I am writing this quick post to share what I think is a problematic new behavior of Offline Mode in MySQL 9. Basically, the new default behavior in MySQL 9 is to include, in the error message, the username of the user who set offline_mode to ON. I think this behavior has not been considered from a security point of view because it leaks a root username in the error message presented to the users.
My attention was brought to this subject by the Oracle MySQL Blog post Offline mode error improvement. I think it is interesting to expose a reason about why a MySQL instance is offline (or read only), but I think exposing the user is a problematic default behavior.
Let's assume the owner of a MySQL instance delegates the administration of their instance (to Percona as an example). A classic way to implement this would be to create a user for this delegation (percona_admin). If for any reason the percona_admin user sets the instance offline, the delegation would be exposed by the error message, which might be unwanted by the owner.
For this, I opened Bug #116850: Error message ER_SERVER_OFFLINE_MODE_USER leaks a root username.
Update: the bug above was made private by the MySQL Verification Team. The reason is not super clear to me at this point.
I understand the user is not exposed when adding a reason for setting the instance offline, but how to set such a reason is currently not documented. For this I opened Bug #116849: Missing documentation (or link) for setting global variable attributes.
Hopefully, both of the above will be addressed before MySQL 9 reaches LTS.
I think we need to distinguish 2 different aspects of this:
1. what is reported to the user, should not include internal information (so no user information)
2. what is reported in logging, should include relevant information (as this is useful for the DBA/administrator for forensics).
I've already requested from MySQL that things like stop/start replica commands should indicate the user who triggers this action (in logging) as in some cases I may delegate this functionality to specific users for specific reasons and it's good to know the source of the action.
For a similar reason it would be good to know the source of the action to set a server into offline mode or to move back to "normal mode", and while that information could/should be indicated in logging I agree with JF that exposing it to non-administrative type users would not be appropriate.
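The split described in the post (the offline error message should name a reason, not the principal) and in the comment above (full detail in the administrator log, nothing internal in what clients see) can be illustrated with a small model. This is an added example, not MySQL code and not the author's or commenter's; the class names, the two message formats and the in-memory audit log are constructed here for illustration, and the message texts are not MySQL's actual error strings. It also includes a check that scans a client-facing message for known administrative usernames, which is the kind of test a reviewer could apply to any error text a server returns.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Hypothetical model of an "offline mode" switch that records who set it and
# why. Names and message texts are assumptions, not MySQL's own.


@dataclass
class OfflineState:
    enabled: bool = False
    set_by: Optional[str] = None    # principal who switched offline mode on
    reason: Optional[str] = None    # operator-supplied reason, may be absent


@dataclass
class Server:
    state: OfflineState = field(default_factory=OfflineState)
    audit_log: List[str] = field(default_factory=list)  # constructed stand-in for a server log

    def set_offline(self, actor: str, enabled: bool, reason: Optional[str] = None) -> None:
        """Apply the change and record full detail where only administrators read it."""
        if enabled:
            self.state = OfflineState(True, actor, reason)
        else:
            self.state = OfflineState(False, None, None)
        mode = "ON" if enabled else "OFF"
        # The actor belongs here: this line is for DBAs doing forensics.
        self.audit_log.append(f"offline_mode={mode} by user='{actor}' reason={reason!r}")

    def client_error_leaky(self) -> Optional[str]:
        """The pattern the post objects to: the principal appears in the client message."""
        if not self.state.enabled:
            return None
        return f"The server is currently in offline mode. It was set by user '{self.state.set_by}'."

    def client_error_safe(self) -> Optional[str]:
        """Client-facing message that carries the reason (if any) but never the principal."""
        if not self.state.enabled:
            return None
        if self.state.reason:
            return f"The server is currently in offline mode. Reason: {self.state.reason}."
        return "The server is currently in offline mode."


# Constructed list of administrative principals for the leak check below.
ADMIN_USERS: Set[str] = {"root", "percona_admin"}


def leaks_principal(message: str, known_principals: Set[str] = ADMIN_USERS) -> bool:
    """Return True if a client-facing message contains any known administrative username."""
    pattern = r"\b(" + "|".join(re.escape(u) for u in sorted(known_principals)) + r")\b"
    return re.search(pattern, message) is not None


if __name__ == "__main__":
    srv = Server()
    srv.set_offline("percona_admin", True)
    print("leaky:", srv.client_error_leaky(), "->", leaks_principal(srv.client_error_leaky()))
    print("safe: ", srv.client_error_safe(), "->", leaks_principal(srv.client_error_safe()))
    srv.set_offline("percona_admin", True, "planned maintenance")
    print("safe with reason:", srv.client_error_safe())
    print("audit log:", *srv.audit_log, sep="\n  ")
```

Running the script shows the delegated administrator's username in the audit log for both changes, while only the leaky client message fails the `leaks_principal` check; the safe variant passes with or without a reason.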