIN ".")
SET(INSTALL_SUPPORTFILESDIR_WIN "support-files")
#
SET(INSTALL_MYSQLDATADIR_WIN "data")
SET(INSTALL_PLUGINTESTDIR_WIN ${plugin_tests})
SET(INSTALL_SECURE_FILE_PRIVDIR_WIN ${secure_file_priv_path})
SET(INSTALL_SECURE_FILE_PRIV_EMBEDDEDDIR_WIN ${secure_file_priv_embedded_path})
#
# FREEBSD layout
#
SET(INSTALL_BINDIR_FREEBSD "bin")
SET(INSTALL_SBINDIR_FREEBSD "bin")
SET(INSTALL_SCRIPTDIR_FREEBSD "scripts")
#
SET(INSTALL_LIBDIR_FREEBSD "lib")
SET(INSTALL_PLUGINDIR_FREEBSD "lib/plugin")
#
SET(INSTALL_INCLUDEDIR_FREEBSD "include")
#
SET(INSTALL_DOCDIR_FREEBSD "docs")
SET(INSTALL_DOCREADMEDIR_FREEBSD ".")
SET(INSTALL_MANDIR_FREEBSD "man")
SET(INSTALL_INFODIR_FREEBSD "docs")
#
SET(INSTALL_SHAREDIR_FREEBSD "share")
SET(INSTALL_MYSQLSHAREDIR_FREEBSD "share")
SET(INSTALL_MYSQLTESTDIR_FREEBSD "mysql-test")
SET(INSTALL_SQLBENCHDIR_FREEBSD ".")
SET(INSTALL_SUPPORTFILESDIR_FREEBSD "support-files")
#
SET(INSTALL_MYSQLDATADIR_FREEBSD "data")
SET(INSTALL_PLUGINTESTDIR_FREEBSD ${plugin_tests})
SET(INSTALL_SECURE_FILE_PRIVDIR_FREEBSD ${secure_file_priv_path})
SET(INSTALL_SECURE_FILE_PRIV_EMBEDDEDDIR_FREEBSD ${secure_file_priv_embedded_path})
#
# GLIBC layout
#
SET(INSTALL_BINDIR_GLIBC "bin")
SET(INSTALL_SBINDIR_GLIBC "bin")
SET(INSTALL_SCRIPTDIR_GLIBC "scripts")
#
SET(INSTALL_LIBDIR_GLIBC "lib")
SET(INSTALL_PLUGINDIR_GLIBC "lib/plugin")
#
SET(INSTALL_INCLUDEDIR_GLIBC "include")
#
SET(INSTALL_DOCDIR_GLIBC "docs")
SET(INSTALL_DOCREADMEDIR_GLIBC ".")
SET(INSTALL_MANDIR_GLIBC "man")
SET(INSTALL_INFODIR_GLIBC "docs")
#
SET(INSTALL_SHAREDIR_GLIBC "share")
SET(INSTALL_MYSQLSHAREDIR_GLIBC "share")
SET(INSTALL_MYSQLTESTDIR_GLIBC "mysql-test")
SET(INSTALL_SQLBENCHDIR_GLIBC ".")
SET(INSTALL_SUPPORTFILESDIR_GLIBC "support-files")
#
SET(INSTALL_MYSQLDATADIR_GLIBC "data")
SET(INSTALL_PLUGINTESTDIR_GLIBC ${plugin_tests})
SET(INSTALL_SECURE_FILE_PRIVDIR_GLIBC ${secure_file_priv_path})
SET(INSTALL_SECURE_FILE_PRIV_EMBEDDEDDIR_GLIBC ${secure_file_priv_embedded_path})
#
# OSX layout
#
SET(INSTALL_BINDIR_OSX "bin")
SET(INSTALL_SBINDIR_OSX "bin")
SET(INSTALL_SCRIPTDIR_OSX "scripts")
#
SET(INSTALL_LIBDIR_OSX "lib")
SET(INSTALL_PLUGINDIR_OSX "lib/plugin")
#
SET(INSTALL_INCLUDEDIR_OSX "include")
#
SET(INSTALL_DOCDIR_OSX "docs")
SET(INSTALL_DOCREADMEDIR_OSX ".")
SET(INSTALL_MANDIR_OSX "man")
SET(INSTALL_INFODIR_OSX "docs")
#
SET(INSTALL_SHAREDIR_OSX "share")
SET(INSTALL_MYSQLSHAREDIR_OSX "share")
SET(INSTALL_MYSQLTESTDIR_OSX "mysql-test")
SET(INSTALL_SQLBENCHDIR_OSX ".")
SET(INSTALL_SUPPORTFILESDIR_OSX "support-files")
#
SET(INSTALL_MYSQLDATADIR_OSX "data")
SET(INSTALL_PLUGINTESTDIR_OSX ${plugin_tests})
SET(INSTALL_SECURE_FILE_PRIVDIR_OSX ${secure_file_priv_path})
SET(INSTALL_SECURE_FILE_PRIV_EMBEDDEDDIR_OSX ${secure_file_priv_embedded_path})
#
# TARGZ layout
#
SET(INSTALL_BINDIR_TARGZ "bin")
SET(INSTALL_SBINDIR_TARGZ "bin")
SET(INSTALL_SCRIPTDIR_TARGZ "scripts")
#
SET(INSTALL_LIBDIR_TARGZ "lib")
SET(INSTALL_PLUGINDIR_TARGZ "lib/plugin")
#
SET(INSTALL_INCLUDEDIR_TARGZ "include")
#
SET(INSTALL_DOCDIR_TARGZ "docs")
SET(INSTALL_DOCREADMEDIR_TARGZ ".")
