SQLAlchemy fails for MySQL 5.7.8 with a security error

Mike Bayer repo owner

most disturbingly, the docs right here: https://dev.mysql.com/doc/refman/5.7/en/show-variables.html which have a big note about the new / but going away "show compatibility" flag at the top, leads right into the second paragraph:

SHOW VARIABLES shows the values of MySQL system variables (see Section 5.1.4, “Server System Variables”). This statement does not require any privilege. It requires only the ability to connect to the server.

which is obviously a lie. the blog post you refer to at http://code.openark.org/blog/mysql/baffling-5-7-globalstatus-variables-issues-unclean-migration-path is one of very few articles about this change as of yet, but I'm not able to follow the author's fairly hysterical style of writing. Rails seems like they want to just replace this with a SELECT from @@, I guess they are trying to support DBs that have this flag set that way, but...I disagree with that.

Looking at https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_show_compatibility_56, it appears that they've reversed themselves on this decision:

When show_compatibility_56=OFF, the SHOW VARIABLES and SHOW STATUS statements display rows from the Performance Schema global_variables, session_variables, global_status, and session_status tables.

As of MySQL 5.7.9, those tables are world readable and accessible without the SELECT privilege, which means that SELECT is not needed to use the SHOW statements, either. Before MySQL 5.7.9, the SELECT privilege is required to access those Performance Schema tables, either directly, or indirectly through the SHOW statements.

but...the current release is 5.7.8.

So I'd advise setting show_compatibility_56 = on in /etc/my.cnf . I'm guessing I'm going to hear about this more, though I don't yet see anything I want to do in SQLA (at most, I'd put some docs in). The reason I don't even want to put docs in is because, I've found that in the past I tend to write the best docs on these database gotchas out of anyone, and then people googling for info find our docs for it even though they're not using SQLAlchemy. Oracle would appear to have flat out broken the SHOW VARIABLES statement, and this is going to break a lot more than replication. We'll see how much this gets reported.

2015-08-31T20:39:39+00:00

Comments (6)

Mike Bayer repo owner
most disturbingly, the docs right here: https://dev.mysql.com/doc/refman/5.7/en/show-variables.html which have a big note about the new / but going away "show compatibility" flag at the top, leads right into the second paragraph:

SHOW VARIABLES shows the values of MySQL system variables (see Section 5.1.4, “Server System Variables”). This statement does not require any privilege. It requires only the ability to connect to the server.

which is obviously a lie. the blog post you refer to at http://code.openark.org/blog/mysql/baffling-5-7-globalstatus-variables-issues-unclean-migration-path is one of very few articles about this change as of yet, but I'm not able to follow the author's fairly hysterical style of writing. Rails seems like they want to just replace this with a SELECT from @@, I guess they are trying to support DBs that have this flag set that way, but...I disagree with that.

Looking at https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_show_compatibility_56, it appears that they've reversed themselves on this decision:

When show_compatibility_56=OFF, the SHOW VARIABLES and SHOW STATUS statements display rows from the Performance Schema global_variables, session_variables, global_status, and session_status tables.

As of MySQL 5.7.9, those tables are world readable and accessible without the SELECT privilege, which means that SELECT is not needed to use the SHOW statements, either. Before MySQL 5.7.9, the SELECT privilege is required to access those Performance Schema tables, either directly, or indirectly through the SHOW statements.

but...the current release is 5.7.8.

So I'd advise setting show_compatibility_56 = on in /etc/my.cnf . I'm guessing I'm going to hear about this more, though I don't yet see anything I want to do in SQLA (at most, I'd put some docs in). The reason I don't even want to put docs in is because, I've found that in the past I tend to write the best docs on these database gotchas out of anyone, and then people googling for info find our docs for it even though they're not using SQLAlchemy. Oracle would appear to have flat out broken the SHOW VARIABLES statement, and this is going to break a lot more than replication. We'll see how much this gets reported.
- 2015-08-31T20:39:39+00:00
Mike Bayer repo owner
- changed status to closed
going to stay quiet about Oracle breaking the world for everyone until the information becomes more widespread.
- 2015-08-31T20:40:05+00:00
Mike Bayer repo owner
Also, you can just do the GRANT, simple enough: "GRANT SELECT ON performance_schema.global_variables TO '...' ", as long as you're using 5.7.8.
- 2015-08-31T20:44:30+00:00
Joseph Schorr reporter
Would the grant be allowed with the non-root user? If so, that seems a good workaround.
- 2015-08-31T20:46:33+00:00
Mike Bayer repo owner
to actually run the grant you need administrator privileges
- 2015-08-31T20:56:15+00:00
Joseph Schorr reporter
Right, which also allows the original call to work. I guess, for now, we'll have to have customers either set the flag manually or add the grant manually.
- 2015-08-31T20:59:56+00:00
Log in to comment