Mysql – FILE privilege still allows for file writing on server (localhost)


I created a user without the FILE privilege, and a web app connected to the DB with this user is still able to write text files on my localhost. To write these files, the program just uses fopen and fwrite.

I'm reading the document here, and it seems to me that FILE allows query-level file-writing/reading LOAD DATA INFILE. Am I interpreting this right?

Best Answer

Please note the FILE privilege as described in the Documentation

The FILE privilege gives you permission to read and write files on the server host using the LOAD DATA INFILE and SELECT ... INTO OUTFILE statements and the LOAD_FILE() function. A user who has the FILE privilege can read any file on the server host that is either world-readable or readable by the MySQL server. (This implies the user can read any file in any database directory, because the server can access any of those files.) The FILE privilege also enables the user to create new files in any directory where the MySQL server has write access. This includes the server's data directory containing the files that implement the privilege tables. As a security measure, the server will not overwrite existing files.

The context here refers to the DB User being able to read and write files on the DB Server using

These commands have their fopen and fwrite commands issued from the mysqld server daemon, not the client program. Your web application is not restricted in any way from reading and writing ordinary files because you are doing so from the application layer, not the DB layer. If you click on each link to those three(3) commands, the FILE privilege is specifically mentioned.