SET(INSTALL_MANDIR_TARGZ "man")
SET(INSTALL_INFODIR_TARGZ "docs")
#
SET(INSTALL_SHAREDIR_TARGZ "share")
SET(INSTALL_MYSQLSHAREDIR_TARGZ "share")
SET(INSTALL_MYSQLTESTDIR_TARGZ "mysql-test")
SET(INSTALL_SQLBENCHDIR_TARGZ ".")
SET(INSTALL_SUPPORTFILESDIR_TARGZ "support-files")
#
SET(INSTALL_MYSQLDATADIR_TARGZ "data")
SET(INSTALL_PLUGINTESTDIR_TARGZ ${plugin_tests})
SET(INSTALL_SECURE_FILE_PRIVDIR_TARGZ ${secure_file_priv_path})
SET(INSTALL_SECURE_FILE_PRIV_EMBEDDEDDIR_TARGZ ${secure_file_priv_embedded_path})
#
# RPM layout
......@@ -169,6 +350,41 @@ SET(INSTALL_SUPPORTFILESDIR_RPM "share/mysql")
#
SET(INSTALL_MYSQLDATADIR_RPM "/var/lib/mysql")
SET(INSTALL_PLUGINTESTDIR_RPM ${plugin_tests})
SET(INSTALL_SECURE_FILE_PRIVDIR_RPM ${secure_file_priv_path})
SET(INSTALL_SECURE_FILE_PRIV_EMBEDDEDDIR_RPM ${secure_file_priv_embedded_path})
#
# SLES layout
#
SET(INSTALL_BINDIR_SLES "bin")
SET(INSTALL_SBINDIR_SLES "sbin")
SET(INSTALL_SCRIPTDIR_SLES "bin")
#
IF(CMAKE_SYSTEM_PROCESSOR MATCHES "x86_64")
SET(INSTALL_LIBDIR_SLES "lib64")
SET(INSTALL_PLUGINDIR_SLES "lib64/mysql/plugin")
ELSE()
SET(INSTALL_LIBDIR_SLES "lib")
SET(INSTALL_PLUGINDIR_SLES "lib/mysql/plugin")
ENDIF()
#
SET(INSTALL_INCLUDEDIR_SLES "include/mysql")
#
#SET(INSTALL_DOCDIR_SLES unset - installed directly by SLES)
#SET(INSTALL_DOCREADMEDIR_SLES unset - installed directly by SLES)
SET(INSTALL_INFODIR_SLES "share/info")
SET(INSTALL_MANDIR_SLES "share/man")
#
SET(INSTALL_SHAREDIR_SLES "share")
SET(INSTALL_MYSQLSHAREDIR_SLES "share/mysql")
SET(INSTALL_MYSQLTESTDIR_SLES "share/mysql-test")
SET(INSTALL_SQLBENCHDIR_SLES "")
SET(INSTALL_SUPPORTFILESDIR_SLES "share/mysql")
#
SET(INSTALL_MYSQLDATADIR_SLES "/var/lib/mysql")
SET(INSTALL_PLUGINTESTDIR_SLES ${plugin_tests})
SET(INSTALL_SECURE_FILE_PRIVDIR_SLES ${secure_file_priv_path})
SET(INSTALL_SECURE_FILE_PRIV_EMBEDDEDDIR_SLES ${secure_file_priv_embedded_path})
#
# DEB layout
......@@ -193,8 +409,10 @@ SET(INSTALL_MYSQLTESTDIR_DEB "mysql-test")
SET(INSTALL_SQLBENCHDIR_DEB ".")
