How to disable LOCAL INFILE in MySql 5.5 Ubuntu 12.04

mysql security configuration ubuntu-12.04
5,207

From MySQL Docs for load_file reference, it can be seen that load_file is MySQL function that returns content of the file as string. It does nothing more than that. It has nothing to do with local_infile.

For security purpose, from same docs:

If the secure_file_priv system variable is set to a nonempty directory name, the file to be loaded must be located in that directory.

So if you set the system variable "secure_file_priv", then file has to be present in that particular directory. Moreover, user requires File level privileges to execute this statement. Simply do not give file level privileges to your users who are accessing database, if you want it to be secured.

Further local-infile is for LOAD DATA statements, which loads data into table, thereby affecting tables. It has nothing to do with load_file() function.

Share:
5,207

Related videos on Youtube

FoREacH
Author by

FoREacH

Updated on September 18, 2022

Comments

  • FoREacH
    FoREacH over 1 year

    Cannot disable LOCAL INFILE ( for security reasons ) in mysql Ver 14.14 Distrib 5.5.25a, for debian-linux-gnu (i686) using readline 6.2 on ubuntu 12.04; Here is my /etc/mysql/my.cnf

    [client]
port            = 3306
socket          = /var/run/mysqld/mysqld.sock
loose-local-infile=0
local-infile=0

[mysqld_safe]
socket          = /var/run/mysqld/mysqld.sock
nice            = 0

[mysqld]
local-infile=0
user            = mysql
pid-file        = /var/run/mysqld/mysqld.pid
socket          = /var/run/mysqld/mysqld.sock
port            = 3306
basedir         = /usr
datadir         = /var/lib/mysql
tmpdir          = /tmp
lc-messages-dir = /usr/share/mysql
skip-external-locking

    I do 

    sudo /etc/init.d/mysql restart

mysql -u root -p

mysql> SELECT load_file("/etc/passwd");

    And it shows me my /etc/passwd content. So it didn't work.

    • Admin
      Admin over 11 years
      before firing your select query, try the statement "show variables like "load_infile"" and check if your change has taken effect or not.
    • Admin
      Admin over 11 years
      SHOW VARIABLES shows | local_infile | OFF
    • Admin
      Admin over 11 years
      LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE table1 -> ; ERROR 1148 (42000): The used command is not allowed with this MySQL version ===> ALL WORKS, but SELECT load_file("/etc/passwd"); loads file !
    • Admin
      Admin over 11 years
      This belongs on Ask Ubuntu.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Is it safe to open port 3306 in Firewall for external MySQL Connection
password limitations in SQL Server and MySql
proper IIS 6 configuration for forms authentication
Using mysql_real_escape_string with PDO (no connection to localhost server)
Granting mysql access rights to all machines on subnet
Access AWS RDS from Private Subnet
How to use AES_ENCRYPT properly?
How can I configure two Spring security http elements with different authentication filters?
What's the difference between PHP's addslashes and mysql(i)_escape_string?
Make php files hidden from outside world