mysql security
TRANSCRIPT
![Page 1: MySQL Security](https://reader030.vdocuments.mx/reader030/viewer/2022020207/55908d3d1a28ab7a6d8b45ad/html5/thumbnails/1.jpg)
MySQL SecurityDomas Mituzas, Sun Microsystems
![Page 2: MySQL Security](https://reader030.vdocuments.mx/reader030/viewer/2022020207/55908d3d1a28ab7a6d8b45ad/html5/thumbnails/2.jpg)
Me
• MySQL Support Security Coordinator (role)
• Did lots of security consulting and systems design work before
• Would prefer not to work on protection. Productivity is so much more fun!
![Page 3: MySQL Security](https://reader030.vdocuments.mx/reader030/viewer/2022020207/55908d3d1a28ab7a6d8b45ad/html5/thumbnails/3.jpg)
What it is
• Safety of host system
• Safety of MySQL within host system
• Internal MySQL security capabilities
![Page 4: MySQL Security](https://reader030.vdocuments.mx/reader030/viewer/2022020207/55908d3d1a28ab7a6d8b45ad/html5/thumbnails/4.jpg)
Host system security
• MySQL #1 in shared hosting environments (lots of long-term exposure to attackers)
• Has dangerous features allowing external file access, and possibly - code execution
![Page 5: MySQL Security](https://reader030.vdocuments.mx/reader030/viewer/2022020207/55908d3d1a28ab7a6d8b45ad/html5/thumbnails/5.jpg)
User-defined functions
• Allows executing external code
• Checks for _init symbol to guard against malicious UDF specifications
• Some system libraries can be used to run arbitrary code this way
• Fix: 5.0.70, plugin_dir
![Page 6: MySQL Security](https://reader030.vdocuments.mx/reader030/viewer/2022020207/55908d3d1a28ab7a6d8b45ad/html5/thumbnails/6.jpg)
Arbitrary paths
• DATA/INDEX DIRECTORY = /dev/shm
• Allows access outside of datadir
• Problem - can lead to DoS
• Fix - --skip-symbolic-links
![Page 7: MySQL Security](https://reader030.vdocuments.mx/reader030/viewer/2022020207/55908d3d1a28ab7a6d8b45ad/html5/thumbnails/7.jpg)
FILE privilege
• LOAD DATA & INTO OUTFILE
• Allows access to non-DB files, allows creation of files too
• Especially dangerous with writable ~mysql
• Can be used to craft evil data files/frm/etc
• Fix: --secure-file-priv=/somewhere/outside
![Page 8: MySQL Security](https://reader030.vdocuments.mx/reader030/viewer/2022020207/55908d3d1a28ab7a6d8b45ad/html5/thumbnails/8.jpg)
YaSSL
• The known major use (as a server) - just inside MySQL
• Security cautious might want to use OpenSSL for SSL needs (more audited)
• Does not cause much harm if disabled
![Page 9: MySQL Security](https://reader030.vdocuments.mx/reader030/viewer/2022020207/55908d3d1a28ab7a6d8b45ad/html5/thumbnails/9.jpg)
LOAD DATA LOCAL• Malicious servers can read data from client
filesystems
• Every program, every API should have this disabled by default
• Overlooked by many distributions/software/etc too many times
• No --enable-local-infile builds and MYSQL_OPT_LOCAL_INFILE,0 helps
![Page 10: MySQL Security](https://reader030.vdocuments.mx/reader030/viewer/2022020207/55908d3d1a28ab7a6d8b45ad/html5/thumbnails/10.jpg)
External libraries
• DNS: --skip-name-resolve
• libc, zlib, openssl
![Page 11: MySQL Security](https://reader030.vdocuments.mx/reader030/viewer/2022020207/55908d3d1a28ab7a6d8b45ad/html5/thumbnails/11.jpg)
Additional host security
• Better constraining of MySQL is helpful
• SELinux (support-files/RHEL4-SElinux)
• AppArmor
• Stack guarding compilers
• -fstack-protector-all - Ubuntu, etc
• x86_64 NX
![Page 12: MySQL Security](https://reader030.vdocuments.mx/reader030/viewer/2022020207/55908d3d1a28ab7a6d8b45ad/html5/thumbnails/12.jpg)
AppArmor/usr/sbin/mysqld { #include <abstractions/base> #include <abstractions/nameservice> #include <abstractions/user-tmp> #include <abstractions/mysql>
capability dac_override, capability setgid, capability setuid,
...
