5.2 Ensure 'FILE' is Not Granted to Non-Administrative Users

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

The FILE privilege controls whether an account can read and write files on the server host, through functions and statements such as LOAD_FILE(), LOAD DATA INFILE and SELECT ... INTO OUTFILE. These operations run as the operating-system user of the MariaDB server process, not as the connecting client, so any account granted FILE is able to:

Read files from the local file system that are readable by the MariaDB server process (this includes world-readable files, not just the server's own data files).

Write new files to any location on the local file system where the MariaDB server process has write access.

The secure_file_priv system variable narrows the scope (an empty value places no restriction, a directory path confines reads and writes to that directory, and NULL disables file import and export entirely), but it is a global setting and does not substitute for withholding the privilege from accounts that do not need it.
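The following statements, added here as an illustration and not taken from the benchmark, show what an account holding FILE can do on a MariaDB server and how to check the secure_file_priv setting that bounds it. The account name 'appuser'@'%' and the file paths are assumptions for the example.

```sql
-- Added example (not part of the CIS benchmark text).
-- Run as a hypothetical account 'appuser'@'%' that currently holds FILE.

-- Scope of file access for every FILE holder on this server:
--   ''          no restriction (any path the server's OS user can reach)
--   '/some/dir' reads and writes confined to that directory
--   NULL        file import/export disabled
SHOW VARIABLES LIKE 'secure_file_priv';

-- Read: returns the file contents as a string, or NULL when the file does
-- not exist, is not readable by the server process, exceeds
-- max_allowed_packet, or lies outside secure_file_priv.
SELECT LOAD_FILE('/etc/passwd');

-- Write: dumps a result set to a new file owned by the server's OS user.
-- The path is assumed; MariaDB refuses with an error if the file already
-- exists, so existing files are never overwritten.
SELECT 'written via FILE privilege' INTO OUTFILE '/tmp/file_priv_check.txt';
```

Both statements succeed only because the account holds FILE; after REVOKE FILE they fail with an access-denied error regardless of the secure_file_priv value, which is why revoking the privilege, rather than relying on the directory restriction alone, is the control the benchmark asks for.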

Rationale:

The FILE right allows MariaDB users to read files from disk and to write files to disk, with the permissions of the server's operating-system user. An attacker who obtains a FILE-holding account (for example through SQL injection or a leaked credential) can use it to read configuration files and other data the server process can access, and to place new files on the host, which may be leveraged to further compromise MariaDB or the server. Note that SELECT ... INTO OUTFILE refuses to overwrite an existing file, so the MariaDB server will not clobber files that are already present; this limits the impact but does not remove the risk, since creating new files in locations other processes read from is still useful to an attacker.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Perform the following steps to remediate this setting:

Enumerate the non-administrative accounts found in the result set of the audit procedure (the GRANTEE column of INFORMATION_SCHEMA.USER_PRIVILEGES for rows where PRIVILEGE_TYPE is 'FILE', excluding the accounts the site treats as administrative).

For each account, issue the following SQL statement (replace <user> and <host> with the user and host parts of the account name; if the host part is omitted, MariaDB assumes '%', which may not match the account that actually holds the privilege). FILE is a global privilege, so the ON *.* clause is required:

REVOKE FILE ON *.* FROM '<user>'@'<host>';
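The sequence below is an added worked example of the remediation above, not the benchmark's own audit text. It lists every account holding FILE, generates the matching REVOKE statements, applies one, and verifies the result. The administrative exclusion list ('root'@'localhost') and the account 'appuser'@'%' are assumptions; replace them with the site's actual administrative accounts and the accounts returned by the audit.

```sql
-- Added example (not part of the CIS benchmark text).

-- 1. Audit: every account holding FILE. GRANTEE is already formatted as
--    'user'@'host', so it can be pasted straight into REVOKE. Double quotes
--    delimit strings here (assumes sql_mode does not include ANSI_QUOTES).
SELECT GRANTEE
FROM information_schema.USER_PRIVILEGES
WHERE PRIVILEGE_TYPE = 'FILE'
  AND GRANTEE NOT IN ("'root'@'localhost'");   -- assumed admin account list

-- 2. Generate one REVOKE per non-administrative account rather than typing
--    them by hand. FILE is global, so ON *.* is mandatory.
SELECT CONCAT('REVOKE FILE ON *.* FROM ', GRANTEE, ';') AS revoke_stmt
FROM information_schema.USER_PRIVILEGES
WHERE PRIVILEGE_TYPE = 'FILE'
  AND GRANTEE NOT IN ("'root'@'localhost'");

-- 3. Apply the generated statements. One of them, for the hypothetical
--    account 'appuser'@'%', looks like this:
REVOKE FILE ON *.* FROM 'appuser'@'%';

-- 4. Verify: the account's GRANT line must no longer list FILE, and the
--    audit query in step 1 must return no rows.
SHOW GRANTS FOR 'appuser'@'%';
SELECT COUNT(*) AS remaining_file_holders
FROM information_schema.USER_PRIVILEGES
WHERE PRIVILEGE_TYPE = 'FILE'
  AND GRANTEE NOT IN ("'root'@'localhost'");
```

Running the generation query first and reviewing its output before executing it avoids revoking the privilege from an administrative account that was left out of the exclusion list. Global privilege changes take effect for an account's new connections; sessions that are already open keep their current privileges until they reconnect, so long-lived application connections should be recycled after the REVOKE.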

See Also

https://workbench.cisecurity.org/benchmarks/12270