The recent cPanel/WHM Restore Account root exploit drew my attention to system command execution in the MySQL client, so let me ask: did you know that you cannot prevent this behaviour? Seriously, there is no documented option to disable system command execution in the standard MySQL client. Well, at least you couldn't do it until now.

That exploit exists because the MySQL grants of the restored account were replayed through the mysql client as root, and the client's \! escape hands whatever follows it to a local shell. Whoever controls the restored SQL can therefore execute local commands as root (REALLY DANGEROUS), e.g.:

~ # cat test.sql 
SHOW DATABASES LIKE '%blablabla%' \! id -u
~ # mysql < test.sql 
0

As I said, there was no option to disable system commands, so I patched the client myself, e.g.:

╭─ ~/tmp/mariadb/mariadb-5.5.31-safe-client ‹ruby-2.0.0› 
╰─$ ./client/mysql -h '127.0.0.1' -e '\! id -u'
500
╭─ ~/tmp/mariadb/mariadb-5.5.31-safe-client ‹ruby-2.0.0› 
╰─$ sudo ./client/mysql -h '127.0.0.1' -e '\! id -u'
ERROR at line 1: Sorry, but you cannot execute commands as root user.
╭─ ~/tmp/mariadb/mariadb-5.5.31-safe-client ‹ruby-2.0.0› 
╰─$

Here is the patch:

Get the latest MariaDB 5.5 source and patch client/mysql.cc. Only the client changes, so you can use the patched mysql client against Oracle's MySQL Community Server as well. Please note that only the MariaDB mysql client is patched right now.
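The patch itself is not reproduced on this page, so here is an added, stand-alone model of the two things it needs to get right (this is my own illustration, not the MariaDB patch or any MariaDB code; the function names are assumptions). find_shell_escape() scans one input line the way the mysql client does, treating '...', "..." and `...` as string literals in which a backslash escapes the next character, and reports the offset of a \! escape or a leading "system" command; run_shell_escape() is the guarded handler, refusing to run when the client's effective uid is 0 and otherwise handing the command to the shell as the stock client does. The sample lines are constructed for the demo; the first is the one from test.sql above.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Case-insensitive test for the long-form "system" command at the start of
 * a line: the word must be followed by whitespace or end of line, so that
 * e.g. "systemd" is not matched. */
static int starts_with_system(const char *s)
{
    const char kw[] = "system";
    for (size_t k = 0; kw[k]; k++)
        if (tolower((unsigned char)s[k]) != kw[k])
            return 0;
    return s[6] == '\0' || isspace((unsigned char)s[6]);
}

/* Returns the offset of the first "\!" the mysql client would run as a shell
 * escape, or the offset of a leading "system" keyword, or -1 if the line
 * carries no shell escape. Inside '...', "..." and `...` a backslash escapes
 * the next character, so "\!" there is data, not a command. Assumption: this
 * is a detection aid, not a full parser; block comments are not modelled. */
int find_shell_escape(const char *line)
{
    size_t i = 0;
    char quote = 0;

    while (isspace((unsigned char)line[i]))
        i++;
    if (starts_with_system(line + i))
        return (int)i;

    for (; line[i]; i++) {
        char c = line[i];
        if (quote) {
            if (c == '\\' && line[i + 1]) { i++; continue; } /* escaped char */
            if (c == quote) quote = 0;
            continue;
        }
        if (c == '\'' || c == '"' || c == '`') { quote = c; continue; }
        if (c == '\\' && line[i + 1] == '!')
            return (int)i;
    }
    return -1;
}

/* The guard the patched client applies: no shell escapes when the client
 * itself runs as root (effective uid 0). */
int shell_escape_allowed(uid_t euid)
{
    return euid != 0;
}

/* Guarded handler for "\! cmd". Returns -1 when refused, otherwise the
 * status from system(), exactly like an unpatched client would. */
int run_shell_escape(const char *cmd, uid_t euid)
{
    if (!shell_escape_allowed(euid)) {
        fputs("ERROR: Sorry, but you cannot execute commands as root user.\n", stderr);
        return -1;
    }
    return system(cmd);
}

int main(void)
{
    /* Constructed sample input: the line from test.sql, a quoted look-alike
     * that the client would treat as data, and the long-form command. */
    const char *lines[] = {
        "SHOW DATABASES LIKE '%blablabla%' \\! id -u",
        "SELECT '\\! id -u'",
        "system id -u",
    };
    for (size_t n = 0; n < sizeof lines / sizeof lines[0]; n++) {
        int at = find_shell_escape(lines[n]);
        if (at < 0) {
            printf("no escape : %s\n", lines[n]);
            continue;
        }
        printf("shell esc : %s (offset %d)\n", lines[n], at);
        run_shell_escape("id -u", geteuid());   /* refused when run via sudo */
    }
    return 0;
}
```

Run it twice, once normally and once under sudo, to see the same split the patched client shows above: the escape is detected either way, but the command only runs as the unprivileged user. The scanner is useful for auditing a backup's SQL before a restore, but it is a heuristic, so treat the client-side guard as the actual fix.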

If you're using cPanel/WHM, put MariaDB in a separate directory such as /opt/mariadb, then patch and compile it there. Do not replace your MySQL installation unless you have a good reason. Then point the Cpanel::DbUtils module at the new client by editing /usr/local/cpanel/Cpanel/DbUtils.pm and changing this

#mysql client
sub find_mysql        { _find_bin('mysql'); }

To this

#mysql client
sub find_mysql        { "/opt/mariadb/client/mysql"; }

And that's it. Two caveats: cPanel updates can overwrite files under /usr/local/cpanel, so re-check the override in DbUtils.pm after each upgrade; and the patch only refuses the shell escape when the client runs as root, so the same SQL still runs commands as whatever unprivileged user invokes the client, as the "500" in the session above shows.