...
/etc/mysql/** r, /usr/sbin/mysqld mr, /usr/share/mysql/** r, /var/lib/mysql/ r, /var/lib/mysql/** rwk, /var/log/mysql/ r, /var/log/mysql/* rw, /var/run/mysqld/mysqld.pid w, /var/run/mysqld/mysqld.sock w,}
(Ubuntu, SuSE)
![Page 13: MySQL Security](https://reader030.vdocuments.mx/reader030/viewer/2022020207/55908d3d1a28ab7a6d8b45ad/html5/thumbnails/13.jpg)
OOM
• Trivial to send MySQL out-of-memory
• Megabyte query on an empty table can consume gigabyte of RAM
• max_allowed_packet can help
• If system is supposed to do other work, ulimit’ing memory is good practice
![Page 14: MySQL Security](https://reader030.vdocuments.mx/reader030/viewer/2022020207/55908d3d1a28ab7a6d8b45ad/html5/thumbnails/14.jpg)
Inside the system• MySQL is as secure as a host it runs on
• All data files are portable
• ACLs can be edited with a simple editor (one can reset root password with ‘vi’)
• Debuggers have lots of power (symbols available, source open, ptrace(), kmem, ...)
• Plaintext data transfer (except for SSL)
• Hash+network snooping enough to log in
![Page 15: MySQL Security](https://reader030.vdocuments.mx/reader030/viewer/2022020207/55908d3d1a28ab7a6d8b45ad/html5/thumbnails/15.jpg)
Blackbox• Encrypted file systems alleviate data risks in
case of hardware theft
• Stripping debugging symbols makes tracing much more complicated (not impossible for anyone with disassembler)
• --disable-grant-options stop the most easy ACL reset method
• OS allows stripping super-user capabilities
![Page 16: MySQL Security](https://reader030.vdocuments.mx/reader030/viewer/2022020207/55908d3d1a28ab7a6d8b45ad/html5/thumbnails/16.jpg)
Entering the MySQL
• Users are identified by name+host pair
• Access from unauthorized hosts immediately rejected, before any handshake
• Wildcards can be used for subnets (no CIDR notation though), and subdomains
• Reverse DNS check does bidirectional lookup
![Page 17: MySQL Security](https://reader030.vdocuments.mx/reader030/viewer/2022020207/55908d3d1a28ab7a6d8b45ad/html5/thumbnails/17.jpg)
Authentication• 4.0 hash can be used to log in
• 4.1 password hashes can be used to login only in case of intercepted network traffic (challenge + response + storedhash = passcode)
• Possible to trap required hash with debugger/trace
• SSL solves all that, as long as crypto is safe
![Page 18: MySQL Security](https://reader030.vdocuments.mx/reader030/viewer/2022020207/55908d3d1a28ab7a6d8b45ad/html5/thumbnails/18.jpg)
4.1 PASSWORD()
public_seed=create_random_string()
passphrase=sha1("password")
storedhash=sha1(passphrase)
reply=xor(passphrase, sha1(public_seed,storedhash)
passphrase=xor(reply, sha1(public_seed,storedhash))
sha1(passphrase)==storedhash \o/
![Page 19: MySQL Security](https://reader030.vdocuments.mx/reader030/viewer/2022020207/55908d3d1a28ab7a6d8b45ad/html5/thumbnails/19.jpg)
Authorization
• ACLs are global, database, table/view, column and at stored-routine level
• They just add up, no exclusions are possible
• ROLEs are not there, 3rd party patches include such functionality (Google v3)
• ACLs stay in memory, so better to keep them lean
![Page 20: MySQL Security](https://reader030.vdocuments.mx/reader030/viewer/2022020207/55908d3d1a28ab7a6d8b45ad/html5/thumbnails/20.jpg)
Grants
• Some grants are more problematic than others
• Some grants grew their power with features
![Page 21: MySQL Security](https://reader030.vdocuments.mx/reader030/viewer/2022020207/55908d3d1a28ab7a6d8b45ad/html5/thumbnails/21.jpg)
SUPER saga
• It was fairly limited and safe grant once upon a time
• Allows bypassing max_connections (once)
• KILL, PURGE MASTER LOGS, SET GLOBAL, CHANGE MASTER, DEFINER, BINLOG, triggers, SET LOG-BIN, read_only
