MySQL – Internal Database in Replication

MySQLreplicationSecurity

I searched around but the word game seems to delude any valid result and could not find anything relevant.

Mysql (the RDBMS) has an internal database named mysql, this database has information about the users and as far as I know, information and settings about the server running the RDBMS.

Background Info

In our set up we have a few MySQL 5.5 servers and one test MySQL 5.6 server.

Replication is set up so that the 5.6 is a slave of one of the 5.5

Incident

This week the replication to the 5.6 stopped working, when doing a show slave status this error was reported:

Error: Error Column count doesnt match value count at row 1 on query. 
Default database: mysql. 
Query: INSERT INTO tmp_user VALUES (localhost,root,,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,,,,,0,0,0,0,,)

When I checked, the mysql database did not have a tmp_user table, however the error is that the column count doesnt match, what I expected was for the error to be that the table did not exist (Error 1146).

Another conclusion that I gathered from this situation is that we are replicating the database mysql.

Questions

Is there any concern/benefit in replicating the mysql database?
Do you see this scenario as an injection attack? or a security concern?
(Perhaps I am missing a scenario where creating/populating/deleting a tmp_user table is
normal)

Thanks for your time

Best Answer

Yeah, what the heck is tmp_user? This smells like an attack. And I suspect it was successful. He probably already got in -- all he had to do was to try different flavors of the INSERT based on different versions. The one successful insert would suffice. Then he RENAMEs tables, does damage, rename tables back, DROPs evidence of his naughtiness, and vanishes. That insert looks like he could log in with all permissions and no password. Once he has SUPER he can do nasties like read all files (including /etc/passwd) on your system. Who knows what other goodies he found on your machine. Nice trick.

How did he get this far?

Port 3306 is not firewalled from people outside your building.
some non-root mysql 'user' has too much access to the mysql database. Possibly you simply did GRANT ALL ON *.* to ... for each application 'user'? Instead, use ON dbname.*; that would at least prevent messing around in mysql.
Perhaps SQL injection allowed CREATE TABLE mysql.tmp_user ... to be performed from your externally facing UI. Escape all user-provided strings. Don't allow multiple statements to be executed in a single command.

Replicating the mysql database has benefits and drawbacks, especially between different versions.

(plus) GRANTs, etc, are propagated to the slaves
(minus) the structure of mysql tables sometimes changes between major (eg, 5.5 to 5.6) versions, thereby disallowing direct manipulation of mysql tables.

Related Solutions

Thesql replication successful but slave not replicating

The output you presented is very confusing. On one hand, the master shows:

mysql-bin.000001   639495

The slave's PROCESSLIST indicates that replication works (the IO thread is connected to the master, the SQL thread is waiting).

The slave's SHOW SLAVE STATUS again claims all is well, but the master's position is 106.

Are all these outputs issued at roughly the same time? If not, then they are not valuable.

I would check the following:

The obvious: is 109.123.100.58 really your master?
Does SHOW PROCESSLIST on master list the connection made by the slave under the replica user?
Do you have different server-id settings for master and slave?
Do you have any replicate-do-* or replicate-ignore-* settings in your mysql.cnf file?

MySQL 5.6: explicit_defaults_for_timestamp

I had the same problem, tried to change the sql_mode but didn't work, then changed the explicit_defaults_for_timestamp to 0 and worked!!!, but I encourage you to read the following to understand the issue: http://openbedrock.blogspot.mx/2015/04/what-happened-to-mysql-timestamp-columns.html and https://dev.mysql.com/doc/refman/5.7/en/sql-mode.html