SET(INSTALL_SUPPORTFILESDIR_DEB "support-files")
#
SET(INSTALL_MYSQLDATADIR_DEB "data")
SET(INSTALL_MYSQLDATADIR_DEB "/var/lib/mysql")
SET(INSTALL_PLUGINTESTDIR_DEB ${plugin_tests})
SET(INSTALL_SECURE_FILE_PRIVDIR_DEB ${secure_file_priv_path})
SET(INSTALL_SECURE_FILE_PRIV_EMBEDDEDDIR_DEB ${secure_file_priv_embedded_path})
#
# SVR4 layout
......@@ -221,7 +439,8 @@ SET(INSTALL_SUPPORTFILESDIR_SVR4 "support-files")
#
SET(INSTALL_MYSQLDATADIR_SVR4 "/var/lib/mysql")
SET(INSTALL_PLUGINTESTDIR_SVR4 ${plugin_tests})
SET(INSTALL_SECURE_FILE_PRIVDIR_SVR4 ${secure_file_priv_path})
SET(INSTALL_SECURE_FILE_PRIV_EMBEDDEDDIR_SVR4 ${secure_file_priv_embedded_path})
# Clear cached variables if install layout was changed
IF(OLD_INSTALL_LAYOUT)
......@@ -235,8 +454,29 @@ SET(OLD_INSTALL_LAYOUT ${INSTALL_LAYOUT} CACHE INTERNAL "")
# will be defined as ${INSTALL_BINDIR_STANDALONE} by default if STANDALONE
# layout is chosen)
FOREACH(var BIN SBIN LIB MYSQLSHARE SHARE PLUGIN INCLUDE SCRIPT DOC MAN
INFO MYSQLTEST SQLBENCH DOCREADME SUPPORTFILES MYSQLDATA PLUGINTEST)
INFO MYSQLTEST SQLBENCH DOCREADME SUPPORTFILES MYSQLDATA PLUGINTEST
SECURE_FILE_PRIV SECURE_FILE_PRIV_EMBEDDED)
SET(INSTALL_${var}DIR ${INSTALL_${var}DIR_${INSTALL_LAYOUT}}
CACHE STRING "${var} installation directory" ${FORCE})
MARK_AS_ADVANCED(INSTALL_${var}DIR)
ENDFOREACH()
#
# Set DEFAULT_SECURE_FILE_PRIV_DIR
# This is used as default value for --secure-file-priv
#
IF(INSTALL_SECURE_FILE_PRIVDIR)
SET(DEFAULT_SECURE_FILE_PRIV_DIR "\"${INSTALL_SECURE_FILE_PRIVDIR}\""
CACHE INTERNAL "default --secure-file-priv directory" FORCE)
ELSE()
SET(DEFAULT_SECURE_FILE_PRIV_DIR \"\"
CACHE INTERNAL "default --secure-file-priv directory" FORCE)
ENDIF()
IF(INSTALL_SECURE_FILE_PRIV_EMBEDDEDDIR)
SET(DEFAULT_SECURE_FILE_PRIV_EMBEDDED_DIR "\"${INSTALL_SECURE_FILE_PRIV_EMBEDDEDDIR}\""
CACHE INTERNAL "default --secure-file-priv directory (for embedded library)" FORCE)
ELSE()
SET(DEFAULT_SECURE_FILE_PRIV_EMBEDDED_DIR "NULL"
CACHE INTERNAL "default --secure-file-priv directory (for embedded library)" FORCE)
ENDIF()
......@@ -624,4 +624,8 @@
#cmakedefine SIZEOF_TIME_T @SIZEOF_TIME_T@
#cmakedefine TIME_T_UNSIGNED @TIME_T_UNSIGNED@
/* For --secure-file-priv */
#cmakedefine DEFAULT_SECURE_FILE_PRIV_DIR @DEFAULT_SECURE_FILE_PRIV_DIR@
#cmakedefine DEFAULT_SECURE_FILE_PRIV_EMBEDDED_DIR @DEFAULT_SECURE_FILE_PRIV_EMBEDDED_DIR@
#endif
-- Copyright (c) 2008, 2011, Oracle and/or its affiliates. All rights reserved.
-- Copyright (c) 2008, 2016, Oracle and/or its affiliates. All rights reserved.
--
-- This program is free software; you can redistribute it and/or modify
-- it under the terms of the GNU General Public License as published by
......@@ -204,6 +204,11 @@ INSERT INTO global_suppressions VALUES
*/
("Found lock of type 6 that is write and read locked"),
/*
Warnings related to --secure-file-priv
*/
("Insecure configuration for --secure-file-priv:*"),
("THE_LAST_SUPPRESSION")||
......
......@@ -18,7 +18,8 @@ perl;
# their paths may vary:
@skipvars=qw/basedir open-files-limit general-log-file log plugin-dir
log-slow-queries pid-file slow-query-log-file
datadir slave-load-tmpdir tmpdir socket/;
datadir slave-load-tmpdir tmpdir socket
secure-file-priv/;
# Plugins which may or may not be there:
@plugins=qw/innodb ndb archive blackhole federated partition ndbcluster debug temp-pool ssl des-key-file
......
#!/usr/bin/perl
# -*- cperl -*-
# Copyright (c) 2004, 2015, Oracle and/or its affiliates. All rights reserved.
# Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
......@@ -1823,6 +1823,7 @@ sub collect_mysqld_features {
mtr_init_args(\$args);
mtr_add_arg($args, "--no-defaults");
mtr_add_arg($args, "--datadir=%s", mixed_path($tmpdir));
mtr_add_arg($args, "--secure-file-priv=\"\"");
mtr_add_arg($args, "--lc-messages-dir=%s", $path_language);
mtr_add_arg($args, "--skip-grant-tables");
mtr_add_arg($args, "--verbose");
......@@ -3297,6 +3298,7 @@ sub mysql_install_db {
mtr_add_arg($args, "--loose-skip-falcon");
mtr_add_arg($args, "--loose-skip-ndbcluster");
mtr_add_arg($args, "--tmpdir=%s", "$opt_vardir/tmp/");
mtr_add_arg($args, "--secure-file-priv=%s", "$opt_vardir");
mtr_add_arg($args, "--core-file");
if ( $opt_debug )
......
......@@ -923,7 +923,6 @@ report-user (No default value)
rpl-recovery-rank 0
safe-user-create FALSE
secure-auth FALSE
secure-file-priv (No default value)
server-id 0
show-slave-auth-info FALSE
skip-grant-tables TRUE
......