![Page 22: MySQL Security](https://reader030.vdocuments.mx/reader030/viewer/2022020207/55908d3d1a28ab7a6d8b45ad/html5/thumbnails/22.jpg)
SUPER saga is long
• Active SUPER connection will block access to other SUPERs if max_conns run out
• KILLing SUPER-users is fun too! ;-)
• PURGE MASTER LOGS - destroying audit info (one can cripple the index to disable this)
• DEFINER specifications escalate privileges
![Page 23: MySQL Security](https://reader030.vdocuments.mx/reader030/viewer/2022020207/55908d3d1a28ab7a6d8b45ad/html5/thumbnails/23.jpg)
Very long
• BINLOG command allows changing any data (BUG#31611), mysql.user too
• CHANGE MASTER can point to malicious binlog servers (firewalls help here)
• Triggers can be used to execute dirty work as other users
• Disable audit (binlog) for the session
![Page 24: MySQL Security](https://reader030.vdocuments.mx/reader030/viewer/2022020207/55908d3d1a28ab7a6d8b45ad/html5/thumbnails/24.jpg)
SUPER must die
• It was not supposed to be ultimate super-user, just few SUPER-like rights
• It was much safer in 4.0 (and even 4.1)
• We’re moving away some of actions from SUPER (monitoring used to ask for it)
• Needs reworking of grants system
![Page 25: MySQL Security](https://reader030.vdocuments.mx/reader030/viewer/2022020207/55908d3d1a28ab7a6d8b45ad/html5/thumbnails/25.jpg)
FILE
• --secure-file-priv is a must
• Data leaks and code executions possible otherwise
![Page 26: MySQL Security](https://reader030.vdocuments.mx/reader030/viewer/2022020207/55908d3d1a28ab7a6d8b45ad/html5/thumbnails/26.jpg)
PROCESS
• Allows seeing data in processlists
• Got InnoDB status moved over to it (from SUPER...)
• In case of system slowdowns (intentional or not) sensitive data can appear
![Page 27: MySQL Security](https://reader030.vdocuments.mx/reader030/viewer/2022020207/55908d3d1a28ab7a6d8b45ad/html5/thumbnails/27.jpg)
RELOAD
• Allows FLUSH commands - resetting host error counts, reloading privileges, flushing table data to disk, etc
• Helpful access when attacking a system :)
• = SIGHUP in few cases
![Page 28: MySQL Security](https://reader030.vdocuments.mx/reader030/viewer/2022020207/55908d3d1a28ab7a6d8b45ad/html5/thumbnails/28.jpg)
REPLICATION SLAVE
• Allows reading binary log information - all statement data, etc
• “SHOW BINLOG EVENTS” can be used by unsophisticated attackers
![Page 29: MySQL Security](https://reader030.vdocuments.mx/reader030/viewer/2022020207/55908d3d1a28ab7a6d8b45ad/html5/thumbnails/29.jpg)
INSERT & UPDATE
• If given at global level (*.*), lead immediately to privilege escalation via mysql.* tables
![Page 30: MySQL Security](https://reader030.vdocuments.mx/reader030/viewer/2022020207/55908d3d1a28ab7a6d8b45ad/html5/thumbnails/30.jpg)
TRIGGER
• Since 5.1, it can be used to set actions for other users
• Used to be part of SUPER in 5.0
![Page 31: MySQL Security](https://reader030.vdocuments.mx/reader030/viewer/2022020207/55908d3d1a28ab7a6d8b45ad/html5/thumbnails/31.jpg)
EVENT
• Allows background execution of tasks
• Can be used for timing attacks, injecting bombs, etc
![Page 32: MySQL Security](https://reader030.vdocuments.mx/reader030/viewer/2022020207/55908d3d1a28ab7a6d8b45ad/html5/thumbnails/32.jpg)
SHUTDOWN
• Can turn server off
• Most isolated/secure privilege out there
![Page 33: MySQL Security](https://reader030.vdocuments.mx/reader030/viewer/2022020207/55908d3d1a28ab7a6d8b45ad/html5/thumbnails/33.jpg)
GRANT OPTION
• Allows giving same rights as executor’s
• Needs ‘CREATE USER’ privilege to be able to create new users
• Needs access to mysql.* to reset password
• Grants can be revoked from anyone, including ‘root’, so there would be no way to set them back (except mysql.user edits)
![Page 34: MySQL Security](https://reader030.vdocuments.mx/reader030/viewer/2022020207/55908d3d1a28ab7a6d8b45ad/html5/thumbnails/34.jpg)
