diff options
| author | Jon Olav Hauglid <jon.hauglid@oracle.com> | 2016-08-16 15:35:19 +0200 |
|---|---|---|
| committer | Jon Olav Hauglid <jon.hauglid@oracle.com> | 2016-08-19 09:09:07 +0200 |
| commit | 033b11912121ad2c1dbd4a93202eeac196124801 (patch) | |
| tree | 7027148b568b465c2a2ed0a93461663d8f931c3e /mysys | |
| parent | 8b1f4d84cafe393e92f942278f9f020a62ceb5b9 (diff) | |
| download | mariadb-git-033b11912121ad2c1dbd4a93202eeac196124801.tar.gz | |
Bug#24388746: PRIVILEGE ESCALATION AND RACE CONDITION USING CREATE TABLE
During REPAIR TABLE of a MyISAM table, a temporary data file (.TMD)
is created. When repair finishes, this file is renamed to the original
.MYD file. The problem was that during this rename, we copied the
stats from the old file to the new file with chmod/chown. If a user
managed to replace the temporary file before chmod/chown was executed,
it was possible to get an arbitrary file with the privileges of the
mysql user.
This patch fixes the problem by not copying stats from the old
file to the new file. This is not needed as the new file was
created with the correct stats. This fix only changes server
behavior - external utilities such as myisamchk still does
chmod/chown.
No test case provided since the problem involves synchronization
with file system operations.
Diffstat (limited to 'mysys')
| -rw-r--r-- | mysys/my_redel.c | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/mysys/my_redel.c b/mysys/my_redel.c index a47df8265c8..25391cd4e8f 100644 --- a/mysys/my_redel.c +++ b/mysys/my_redel.c @@ -1,4 +1,4 @@ -/* Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved. +/* Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -35,6 +35,9 @@ struct utimbuf { if MY_REDEL_MAKE_COPY is given, then the orginal file is renamed to org_name-'current_time'.BAK + + if MY_REDEL_NO_COPY_STAT is given, stats are not copied + from org_name to tmp_name. */ #define REDEL_EXT ".BAK" @@ -46,8 +49,11 @@ int my_redel(const char *org_name, const char *tmp_name, myf MyFlags) DBUG_PRINT("my",("org_name: '%s' tmp_name: '%s' MyFlags: %d", org_name,tmp_name,MyFlags)); - if (my_copystat(org_name,tmp_name,MyFlags) < 0) - goto end; + if (!(MyFlags & MY_REDEL_NO_COPY_STAT)) + { + if (my_copystat(org_name,tmp_name,MyFlags) < 0) + goto end; + } if (MyFlags & MY_REDEL_MAKE_BACKUP) { char name_buff[FN_REFLEN+20]; |