......@@ -931,7 +931,6 @@ report-user (No default value)
rpl-recovery-rank 0
safe-user-create FALSE
secure-auth FALSE
secure-file-priv (No default value)
server-id 0
shared-memory FALSE
shared-memory-base-name MYSQL
......
#-----------------------------------------------------------------------
# Setup
# Try to restart server with invalid value for --secure-file-priv
# Search for : Failed to access directory for --secure-file-priv.
# Restart completed.
# Restart
#-----------------------------------------------------------------------
#-----------------------------------------------------------------------
# Setup
#-----------------------------------------------------------------------
# Search for : --secure-file-priv is set to NULL. Operations
# related to importing and exporting data are
# disabled
show variables like 'secure_file_priv';
Variable_name Value
secure_file_priv null
use test;
drop table if exists secure_file_priv_test_null;
create table secure_file_priv_test_null(c1 int);
insert into secure_file_priv_test_null values (1), (2), (3), (4);
select * from secure_file_priv_test_null into outfile 'blah';
ERROR HY000: The MySQL server is running with the --secure-file-priv option so it cannot execute this statement
select * from secure_file_priv_test_null into outfile 'null/blah';
ERROR HY000: The MySQL server is running with the --secure-file-priv option so it cannot execute this statement
drop table secure_file_priv_test_null;
#-----------------------------------------------------------------------
# Clean-up
#-----------------------------------------------------------------------
#-----------------------------------------------------------------------
# Setup
#-----------------------------------------------------------------------
# Search for : Insecure configuration for --secure-file-priv: Current
# value does not restrict location of generated files.
# Consider setting it to a valid, non-empty path.
SHOW VARIABLES LIKE 'secure_file_priv';
Variable_name Value
secure_file_priv
#-----------------------------------------------------------------------
# Restart completed.
# Search for : Insecure configuration for --secure-file-priv: Plugin
# directory is accessible through --secure-file-priv.
# Consider choosing a different directory.
#-----------------------------------------------------------------------
# Clean-up
#-----------------------------------------------------------------------
#-----------------------------------------------------------------------
# Search for : Insecure configuration for --secure-file-priv: Data
# directory is accessible through --secure-file-priv.
# Consider choosing a different directory.
#-----------------------------------------------------------------------
# Search for : Insecure configuration for --secure-file-priv: Location
# is accessible to all OS users. Consider choosing a
# different directory.
#-----------------------------------------------------------------------
#-----------------------------------------------------------------------
# Test 2 : Restarting mysqld with :
# --secure-file-priv=MYSQLTEST_VARDIR/mysqld.1/Data
# Restart completed.
# Search for : Insecure configuration for --secure-file-priv: Data
# directory is accessible through --secure-file-priv.
# Consider choosing a different directory.
#-----------------------------------------------------------------------
--source include/no_valgrind_without_big.inc
--source include/not_embedded.inc
--echo #-----------------------------------------------------------------------
--echo # Setup
let restart_log= $MYSQLTEST_VARDIR/log/my_restart.err;
let SEARCH_FILE= $restart_log;
let $restart_file= $MYSQLTEST_VARDIR/tmp/mysqld.1.expect;
--echo # Try to restart server with invalid value for --secure-file-priv
--exec echo "wait" > $restart_file
--shutdown_server
--source include/wait_until_disconnected.inc
--error 0,1
--remove_file $restart_log
# Following should fail
--error 1
--exec $MYSQLD_CMD --secure-file-priv=blahblahblah --loose-console > $restart_log 2>&1
--echo # Search for : Failed to access directory for --secure-file-priv.
let SEARCH_PATTERN= Failed to access directory for --secure-file-priv;
--source include/search_pattern_in_file.inc
--remove_file $restart_log
--source include/wait_until_disconnected.inc
# Dummy argument for restart
--exec echo "restart:" > $MYSQLTEST_VARDIR/tmp/mysqld.1.expect
--enable_reconnect
--source include/wait_until_connected_again.inc
--disable_reconnect
--echo # Restart completed.
--echo # Restart
--disable_warnings
--source include/force_restart.inc
--enable_warnings
--echo #-----------------------------------------------------------------------
--source include/no_valgrind_without_big.inc
--source include/not_embedded.inc
--echo #-----------------------------------------------------------------------
--echo # Setup
let server_log= $MYSQLTEST_VARDIR/log/mysqld.1.err;
let SEARCH_FILE= $server_log;
let $restart_file= $MYSQLTEST_VARDIR/tmp/mysqld.1.expect;
--echo #-----------------------------------------------------------------------
--echo # Search for : --secure-file-priv is set to NULL. Operations
--echo # related to importing and exporting data are
--echo # disabled
let SEARCH_PATTERN= --secure-file-priv is set to NULL. Operations related to importing and exporting data are disabled;
--source include/search_pattern_in_file.inc
connect(test4_con,localhost,root,,,,,);
show variables like 'secure_file_priv';
use test;
--disable_warnings
drop table if exists secure_file_priv_test_null;
--enable_warnings
create table secure_file_priv_test_null(c1 int);
insert into secure_file_priv_test_null values (1), (2), (3), (4);
--error 1290
select * from secure_file_priv_test_null into outfile 'blah';
--error 1290
select * from secure_file_priv_test_null into outfile 'null/blah';
drop table secure_file_priv_test_null;
connection default;
disconnect test4_con;
--echo #-----------------------------------------------------------------------
--echo # Clean-up
--disable_warnings
--source include/force_restart.inc
--enable_warnings
--echo #-----------------------------------------------------------------------
--source include/no_valgrind_without_big.inc
--source include/not_embedded.inc
--echo #-----------------------------------------------------------------------
--echo # Setup
let server_log= $MYSQLTEST_VARDIR/log/mysqld.1.err;
let SEARCH_FILE= $server_log;
let $restart_file= $MYSQLTEST_VARDIR/tmp/mysqld.1.expect;
let PLUGIN_DIR= $MYSQLTEST_VARDIR/tmp;
--echo #-----------------------------------------------------------------------
--echo # Search for : Insecure configuration for --secure-file-priv: Current
--echo # value does not restrict location of generated files.
