How can I get around MySQL Errcode 13 with SELECT INTO OUTFILE?

sql

file-system-permissions

mysql-errorcode-13

apparmor

byAlex Kataev·Nov 26, 2024

To effectively get around the MySQL Errcode 13, you need to ensure that your MySQL user has FILE privilege and the server has the authority to write to the targeted directory. However, if these remedies are not fruitful, command-line redirection offers a suitable workaround.

mysql -u user -p -e "SELECT * FROM table1" > /target/path/file.txt

Ensure you substitute user, table1 and /target/path/file.txt with your actual username, preferred table, and file path in respect.

Diving into File System Permissions

Errcode 13 mainly arises due to file system permission issues or when security modules, including AppArmor or SELinux, restrict access. You can bypass this hurdle using the following system-level changes under proper security supervision.

Working with AppArmor

Verify its active status through sudo aa-status
Scan /var/log/auth.log or /var/log/messages for any AppArmor denied messages related to mysqld.
Update /etc/apparmor.d/usr.sbin.mysqld by adding your directory to this file and restart the service.

Optionally, use these commands to grant MySQL access to the directory /dir/path:

sudo aa-complain /usr/sbin/mysqld
echo "/dir/path/** rw," | sudo tee -a /etc/apparmor.d/usr.sbin.mysqld
sudo aa-enforce /usr/sbin/mysqld

Unleashing SELinux Power

Confirm its active status using getenforce.
To grant access, tweak the necessary file context and apply changes using restorecon.

Remember, also verify permissions at the OS level, ensuring the MySQL server user has read, write, and execute permissions on your directory's parent directories.

The mysqldump Alternative

When permission tweaking is not an option, or stringent security policies exist, consider the simple workaround of using mysqldump with the -T option.

mysqldump -u user -p my_database my_table --fields-terminated-by=',' --tab=/target/path

Replace user, my_database, my_table, and /target/path with your actual values.

Working Green in Non-Permissive Environments

In case of stringent environments, you still have a way out.

A. Alternative Data Extraction

Leverage mysql command-line redirection, offering a sneak peek into a real-life ninja bypassing mission.

B. Directory Bind Mounts

Use the mount --bind source_dir target_dir command to mislead MySQL into writing on a permitted directory.

C. Secure File Privilege

Here, you'll control SELECT INTO OUTFILE rights through configuring secure_file_priv in my.cnf:

[mysqld]
secure_file_priv="/var/lib/mysql-files"

Contemplating Security Implications

Although it's great to circumvent error roadblocks fast, don't ignore the security implications of these wide-ranging permission changes. Always bear in mind the associated risks when allotting broader privileges or deactivating security modules.

A Deeper Dive into Comprehensive Checks

Thorough systems checks come in handy:

Confirm ownership and permissions recursively for nested target directories.
When working on AppArmor profiles, restrict changes to only allow necessary elements.
Always stay posted on MySQL version updates for any version-specific limitations.

Efficient Troubleshooting Guide

Sure-fire steps when issues crop up:

Keenly monitor logs: Always crosscheck system logs (/var/log) for any traces of permission or security module restrictions.
Consult documentation: MySQL's official documentation offers depth on specifics related to your MySQL version.
Consider server updates: Be cognizant of changes to AppArmor or security policies on updates and how they relate to MySQL.