Default users
• ‘’@localhost, ‘’@hostname - access to test
• root@localhost, root@hostname - superuser without password
DROP USER ''@localhost;DROP USER ''@localhostname;SET PASSWORD FOR root@localhost = PASSWORD('new password');DROP USER root@localhostname; -- (or set password)
![Page 35: MySQL Security](https://reader030.vdocuments.mx/reader030/viewer/2022020207/55908d3d1a28ab7a6d8b45ad/html5/thumbnails/35.jpg)
Resource control
• It is minimal
• Users can change session buffers
• Max can be specified:
• --maximum-sort-buffer-size
• Apparently this isn’t documented :(
![Page 36: MySQL Security](https://reader030.vdocuments.mx/reader030/viewer/2022020207/55908d3d1a28ab7a6d8b45ad/html5/thumbnails/36.jpg)
Security features
• AES_ENCRYPT, DES_ENCRYPT, etc
• SHA1, MD5, etc
• SSL
• Views, triggers, procedures and functions
![Page 37: MySQL Security](https://reader030.vdocuments.mx/reader030/viewer/2022020207/55908d3d1a28ab7a6d8b45ad/html5/thumbnails/37.jpg)
SSL
• Can request users to have a verifiable client certificate
• ... issued by specific CA
• ... with specific Subject Name
• ... and even ask password on top
![Page 38: MySQL Security](https://reader030.vdocuments.mx/reader030/viewer/2022020207/55908d3d1a28ab7a6d8b45ad/html5/thumbnails/38.jpg)
SSL Example
• GRANT ALL PRIVILEGES ON test.* TO 'root'@'localhost'
• IDENTIFIED BY 'goodsecret'
• REQUIRE SUBJECT '/C=EE/ST=Some-State/L=Tallinn/
• O=MySQL demo client certificate/
• CN=Tonu Samuel/[email protected]'
• AND ISSUER '/C=FI/ST=Some-State/L=Helsinki/
• O=MySQL Finland AB/CN=Tonu Samuel/[email protected]'
• AND CIPHER 'EDH-RSA-DES-CBC3-SHA';
![Page 39: MySQL Security](https://reader030.vdocuments.mx/reader030/viewer/2022020207/55908d3d1a28ab7a6d8b45ad/html5/thumbnails/39.jpg)
SSL will not
• by default check if server’s certificate subject name matches server hostname
• can be set for regular clients, but replication setup does not have such option - would have to use server’s public key as CA public key
• provide pure SSL port - so SSL will always have to be done by MySQL library
![Page 40: MySQL Security](https://reader030.vdocuments.mx/reader030/viewer/2022020207/55908d3d1a28ab7a6d8b45ad/html5/thumbnails/40.jpg)
Views, functions, procedures
• Can be executed either in definer or executor security contexts
• Can allow horizontal and vertical table data security
• Can execute procedures on tables user does not have access to
![Page 41: MySQL Security](https://reader030.vdocuments.mx/reader030/viewer/2022020207/55908d3d1a28ab7a6d8b45ad/html5/thumbnails/41.jpg)
Auditing
• Binlog (unsafe)
• General query log (possible to turn off in 5.1)
• SUPER audit (Google patch, v1)
• Triggers
![Page 42: MySQL Security](https://reader030.vdocuments.mx/reader030/viewer/2022020207/55908d3d1a28ab7a6d8b45ad/html5/thumbnails/42.jpg)
SQL injections• MySQL by default does not allow multiple
statements (though, can be changed with connection flag) - good! Really!
• Prepared statements are widely used to guard against this
• Escaping rules are character set specific (can of worms)
• INFORMATION_SCHEMA is too revealing
![Page 43: MySQL Security](https://reader030.vdocuments.mx/reader030/viewer/2022020207/55908d3d1a28ab7a6d8b45ad/html5/thumbnails/43.jpg)
Summary
• It is not that bad (I don’t have much work at security team)
• Defaults could be better though
• Developers have great attitude to security issues (thanks Serg!)
![Page 44: MySQL Security](https://reader030.vdocuments.mx/reader030/viewer/2022020207/55908d3d1a28ab7a6d8b45ad/html5/thumbnails/44.jpg)
Questions?
• domas at sun dot com
• http://dammit.lt/ & http://mysql.com/
• Report security vulnerabilities:
• security at mysql dot com