--echo # Consider setting it to a valid, non-empty path.
let SEARCH_PATTERN= Insecure configuration for --secure-file-priv: Current value does not restrict location of generated files. Consider setting it to a valid, non-empty path.;
--source include/search_pattern_in_file.inc
# Must show empty string
SHOW VARIABLES LIKE 'secure_file_priv';
--echo #-----------------------------------------------------------------------
let $restart_file= $MYSQLTEST_VARDIR/tmp/mysqld.1.expect;
--exec echo "wait" > $restart_file
--shutdown_server
--source include/wait_until_disconnected.inc
--remove_file $server_log
--exec echo "restart:--plugin-dir=$PLUGIN_DIR --secure-file-priv=$PLUGIN_DIR" > $MYSQLTEST_VARDIR/tmp/mysqld.1.expect
--enable_reconnect
--source include/wait_until_connected_again.inc
--disable_reconnect
--echo # Restart completed.
--echo # Search for : Insecure configuration for --secure-file-priv: Plugin
--echo # directory is accessible through --secure-file-priv.
--echo # Consider choosing a different directory.
let SEARCH_PATTERN= Insecure configuration for --secure-file-priv: Plugin directory is accessible through --secure-file-priv. Consider choosing a different directory.;
--source include/search_pattern_in_file.inc
--echo #-----------------------------------------------------------------------
--echo # Clean-up
--disable_warnings
--source include/force_restart.inc
--enable_warnings
--echo #-----------------------------------------------------------------------
--source include/no_valgrind_without_big.inc
--source include/not_windows.inc
--source include/not_embedded.inc
let server_log= $MYSQLTEST_VARDIR/log/mysqld.1.err;
let SEARCH_FILE= $server_log;
--echo #-----------------------------------------------------------------------
--echo # Search for : Insecure configuration for --secure-file-priv: Data
--echo # directory is accessible through --secure-file-priv.
--echo # Consider choosing a different directory.
let SEARCH_PATTERN= Insecure configuration for --secure-file-priv: Data directory is accessible through --secure-file-priv. Consider choosing a different directory.;
--source include/search_pattern_in_file.inc
--echo #-----------------------------------------------------------------------
--echo # Search for : Insecure configuration for --secure-file-priv: Location
--echo # is accessible to all OS users. Consider choosing a
--echo # different directory.
let SEARCH_PATTERN= Insecure configuration for --secure-file-priv: Location is accessible to all OS users. Consider choosing a different directory.;
--source include/search_pattern_in_file.inc
--echo #-----------------------------------------------------------------------
--source include/no_valgrind_without_big.inc
--source include/windows.inc
--source include/not_embedded.inc
let server_log= $MYSQLTEST_VARDIR/log/mysqld.1.err;
let SEARCH_FILE= $server_log;
--echo #-----------------------------------------------------------------------
--echo # Test 2 : Restarting mysqld with :
--echo # --secure-file-priv=MYSQLTEST_VARDIR/mysqld.1/Data
let $restart_file= $MYSQLTEST_VARDIR/tmp/mysqld.1.expect;
--exec echo "wait" > $restart_file
--shutdown_server
--source include/wait_until_disconnected.inc
--error 0,1
--remove_file $server_log
--exec echo "restart: --secure-file-priv=$MYSQLTEST_VARDIR/mysqld.1/Data" > $MYSQLTEST_VARDIR/tmp/mysqld.1.expect
--enable_reconnect
--source include/wait_until_connected_again.inc
--disable_reconnect
--echo # Restart completed.
--echo # Search for : Insecure configuration for --secure-file-priv: Data
--echo # directory is accessible through --secure-file-priv.
--echo # Consider choosing a different directory.
let SEARCH_PATTERN= Insecure configuration for --secure-file-priv: Data directory is accessible through --secure-file-priv. Consider choosing a different directory.;
--source include/search_pattern_in_file.inc
--disable_warnings
--source include/force_restart.inc
--enable_warnings
--echo #-----------------------------------------------------------------------
......@@ -30,6 +30,12 @@ install_db () {
if [ -x /usr/sbin/restorecon ]; then
/usr/sbin/restorecon "$datadir"
/usr/sbin/restorecon $log
for dir in /var/lib/mysql-files ; do
if [ -x /usr/sbin/semanage -a -d /var/lib/mysql -a -d $dir ] ; then
/usr/sbin/semanage fcontext -a -e /var/lib/mysql $dir >/dev/null 2>&1
/sbin/restorecon $dir
fi
done
fi
# If special mysql dir is in place, skip db install
......
