I am writing this quick post to share what I think is a problematic new behavior of Offline Mode in MySQL 9. Basically, the new default behavior in MySQL 9 is to write the username of the user which set offline_mode to ON. I think this behavior has not been considered from a security point of view because it leaks a root username in the error message presented to the users.
My attention was brought to this subject by the Oracle MySQL Blog post Offline mode error improvement. I think it is interesting to expose a reason about why a MySQL instance is offline (or read only), but I think exposing the user is a problematic default behavior.
Let's assume the owner of a MySQL instance delegates the administration of their instance (to Percona as an example). A classic way to implement this would be to create a user for this delegation (percona_admin). If for any reason, the percona_admin user sets the instance as offline, the delegation would be exposed by the error message, which might be unwanted by the owner.
For this, I opened Bug #116850 : Error message ER_SERVER_OFFLINE_MODE_USER leaks a root username.
Update : the bug above was made private by MySQL Verification Team. The reason is not super clear to me at this point.
I understand the user is not exposed when adding a reason for setting the instance offline, but how to set such reason is currently not documented. For this I opened Bug #116849 : Missing documentation (or link) for setting global variable attributes.
Hopefully, both above will be addressed before MySQL 9 reaches LTS.
No comments:
Post a Comment