......@@ -82,7 +82,15 @@ start(){
fi
chown mysql:mysql "$datadir"
chmod 0755 "$datadir"
[ -x /sbin/restorecon ] && /sbin/restorecon "$datadir"
if [ -x /sbin/restorecon ]; then
/sbin/restorecon "$datadir"
for dir in /var/lib/mysql-files ; do
if [ -x /usr/sbin/semanage -a -d /var/lib/mysql -a -d $dir ] ; then
/usr/sbin/semanage fcontext -a -e /var/lib/mysql $dir >/dev/null 2>&1
/sbin/restorecon $dir
fi
done
fi
# Now create the database
action $"Initializing MySQL database: " /usr/bin/mysql_install_db --rpm --datadir="$datadir" --user=mysql
ret=$?
......
......@@ -560,6 +560,7 @@ MBD=$RPM_BUILD_DIR/%{src_dir}
install -d -m 0755 %{buildroot}%{_datadir}/mysql/SELinux/RHEL4
install -d -m 0755 %{buildroot}/var/lib/mysql
install -d -m 0755 %{buildroot}/var/run/mysqld
install -d -m 0750 %{buildroot}/var/lib/mysql-files
# Install all binaries
cd $MBD/release
......@@ -790,6 +791,7 @@ fi
%attr(644, root, root) %config(noreplace,missingok) %{_sysconfdir}/logrotate.d/mysql
%dir %attr(755, mysql, mysql) /var/lib/mysql
%dir %attr(755, mysql, mysql) /var/run/mysqld
%dir %attr(750, mysql, mysql) /var/lib/mysql-files
%files common
%defattr(-, root, root, -)
......@@ -916,6 +918,9 @@ fi
%endif
%changelog
* Mon Sep 26 2016 Balasubramanian Kandasamy <balasubramanian.kandasamy@oracle.com> - 5.5.53-1
- Include mysql-files directory
* Tue Jul 05 2016 Balasubramanian Kandasamy <balasubramanian.kandasamy@oracle.com> - 5.5.51-1
- Remove mysql_config from client subpackage
......
......@@ -425,6 +425,7 @@ MBD=$RPM_BUILD_DIR/%{src_dir}
install -d -m 0755 %{buildroot}/var/lib/mysql
install -d -m 0755 %{buildroot}/var/run/mysql
install -d -m 0750 %{buildroot}/var/log/mysql
install -d -m 0750 %{buildroot}/var/lib/mysql-files
# Install all binaries
cd $MBD/release
......@@ -638,6 +639,7 @@ fi
%dir %attr(755, mysql, mysql) /var/lib/mysql
%dir %attr(755, mysql, mysql) /var/run/mysql
%dir %attr(750, mysql, mysql) /var/log/mysql
%dir %attr(750, mysql, mysql) /var/lib/mysql-files
%files common
%defattr(-, root, root, -)
......@@ -783,6 +785,9 @@ fi
%attr(755, root, root) %{_libdir}/mysql/libmysqld.so
%changelog
* Mon Sep 26 2016 Balasubramanian Kandasamy <balasubramanian.kandasamy@oracle.com> - 5.5.53-1
- Include mysql-files directory
* Tue Sep 29 2015 Balasubramanian Kandasamy <balasubramanian.kandasamy@oracle.com> - 5.5.47-1
- Added conflicts to mysql-connector-c-shared dependencies
......
#!/bin/sh
#
# Copyright (c) 2008, 2013, Oracle and/or its affiliates. All rights reserved.
# Copyright (c) 2008, 2016, Oracle and/or its affiliates. All rights reserved.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
......@@ -26,6 +26,7 @@ mygroup=mysql
myuser=mysql
mydatadir=/var/lib/mysql
basedir=@@basedir@@
mysecurefiledir=/var/lib/mysql-files
if [ -n "$BASEDIR" ] ; then
basedir="$BASEDIR"
......@@ -58,6 +59,11 @@ fi
chown -R $myuser:$mygroup $mydatadir
# Create securefile directory
[ -d "$mysecurefiledir" ] || mkdir -p -m 770 "$mysecurefiledir" || exit 1
chown -R $myuser:$mygroup $mysecurefiledir
# Solaris patch 119255 (somewhere around revision 42) changes the behaviour
# of pkgadd to set TMPDIR internally to a root-owned install directory. This
# has the unfortunate side effect of breaking running mysql_install_db with
......
......@@ -570,6 +570,7 @@ uint mysql_real_data_home_len, mysql_data_home_len= 1;
uint reg_ext_length;
const key_map key_map_empty(0);
key_map key_map_full(0); // Will be initialized later
char secure_file_real_path[FN_REFLEN];
DATE_TIME_FORMAT global_date_format, global_datetime_format, global_time_format;
Time_zone *default_tz;
......@@ -7598,9 +7599,9 @@ bool is_secure_file_path(char *path)
char buff1[FN_REFLEN], buff2[FN_REFLEN];
size_t opt_secure_file_priv_len;
/*
All paths are secure if opt_secure_file_path is 0
All paths are secure if opt_secure_file_priv is 0
*/
if (!opt_secure_file_priv)
if (!opt_secure_file_priv[0])
return TRUE;
opt_secure_file_priv_len= strlen(opt_secure_file_priv);
......@@ -7608,6 +7609,9 @@ bool is_secure_file_path(char *path)
if (strlen(path) >= FN_REFLEN)
return FALSE;
if (!my_strcasecmp(system_charset_info, opt_secure_file_priv, "NULL"))
return FALSE;
if (my_realpath(buff1, path, 0))
{
/*
......@@ -7640,9 +7644,184 @@ bool is_secure_file_path(char *path)
}
/**
check_secure_file_priv_path : Checks path specified through
--secure-file-priv and raises warning in following cases:
1. If path is empty string or NULL and mysqld is not running
with --bootstrap mode.
2. If path can access data directory
3. If path points to a directory which is accessible by
all OS users (non-Windows build only)
It throws error in following cases:
1. If path normalization fails
2. If it can not get stats of the directory
@params NONE
Assumptions :
1. Data directory path has been normalized
2. opt_secure_file_priv has been normalized unless it is set
to "NULL".
@returns Status of validation
@retval true : Validation is successful with/without warnings
@retval false : Validation failed. Error is raised.
*/
bool check_secure_file_priv_path()
{
char datadir_buffer[FN_REFLEN+1]={0};
char plugindir_buffer[FN_REFLEN+1]={0};
char whichdir[20]= {0};
size_t opt_plugindir_len= 0;
size_t opt_datadir_len= 0;
size_t opt_secure_file_priv_len= 0;
bool warn= false;
bool case_insensitive_fs;
#ifndef _WIN32
MY_STAT dir_stat;
#endif
if (!opt_secure_file_priv[0])
{
if (opt_bootstrap)
{
/*
Do not impose --secure-file-priv restriction
in --bootstrap mode
*/
sql_print_information("Ignoring --secure-file-priv value as server is "
"running with --bootstrap.");
}
else
{
sql_print_warning("Insecure configuration for --secure-file-priv: "
"Current value does not restrict location of generated "
"files. Consider setting it to a valid, "
"non-empty path.");
}
return true;
}
/*
Setting --secure-file-priv to NULL would disable
reading/writing from/to file
*/
if(!my_strcasecmp(system_charset_info, opt_secure_file_priv, "NULL"))
{
sql_print_information("--secure-file-priv is set to NULL. "
"Operations related to importing and exporting "
"data are disabled");
return true;
}
/*
Check if --secure-file-priv can access data directory
*/
opt_secure_file_priv_len= strlen(opt_secure_file_priv);
/*
Adds dir seperator at the end.
This is required in subsequent comparison
*/
convert_dirname(datadir_buffer, mysql_unpacked_real_data_home, NullS);
opt_datadir_len= strlen(datadir_buffer);
case_insensitive_fs=
(test_if_case_insensitive(datadir_buffer) == 1);
if (!case_insensitive_fs)
{
if (!strncmp(datadir_buffer, opt_secure_file_priv,
opt_datadir_len < opt_secure_file_priv_len ?
opt_datadir_len : opt_secure_file_priv_len))
{
warn= true;
strcpy(whichdir, "Data directory");
}
}
else
{
if (!files_charset_info->coll->strnncoll(files_charset_info,
(uchar *) datadir_buffer,
opt_datadir_len,
(uchar *) opt_secure_file_priv,
opt_secure_file_priv_len,
TRUE))
{
warn= true;
strcpy(whichdir, "Data directory");
}
}
/*
Don't bother comparing --secure-file-priv with --plugin-dir
if we already have a match against --datadir or
--plugin-dir is not pointing to a valid directory.
*/
if (!warn && !my_realpath(plugindir_buffer, opt_plugin_dir, 0))
{
convert_dirname(plugindir_buffer, plugindir_buffer, NullS);
opt_plugindir_len= strlen(plugindir_buffer);
if (!case_insensitive_fs)
{
if (!strncmp(plugindir_buffer, opt_secure_file_priv,
opt_plugindir_len < opt_secure_file_priv_len ?
opt_plugindir_len : opt_secure_file_priv_len))
{
warn= true;
strcpy(whichdir, "Plugin directory");
}
}
else
{
if (!files_charset_info->coll->strnncoll(files_charset_info,
(uchar *) plugindir_buffer,
opt_plugindir_len,
(uchar *) opt_secure_file_priv,
opt_secure_file_priv_len,
TRUE))
{
warn= true;
strcpy(whichdir, "Plugin directory");
}
}
}
if (warn)
sql_print_warning("Insecure configuration for --secure-file-priv: "
"%s is accessible through "
"--secure-file-priv. Consider choosing a different "
"directory.", whichdir);
#ifndef _WIN32
/*
Check for --secure-file-priv directory's permission
*/
if (!(my_stat(opt_secure_file_priv, &dir_stat, MYF(0))))
{
sql_print_error("Failed to get stat for directory pointed out "
"by --secure-file-priv");
return false;
}
if (dir_stat.st_mode & S_IRWXO)
sql_print_warning("Insecure configuration for --secure-file-priv: "
"Location is accessible to all OS users. "
"Consider choosing a different directory.");
#endif
return true;
}
static int fix_paths(void)
{
char buff[FN_REFLEN],*pos;
bool secure_file_priv_nonempty= false;
convert_dirname(mysql_home,mysql_home,NullS);
/* Resolve symlinks to allow 'mysql_home' to be a relative symlink */
my_realpath(mysql_home,mysql_home,MYF(0));
......@@ -7700,28 +7879,55 @@ static int fix_paths(void)
Convert the secure-file-priv option to system format, allowing
a quick strcmp to check if read or write is in an allowed dir
*/
if (opt_secure_file_priv)
if (opt_bootstrap)
opt_secure_file_priv= EMPTY_STR.str;
secure_file_priv_nonempty= opt_secure_file_priv[0] ? true : false;
if (secure_file_priv_nonempty && strlen(opt_secure_file_priv) > FN_REFLEN)
{
if (*opt_secure_file_priv == 0)
sql_print_warning("Value for --secure-file-priv is longer than maximum "
"limit of %d", FN_REFLEN-1);
return 1;
}
memset(buff, 0, sizeof(buff));
if (secure_file_priv_nonempty &&
my_strcasecmp(system_charset_info, opt_secure_file_priv, "NULL"))
{
int retval= my_realpath(buff, opt_secure_file_priv, MYF(MY_WME));
if (!retval)
{
convert_dirname(secure_file_real_path, buff, NullS);
#ifdef WIN32
MY_DIR *dir= my_dir(secure_file_real_path, MYF(MY_DONT_SORT+MY_WME));
if (!dir)
{
my_free(opt_secure_file_priv);
opt_secure_file_priv= 0;
retval= 1;
}
else
{
if (strlen(opt_secure_file_priv) >= FN_REFLEN)
opt_secure_file_priv[FN_REFLEN-1]= '\0';
if (my_realpath(buff, opt_secure_file_priv, 0))
my_dirend(dir);
}
#endif
}
if (retval)
{
sql_print_warning("Failed to normalize the argument for --secure-file-priv.");
char err_buffer[FN_REFLEN];
my_snprintf(err_buffer, FN_REFLEN-1,
"Failed to access directory for --secure-file-priv."
" Please make sure that directory exists and is "
"accessible by MySQL Server. Supplied value : %s",
opt_secure_file_priv);
err_buffer[FN_REFLEN-1]='\0';
sql_print_error("%s", err_buffer);
return 1;
}
char *secure_file_real_path= (char *)my_malloc(FN_REFLEN, MYF(MY_FAE));
convert_dirname(secure_file_real_path, buff, NullS);
my_free(opt_secure_file_priv);
opt_secure_file_priv= secure_file_real_path;
}
}
if (!check_secure_file_priv_path())
return 1;
return 0;
}
......
......@@ -68,6 +68,8 @@
char internal_table_name[2]= "*";
char empty_c_string[1]= {0}; /* used for not defined db */
LEX_STRING EMPTY_STR= { (char *) "", 0 };
const char * const THD::DEFAULT_WHERE= "field list";
......
......@@ -105,6 +105,7 @@ enum enum_filetype { FILETYPE_CSV, FILETYPE_XML };
extern char internal_table_name[2];
extern char empty_c_string[1];
extern LEX_STRING EMPTY_STR;
extern MYSQL_PLUGIN_IMPORT const char **errmesg;
extern bool volatile shutdown_in_progress;
......
......@@ -1941,8 +1941,12 @@ static Sys_var_charptr Sys_secure_file_priv(
"secure_file_priv",
"Limit LOAD DATA, SELECT ... OUTFILE, and LOAD_FILE() to files "
"within specified directory",
PREALLOCATED READ_ONLY GLOBAL_VAR(opt_secure_file_priv),
CMD_LINE(REQUIRED_ARG), IN_FS_CHARSET, DEFAULT(0));
READ_ONLY GLOBAL_VAR(opt_secure_file_priv),
#ifndef EMBEDDED_LIBRARY
CMD_LINE(REQUIRED_ARG), IN_FS_CHARSET, DEFAULT(DEFAULT_SECURE_FILE_PRIV_DIR));
#else
CMD_LINE(REQUIRED_ARG), IN_FS_CHARSET, DEFAULT(DEFAULT_SECURE_FILE_PRIV_EMBEDDED_DIR));
#endif
static bool fix_server_id(sys_var *self, THD *thd, enum_var_type type)
{
......
# Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
# Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
......@@ -562,6 +562,7 @@ install -d $RBR%{_includedir}
install -d $RBR%{_libdir}
install -d $RBR%{_mandir}
install -d $RBR%{_sbindir}
install -d $RBR/var/lib/mysql-files
mkdir -p $RBR%{_sysconfdir}/my.cnf.d
......@@ -1141,6 +1142,7 @@ echo "=====" >> $STATUS_HISTORY
%attr(755, root, root) %{_sysconfdir}/init.d/mysql
%attr(755, root, root) %{_datadir}/mysql/
%dir %attr(750, mysql, mysql) /var/lib/mysql-files
# ----------------------------------------------------------------------------
%files -n MySQL-client%{product_suffix}
......@@ -1226,6 +1228,9 @@ echo "=====" >> $STATUS_HISTORY
# merging BK trees)
##############################################################################
%changelog
* Mon Sep 26 2016 Balasubramanian Kandasamy <balasubramanian.kandasamy@oracle.com>
- Include mysql-files directory
* Wed Jul 02 2014 Bjorn Munch <bjorn.munch@oracle.com>
- Disable dtrace unconditionally, breaks after we install Oracle dtrace
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment