Bug#24707666: DEFAULT SETTING FOR SECURE-FILE-PRIV SHOULD BE

              RESTRICTED IN ALL GA RELEASES

Back port of WL#6782 to 5.5 and 5.6. This also includes
back port of Bug#20771331, Bug#20741572 and Bug#20770671.
Bug#24695274 and Bug#24679907 are also handled along with
this.

cmake/install_layout.cmake

-# Copyright (c) 2010, 2012, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2010, 2016, Oracle and/or its affiliates. All rights reserved.
 # 
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -22,7 +22,7 @@
 #    and relative links.  Windows zip uses the same tarball layout but without
 #    the build prefix.
 #
-#  RPM
+#  RPM, SLES
 #    Build as per default RPM layout, with prefix=/usr
 #    Note: The layout for ULN RPMs differs, see the "RPM" section.
 #
@@ -32,10 +32,22 @@
 #  SVR4
 #    Solaris package layout suitable for pkg* tools, prefix=/opt/mysql/mysql
 #
+#  FREEBSD, GLIBC, OSX, TARGZ
+#    Build with prefix=/usr/local/mysql, create tarball with install prefix="."
+#    and relative links.
+#
+#  WIN
+#     Windows zip : same as tarball layout but without the build prefix
+#
 # To force a directory layout, use -DINSTALL_LAYOUT=<layout>.
 #
 # The default is STANDALONE.
 #
+# Note : At present, RPM and SLES layouts are similar. This is also true
+#        for layouts like FREEBSD, GLIBC, OSX, TARGZ. However, they provide
+#        opportunity to fine-tune deployment for each platform without
+#        affecting all other types of deployment.
+#
 # There is the possibility to further fine-tune installation directories.
 # Several variables can be overwritten:
 #
@@ -60,6 +72,7 @@
 # - INSTALL_SUPPORTFILESDIR (various extra support files)
 #
 # - INSTALL_MYSQLDATADIR    (data directory)
+# - INSTALL_SECURE_FILE_PRIVDIR (--secure-file-priv directory)
 #
 # When changing this page,  _please_ do not forget to update public Wiki
 # http://forge.mysql.com/wiki/CMake#Fine-tuning_installation_paths
@@ -69,10 +82,11 @@ IF(NOT INSTALL_LAYOUT)
 ENDIF()
 
 SET(INSTALL_LAYOUT "${DEFAULT_INSTALL_LAYOUT}"
-CACHE STRING "Installation directory layout. Options are: STANDALONE (as in zip or tar.gz installer), RPM, DEB, SVR4")
+CACHE STRING "Installation directory layout. Options are: TARGZ (as in tar.gz installer), WIN (as in zip installer), STANDALONE, RPM, DEB, SVR4, FREEBSD, GLIBC, OSX, SLES")
 
 IF(UNIX)
-  IF(INSTALL_LAYOUT MATCHES "RPM")
+  IF(INSTALL_LAYOUT MATCHES "RPM" OR
+     INSTALL_LAYOUT MATCHES "SLES")
     SET(default_prefix "/usr")
   ELSEIF(INSTALL_LAYOUT MATCHES "DEB")
     SET(default_prefix "/opt/mysql/server-${MYSQL_BASE_VERSION}")
@@ -87,7 +101,7 @@ IF(UNIX)
     SET(CMAKE_INSTALL_PREFIX ${default_prefix}
       CACHE PATH "install prefix" FORCE)
   ENDIF()
-  SET(VALID_INSTALL_LAYOUTS "RPM" "STANDALONE" "DEB" "SVR4")
+  SET(VALID_INSTALL_LAYOUTS "RPM" "DEB" "SVR4" "FREEBSD" "GLIBC" "OSX" "TARGZ" "SLES" "STANDALONE")
   LIST(FIND VALID_INSTALL_LAYOUTS "${INSTALL_LAYOUT}" ind)
   IF(ind EQUAL -1)
     MESSAGE(FATAL_ERROR "Invalid INSTALL_LAYOUT parameter:${INSTALL_LAYOUT}."
@@ -99,6 +113,15 @@ IF(UNIX)
   MARK_AS_ADVANCED(SYSCONFDIR)
 ENDIF()
 
+IF(WIN32)
+  SET(VALID_INSTALL_LAYOUTS "TARGZ" "STANDALONE" "WIN")
+  LIST(FIND VALID_INSTALL_LAYOUTS "${INSTALL_LAYOUT}" ind)
+  IF(ind EQUAL -1)
+    MESSAGE(FATAL_ERROR "Invalid INSTALL_LAYOUT parameter:${INSTALL_LAYOUT}."
+    " Choose between ${VALID_INSTALL_LAYOUTS}" )
+  ENDIF()
+ENDIF()
+
 #
 # plugin_tests's value should not be used by imported plugins,
 # just use if(INSTALL_PLUGINTESTDIR).
@@ -109,6 +132,22 @@ FILE(GLOB plugin_tests
   ${CMAKE_SOURCE_DIR}/internal/plugin/*/tests
 )
 
+#
+# DEFAULT_SECURE_FILE_PRIV_DIR/DEFAULT_SECURE_FILE_PRIV_EMBEDDED_DIR
+#
+IF(INSTALL_LAYOUT MATCHES "STANDALONE" OR
+   INSTALL_LAYOUT MATCHES "WIN")
+  SET(secure_file_priv_path "NULL")
+ELSEIF(INSTALL_LAYOUT MATCHES "RPM" OR
+       INSTALL_LAYOUT MATCHES "SLES" OR
+       INSTALL_LAYOUT MATCHES "SVR4" OR
+       INSTALL_LAYOUT MATCHES "DEB")
+  SET(secure_file_priv_path "/var/lib/mysql-files")
+ELSE()
+  SET(secure_file_priv_path "${default_prefix}/mysql-files")
+ENDIF()
+SET(secure_file_priv_embedded_path "NULL")
+
 #
 # STANDALONE layout
 #
@@ -134,6 +173,148 @@ SET(INSTALL_SUPPORTFILESDIR_STANDALONE  "support-files")
 #
 SET(INSTALL_MYSQLDATADIR_STANDALONE     "data")
 SET(INSTALL_PLUGINTESTDIR_STANDALONE    ${plugin_tests})
+SET(INSTALL_SECURE_FILE_PRIVDIR_STANDALONE ${secure_file_priv_path})
+SET(INSTALL_SECURE_FILE_PRIV_EMBEDDEDDIR_STANDALONE ${secure_file_priv_embedded_path})
+
+#
+# WIN layout
+#
+SET(INSTALL_BINDIR_WIN           "bin")
+SET(INSTALL_SBINDIR_WIN          "bin")
+SET(INSTALL_SCRIPTDIR_WIN        "scripts")
+#
+SET(INSTALL_LIBDIR_WIN           "lib")
+SET(INSTALL_PLUGINDIR_WIN        "lib/plugin")
+#
+SET(INSTALL_INCLUDEDIR_WIN       "include")
+#
+SET(INSTALL_DOCDIR_WIN           "docs")
+SET(INSTALL_DOCREADMEDIR_WIN     ".")
+SET(INSTALL_MANDIR_WIN           "man")
+SET(INSTALL_INFODIR_WIN          "docs")
+#
+SET(INSTALL_SHAREDIR_WIN         "share")
+SET(INSTALL_MYSQLSHAREDIR_WIN    "share")
+SET(INSTALL_MYSQLTESTDIR_WIN     "mysql-test")
+SET(INSTALL_SQLBENCHDIR_WIN      ".")
+SET(INSTALL_SUPPORTFILESDIR_WIN  "support-files")
+#
+SET(INSTALL_MYSQLDATADIR_WIN     "data")
+SET(INSTALL_PLUGINTESTDIR_WIN    ${plugin_tests})
+SET(INSTALL_SECURE_FILE_PRIVDIR_WIN ${secure_file_priv_path})
+SET(INSTALL_SECURE_FILE_PRIV_EMBEDDEDDIR_WIN ${secure_file_priv_embedded_path})
+
+#
+# FREEBSD layout
+#
+SET(INSTALL_BINDIR_FREEBSD           "bin")
+SET(INSTALL_SBINDIR_FREEBSD          "bin")
+SET(INSTALL_SCRIPTDIR_FREEBSD        "scripts")
+#
+SET(INSTALL_LIBDIR_FREEBSD           "lib")
+SET(INSTALL_PLUGINDIR_FREEBSD        "lib/plugin")
+#
+SET(INSTALL_INCLUDEDIR_FREEBSD       "include")
+#
+SET(INSTALL_DOCDIR_FREEBSD           "docs")
+SET(INSTALL_DOCREADMEDIR_FREEBSD     ".")
+SET(INSTALL_MANDIR_FREEBSD           "man")
+SET(INSTALL_INFODIR_FREEBSD          "docs")
+#
+SET(INSTALL_SHAREDIR_FREEBSD         "share")
+SET(INSTALL_MYSQLSHAREDIR_FREEBSD    "share")
+SET(INSTALL_MYSQLTESTDIR_FREEBSD     "mysql-test")
+SET(INSTALL_SQLBENCHDIR_FREEBSD      ".")
+SET(INSTALL_SUPPORTFILESDIR_FREEBSD  "support-files")
+#
+SET(INSTALL_MYSQLDATADIR_FREEBSD     "data")
+SET(INSTALL_PLUGINTESTDIR_FREEBSD    ${plugin_tests})
+SET(INSTALL_SECURE_FILE_PRIVDIR_FREEBSD ${secure_file_priv_path})
+SET(INSTALL_SECURE_FILE_PRIV_EMBEDDEDDIR_FREEBSD ${secure_file_priv_embedded_path})
+
+#
+# GLIBC layout
+#
+SET(INSTALL_BINDIR_GLIBC           "bin")
+SET(INSTALL_SBINDIR_GLIBC          "bin")
+SET(INSTALL_SCRIPTDIR_GLIBC        "scripts")
+#
+SET(INSTALL_LIBDIR_GLIBC           "lib")
+SET(INSTALL_PLUGINDIR_GLIBC        "lib/plugin")
+#
+SET(INSTALL_INCLUDEDIR_GLIBC       "include")
+#
+SET(INSTALL_DOCDIR_GLIBC           "docs")
+SET(INSTALL_DOCREADMEDIR_GLIBC     ".")
+SET(INSTALL_MANDIR_GLIBC           "man")
+SET(INSTALL_INFODIR_GLIBC          "docs")
+#
+SET(INSTALL_SHAREDIR_GLIBC         "share")
+SET(INSTALL_MYSQLSHAREDIR_GLIBC    "share")
+SET(INSTALL_MYSQLTESTDIR_GLIBC     "mysql-test")
+SET(INSTALL_SQLBENCHDIR_GLIBC      ".")
+SET(INSTALL_SUPPORTFILESDIR_GLIBC  "support-files")
+#
+SET(INSTALL_MYSQLDATADIR_GLIBC     "data")
+SET(INSTALL_PLUGINTESTDIR_GLIBC    ${plugin_tests})
+SET(INSTALL_SECURE_FILE_PRIVDIR_GLIBC ${secure_file_priv_path})
+SET(INSTALL_SECURE_FILE_PRIV_EMBEDDEDDIR_GLIBC ${secure_file_priv_embedded_path})
+
+#
+# OSX layout
+#
+SET(INSTALL_BINDIR_OSX           "bin")
+SET(INSTALL_SBINDIR_OSX          "bin")
+SET(INSTALL_SCRIPTDIR_OSX        "scripts")
+#
+SET(INSTALL_LIBDIR_OSX           "lib")
+SET(INSTALL_PLUGINDIR_OSX        "lib/plugin")
+#
+SET(INSTALL_INCLUDEDIR_OSX       "include")
+#
+SET(INSTALL_DOCDIR_OSX           "docs")
+SET(INSTALL_DOCREADMEDIR_OSX     ".")
+SET(INSTALL_MANDIR_OSX           "man")
+SET(INSTALL_INFODIR_OSX          "docs")
+#
+SET(INSTALL_SHAREDIR_OSX         "share")
+SET(INSTALL_MYSQLSHAREDIR_OSX    "share")
+SET(INSTALL_MYSQLTESTDIR_OSX     "mysql-test")
+SET(INSTALL_SQLBENCHDIR_OSX      ".")
+SET(INSTALL_SUPPORTFILESDIR_OSX  "support-files")
+#
+SET(INSTALL_MYSQLDATADIR_OSX     "data")
+SET(INSTALL_PLUGINTESTDIR_OSX    ${plugin_tests})
+SET(INSTALL_SECURE_FILE_PRIVDIR_OSX ${secure_file_priv_path})
+SET(INSTALL_SECURE_FILE_PRIV_EMBEDDEDDIR_OSX ${secure_file_priv_embedded_path})
+
+#
+# TARGZ layout
+#
+SET(INSTALL_BINDIR_TARGZ           "bin")
+SET(INSTALL_SBINDIR_TARGZ          "bin")
+SET(INSTALL_SCRIPTDIR_TARGZ        "scripts")
+#
+SET(INSTALL_LIBDIR_TARGZ           "lib")
+SET(INSTALL_PLUGINDIR_TARGZ        "lib/plugin")
+#
+SET(INSTALL_INCLUDEDIR_TARGZ       "include")
+#
+SET(INSTALL_DOCDIR_TARGZ           "docs")
+SET(INSTALL_DOCREADMEDIR_TARGZ     ".")
+SET(INSTALL_MANDIR_TARGZ           "man")
+SET(INSTALL_INFODIR_TARGZ          "docs")
+#
+SET(INSTALL_SHAREDIR_TARGZ         "share")
+SET(INSTALL_MYSQLSHAREDIR_TARGZ    "share")
+SET(INSTALL_MYSQLTESTDIR_TARGZ     "mysql-test")
+SET(INSTALL_SQLBENCHDIR_TARGZ      ".")
+SET(INSTALL_SUPPORTFILESDIR_TARGZ  "support-files")
+#
+SET(INSTALL_MYSQLDATADIR_TARGZ     "data")
+SET(INSTALL_PLUGINTESTDIR_TARGZ    ${plugin_tests})
+SET(INSTALL_SECURE_FILE_PRIVDIR_TARGZ ${secure_file_priv_path})
+SET(INSTALL_SECURE_FILE_PRIV_EMBEDDEDDIR_TARGZ ${secure_file_priv_embedded_path})
 
 #
 # RPM layout
@@ -169,6 +350,41 @@ SET(INSTALL_SUPPORTFILESDIR_RPM         "share/mysql")
 #
 SET(INSTALL_MYSQLDATADIR_RPM            "/var/lib/mysql")
 SET(INSTALL_PLUGINTESTDIR_RPM           ${plugin_tests})
+SET(INSTALL_SECURE_FILE_PRIVDIR_RPM     ${secure_file_priv_path})
+SET(INSTALL_SECURE_FILE_PRIV_EMBEDDEDDIR_RPM     ${secure_file_priv_embedded_path})
+
+#
+# SLES layout
+#
+SET(INSTALL_BINDIR_SLES                  "bin")
+SET(INSTALL_SBINDIR_SLES                 "sbin")
+SET(INSTALL_SCRIPTDIR_SLES               "bin")
+#
+IF(CMAKE_SYSTEM_PROCESSOR MATCHES "x86_64")
+  SET(INSTALL_LIBDIR_SLES                "lib64")
+  SET(INSTALL_PLUGINDIR_SLES             "lib64/mysql/plugin")
+ELSE()
+  SET(INSTALL_LIBDIR_SLES                "lib")
+  SET(INSTALL_PLUGINDIR_SLES             "lib/mysql/plugin")
+ENDIF()
+#
+SET(INSTALL_INCLUDEDIR_SLES              "include/mysql")
+#
+#SET(INSTALL_DOCDIR_SLES                 unset - installed directly by SLES)
+#SET(INSTALL_DOCREADMEDIR_SLES           unset - installed directly by SLES)
+SET(INSTALL_INFODIR_SLES                 "share/info")
+SET(INSTALL_MANDIR_SLES                  "share/man")
+#
+SET(INSTALL_SHAREDIR_SLES                "share")
+SET(INSTALL_MYSQLSHAREDIR_SLES           "share/mysql")
+SET(INSTALL_MYSQLTESTDIR_SLES            "share/mysql-test")
+SET(INSTALL_SQLBENCHDIR_SLES             "")
+SET(INSTALL_SUPPORTFILESDIR_SLES         "share/mysql")
+#
+SET(INSTALL_MYSQLDATADIR_SLES            "/var/lib/mysql")
+SET(INSTALL_PLUGINTESTDIR_SLES           ${plugin_tests})
+SET(INSTALL_SECURE_FILE_PRIVDIR_SLES     ${secure_file_priv_path})
+SET(INSTALL_SECURE_FILE_PRIV_EMBEDDEDDIR_SLES     ${secure_file_priv_embedded_path})
 
 #
 # DEB layout
@@ -193,8 +409,10 @@ SET(INSTALL_MYSQLTESTDIR_DEB            "mysql-test")
 SET(INSTALL_SQLBENCHDIR_DEB             ".")
 SET(INSTALL_SUPPORTFILESDIR_DEB         "support-files")
 #
-SET(INSTALL_MYSQLDATADIR_DEB            "data")
+SET(INSTALL_MYSQLDATADIR_DEB            "/var/lib/mysql")
 SET(INSTALL_PLUGINTESTDIR_DEB           ${plugin_tests})
+SET(INSTALL_SECURE_FILE_PRIVDIR_DEB     ${secure_file_priv_path})
+SET(INSTALL_SECURE_FILE_PRIV_EMBEDDEDDIR_DEB     ${secure_file_priv_embedded_path})
 
 #
 # SVR4 layout
@@ -221,7 +439,8 @@ SET(INSTALL_SUPPORTFILESDIR_SVR4        "support-files")
 #
 SET(INSTALL_MYSQLDATADIR_SVR4           "/var/lib/mysql")
 SET(INSTALL_PLUGINTESTDIR_SVR4          ${plugin_tests})
-
+SET(INSTALL_SECURE_FILE_PRIVDIR_SVR4    ${secure_file_priv_path})
+SET(INSTALL_SECURE_FILE_PRIV_EMBEDDEDDIR_SVR4    ${secure_file_priv_embedded_path})
 
 # Clear cached variables if install layout was changed
 IF(OLD_INSTALL_LAYOUT)
@@ -235,8 +454,29 @@ SET(OLD_INSTALL_LAYOUT ${INSTALL_LAYOUT} CACHE INTERNAL "")
 # will be defined  as ${INSTALL_BINDIR_STANDALONE} by default if STANDALONE
 # layout is chosen)
 FOREACH(var BIN SBIN LIB MYSQLSHARE SHARE PLUGIN INCLUDE SCRIPT DOC MAN
-  INFO MYSQLTEST SQLBENCH DOCREADME SUPPORTFILES MYSQLDATA PLUGINTEST)
+  INFO MYSQLTEST SQLBENCH DOCREADME SUPPORTFILES MYSQLDATA PLUGINTEST
+  SECURE_FILE_PRIV SECURE_FILE_PRIV_EMBEDDED)
   SET(INSTALL_${var}DIR  ${INSTALL_${var}DIR_${INSTALL_LAYOUT}}
   CACHE STRING "${var} installation directory" ${FORCE})
   MARK_AS_ADVANCED(INSTALL_${var}DIR)
 ENDFOREACH()
+
+#
+# Set DEFAULT_SECURE_FILE_PRIV_DIR
+# This is used as default value for --secure-file-priv
+#
+IF(INSTALL_SECURE_FILE_PRIVDIR)
+  SET(DEFAULT_SECURE_FILE_PRIV_DIR "\"${INSTALL_SECURE_FILE_PRIVDIR}\""
+      CACHE INTERNAL "default --secure-file-priv directory" FORCE)
+ELSE()
+  SET(DEFAULT_SECURE_FILE_PRIV_DIR \"\"
+      CACHE INTERNAL "default --secure-file-priv directory" FORCE)
+ENDIF()
+
+IF(INSTALL_SECURE_FILE_PRIV_EMBEDDEDDIR)
+  SET(DEFAULT_SECURE_FILE_PRIV_EMBEDDED_DIR "\"${INSTALL_SECURE_FILE_PRIV_EMBEDDEDDIR}\""
+    CACHE INTERNAL "default --secure-file-priv directory (for embedded library)" FORCE)
+ELSE()
+  SET(DEFAULT_SECURE_FILE_PRIV_EMBEDDED_DIR "NULL"
+    CACHE INTERNAL "default --secure-file-priv directory (for embedded library)" FORCE)
+ENDIF()

config.h.cmake

@@ -624,4 +624,8 @@
 #cmakedefine SIZEOF_TIME_T @SIZEOF_TIME_T@
 #cmakedefine TIME_T_UNSIGNED @TIME_T_UNSIGNED@
 
+/* For --secure-file-priv */
+#cmakedefine DEFAULT_SECURE_FILE_PRIV_DIR @DEFAULT_SECURE_FILE_PRIV_DIR@
+#cmakedefine DEFAULT_SECURE_FILE_PRIV_EMBEDDED_DIR @DEFAULT_SECURE_FILE_PRIV_EMBEDDED_DIR@
+
 #endif

mysql-test/include/mtr_warnings.sql

--- Copyright (c) 2008, 2011, Oracle and/or its affiliates. All rights reserved.
+-- Copyright (c) 2008, 2016, Oracle and/or its affiliates. All rights reserved.
 --
 -- This program is free software; you can redistribute it and/or modify
 -- it under the terms of the GNU General Public License as published by
@@ -204,6 +204,11 @@ INSERT INTO global_suppressions VALUES
   */
  ("Found lock of type 6 that is write and read locked"),
 
+ /*
+  Warnings related to --secure-file-priv
+ */
+ ("Insecure configuration for --secure-file-priv:*"),
+
  ("THE_LAST_SUPPRESSION")||
 
 

mysql-test/include/mysqld--help.inc

@@ -18,7 +18,8 @@ perl;
   # their paths may vary:
   @skipvars=qw/basedir open-files-limit general-log-file log plugin-dir
                log-slow-queries pid-file slow-query-log-file
-			   datadir slave-load-tmpdir tmpdir socket/;
+			   datadir slave-load-tmpdir tmpdir socket
+			   secure-file-priv/;
 
   # Plugins which may or may not be there:
   @plugins=qw/innodb ndb archive blackhole federated partition ndbcluster debug temp-pool ssl des-key-file

mysql-test/mysql-test-run.pl

 #!/usr/bin/perl
 # -*- cperl -*-
 
-# Copyright (c) 2004, 2015, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -1823,6 +1823,7 @@ sub collect_mysqld_features {
   mtr_init_args(\$args);
   mtr_add_arg($args, "--no-defaults");
   mtr_add_arg($args, "--datadir=%s", mixed_path($tmpdir));
+  mtr_add_arg($args, "--secure-file-priv=\"\"");
   mtr_add_arg($args, "--lc-messages-dir=%s", $path_language);
   mtr_add_arg($args, "--skip-grant-tables");
   mtr_add_arg($args, "--verbose");
@@ -3297,6 +3298,7 @@ sub mysql_install_db {
   mtr_add_arg($args, "--loose-skip-falcon");
   mtr_add_arg($args, "--loose-skip-ndbcluster");
   mtr_add_arg($args, "--tmpdir=%s", "$opt_vardir/tmp/");
+  mtr_add_arg($args, "--secure-file-priv=%s", "$opt_vardir");
   mtr_add_arg($args, "--core-file");
 
   if ( $opt_debug )

mysql-test/r/mysqld--help-notwin.result

@@ -923,7 +923,6 @@ report-user (No default value)
 rpl-recovery-rank 0
 safe-user-create FALSE
 secure-auth FALSE
-secure-file-priv (No default value)
 server-id 0
 show-slave-auth-info FALSE
 skip-grant-tables TRUE

mysql-test/r/mysqld--help-win.result

@@ -931,7 +931,6 @@ report-user (No default value)
 rpl-recovery-rank 0
 safe-user-create FALSE
 secure-auth FALSE
-secure-file-priv (No default value)
 server-id 0
 shared-memory FALSE
 shared-memory-base-name MYSQL

mysql-test/suite/auth_sec/r/secure_file_priv_error.result

+#-----------------------------------------------------------------------
+# Setup
+# Try to restart server with invalid value for --secure-file-priv
+# Search for : Failed to access directory for --secure-file-priv.
+# Restart completed.
+# Restart
+#-----------------------------------------------------------------------

mysql-test/suite/auth_sec/r/secure_file_priv_null.result

+#-----------------------------------------------------------------------
+# Setup
+#-----------------------------------------------------------------------
+# Search for : --secure-file-priv is set to NULL. Operations
+#              related to importing and exporting data are
+#              disabled
+show variables like 'secure_file_priv';
+Variable_name	Value
+secure_file_priv	null
+use test;
+drop table if exists secure_file_priv_test_null;
+create table secure_file_priv_test_null(c1 int);
+insert into secure_file_priv_test_null values (1), (2), (3), (4);
+select * from secure_file_priv_test_null into outfile 'blah';
+ERROR HY000: The MySQL server is running with the --secure-file-priv option so it cannot execute this statement
+select * from secure_file_priv_test_null into outfile 'null/blah';
+ERROR HY000: The MySQL server is running with the --secure-file-priv option so it cannot execute this statement
+drop table secure_file_priv_test_null;
+#-----------------------------------------------------------------------
+# Clean-up
+#-----------------------------------------------------------------------

mysql-test/suite/auth_sec/r/secure_file_priv_warnings.result

+#-----------------------------------------------------------------------
+# Setup
+#-----------------------------------------------------------------------
+# Search for : Insecure configuration for --secure-file-priv: Current
+#              value does not restrict location of generated files.
+#              Consider setting it to a valid, non-empty path.
+SHOW VARIABLES LIKE 'secure_file_priv';
+Variable_name	Value
+secure_file_priv	
+#-----------------------------------------------------------------------
+# Restart completed.
+# Search for : Insecure configuration for --secure-file-priv: Plugin
+#              directory is accessible through --secure-file-priv.
+#              Consider choosing a different directory.
+#-----------------------------------------------------------------------
+# Clean-up
+#-----------------------------------------------------------------------

mysql-test/suite/auth_sec/r/secure_file_priv_warnings_not_win.result

+#-----------------------------------------------------------------------
+# Search for : Insecure configuration for --secure-file-priv: Data
+#              directory is accessible through --secure-file-priv.
+#              Consider choosing a different directory.
+#-----------------------------------------------------------------------
+# Search for : Insecure configuration for --secure-file-priv: Location
+#              is accessible to all OS users. Consider choosing a
+#              different directory.
+#-----------------------------------------------------------------------

mysql-test/suite/auth_sec/r/secure_file_priv_warnings_win.result

+#-----------------------------------------------------------------------
+# Test 2 : Restarting mysqld with :
+#          --secure-file-priv=MYSQLTEST_VARDIR/mysqld.1/Data
+# Restart completed.
+# Search for : Insecure configuration for --secure-file-priv: Data
+#              directory is accessible through --secure-file-priv.
+#              Consider choosing a different directory.
+#-----------------------------------------------------------------------

mysql-test/suite/auth_sec/t/secure_file_priv_error.test

+--source include/no_valgrind_without_big.inc
+--source include/not_embedded.inc
+
+--echo #-----------------------------------------------------------------------
+--echo # Setup
+let restart_log= $MYSQLTEST_VARDIR/log/my_restart.err;
+let SEARCH_FILE= $restart_log;
+let $restart_file= $MYSQLTEST_VARDIR/tmp/mysqld.1.expect;
+
+--echo # Try to restart server with invalid value for --secure-file-priv
+--exec echo "wait" > $restart_file
+--shutdown_server
+--source include/wait_until_disconnected.inc
+
+--error 0,1
+--remove_file $restart_log
+# Following should fail
+--error 1
+--exec $MYSQLD_CMD --secure-file-priv=blahblahblah --loose-console > $restart_log 2>&1
+
+--echo # Search for : Failed to access directory for --secure-file-priv.
+let SEARCH_PATTERN= Failed to access directory for --secure-file-priv;
+--source include/search_pattern_in_file.inc
+
+--remove_file $restart_log
+
+--source include/wait_until_disconnected.inc
+# Dummy argument for restart
+--exec echo "restart:" > $MYSQLTEST_VARDIR/tmp/mysqld.1.expect
+--enable_reconnect
+--source include/wait_until_connected_again.inc
+--disable_reconnect
+--echo # Restart completed.
+
+--echo # Restart
+--disable_warnings
+--source include/force_restart.inc
+--enable_warnings
+--echo #-----------------------------------------------------------------------

mysql-test/suite/auth_sec/t/secure_file_priv_null-master.opt

+--secure-file-priv=null

mysql-test/suite/auth_sec/t/secure_file_priv_null.test

+--source include/no_valgrind_without_big.inc
+--source include/not_embedded.inc
+
+--echo #-----------------------------------------------------------------------
+--echo # Setup
+let server_log= $MYSQLTEST_VARDIR/log/mysqld.1.err;
+let SEARCH_FILE= $server_log;
+let $restart_file= $MYSQLTEST_VARDIR/tmp/mysqld.1.expect;
+--echo #-----------------------------------------------------------------------
+
+--echo # Search for : --secure-file-priv is set to NULL. Operations
+--echo #              related to importing and exporting data are
+--echo #              disabled
+let SEARCH_PATTERN= --secure-file-priv is set to NULL. Operations related to importing and exporting data are disabled;
+--source include/search_pattern_in_file.inc
+
+connect(test4_con,localhost,root,,,,,);
+show variables like 'secure_file_priv';
+
+use test;
+--disable_warnings
+drop table if exists secure_file_priv_test_null;
+--enable_warnings
+create table secure_file_priv_test_null(c1 int);
+insert into secure_file_priv_test_null values (1), (2), (3), (4);
+--error 1290
+select * from secure_file_priv_test_null into outfile 'blah';
+--error 1290
+select * from secure_file_priv_test_null into outfile 'null/blah';
+drop table secure_file_priv_test_null;
+
+connection default;
+disconnect test4_con;
+
+--echo #-----------------------------------------------------------------------
+
+--echo # Clean-up
+--disable_warnings
+--source include/force_restart.inc
+--enable_warnings
+
+--echo #-----------------------------------------------------------------------

mysql-test/suite/auth_sec/t/secure_file_priv_warnings-master.opt

+--secure-file-priv=""

mysql-test/suite/auth_sec/t/secure_file_priv_warnings.test

+--source include/no_valgrind_without_big.inc
+--source include/not_embedded.inc
+
+--echo #-----------------------------------------------------------------------
+--echo # Setup
+let server_log= $MYSQLTEST_VARDIR/log/mysqld.1.err;
+let SEARCH_FILE= $server_log;
+let $restart_file= $MYSQLTEST_VARDIR/tmp/mysqld.1.expect;
+let PLUGIN_DIR= $MYSQLTEST_VARDIR/tmp;
+--echo #-----------------------------------------------------------------------
+
+--echo # Search for : Insecure configuration for --secure-file-priv: Current
+--echo #              value does not restrict location of generated files.
+--echo #              Consider setting it to a valid, non-empty path.
+let SEARCH_PATTERN= Insecure configuration for --secure-file-priv: Current value does not restrict location of generated files. Consider setting it to a valid, non-empty path.;
+--source include/search_pattern_in_file.inc
+
+# Must show empty string
+SHOW VARIABLES LIKE 'secure_file_priv';
+
+--echo #-----------------------------------------------------------------------
+
+let $restart_file= $MYSQLTEST_VARDIR/tmp/mysqld.1.expect;
+--exec echo "wait" > $restart_file
+--shutdown_server
+--source include/wait_until_disconnected.inc
+--remove_file $server_log
+--exec echo "restart:--plugin-dir=$PLUGIN_DIR --secure-file-priv=$PLUGIN_DIR" > $MYSQLTEST_VARDIR/tmp/mysqld.1.expect
+--enable_reconnect
+--source include/wait_until_connected_again.inc
+--disable_reconnect
+--echo # Restart completed.
+
+--echo # Search for : Insecure configuration for --secure-file-priv: Plugin
+--echo #              directory is accessible through --secure-file-priv.
+--echo #              Consider choosing a different directory.
+let SEARCH_PATTERN= Insecure configuration for --secure-file-priv: Plugin directory is accessible through --secure-file-priv. Consider choosing a different directory.;
+--source include/search_pattern_in_file.inc
+
+--echo #-----------------------------------------------------------------------
+
+--echo # Clean-up
+--disable_warnings
+--source include/force_restart.inc
+--enable_warnings
+
+--echo #-----------------------------------------------------------------------

mysql-test/suite/auth_sec/t/secure_file_priv_warnings_not_win.test

+--source include/no_valgrind_without_big.inc
+--source include/not_windows.inc
+--source include/not_embedded.inc
+
+let server_log= $MYSQLTEST_VARDIR/log/mysqld.1.err;
+let SEARCH_FILE= $server_log;
+
+--echo #-----------------------------------------------------------------------
+
+--echo # Search for : Insecure configuration for --secure-file-priv: Data
+--echo #              directory is accessible through --secure-file-priv.
+--echo #              Consider choosing a different directory.
+let SEARCH_PATTERN= Insecure configuration for --secure-file-priv: Data directory is accessible through --secure-file-priv. Consider choosing a different directory.;
+--source include/search_pattern_in_file.inc
+
+--echo #-----------------------------------------------------------------------
+
+--echo # Search for : Insecure configuration for --secure-file-priv: Location
+--echo #              is accessible to all OS users. Consider choosing a
+--echo #              different directory.
+let SEARCH_PATTERN= Insecure configuration for --secure-file-priv: Location is accessible to all OS users. Consider choosing a different directory.;
+--source include/search_pattern_in_file.inc
+
+--echo #-----------------------------------------------------------------------

mysql-test/suite/auth_sec/t/secure_file_priv_warnings_win.test

+--source include/no_valgrind_without_big.inc
+--source include/windows.inc
+--source include/not_embedded.inc
+
+let server_log= $MYSQLTEST_VARDIR/log/mysqld.1.err;
+let SEARCH_FILE= $server_log;
+
+--echo #-----------------------------------------------------------------------
+
+--echo # Test 2 : Restarting mysqld with :
+--echo #          --secure-file-priv=MYSQLTEST_VARDIR/mysqld.1/Data
+
+let $restart_file= $MYSQLTEST_VARDIR/tmp/mysqld.1.expect;
+--exec echo "wait" > $restart_file
+--shutdown_server
+--source include/wait_until_disconnected.inc
+--error 0,1
+--remove_file $server_log
+--exec echo "restart: --secure-file-priv=$MYSQLTEST_VARDIR/mysqld.1/Data" > $MYSQLTEST_VARDIR/tmp/mysqld.1.expect
+--enable_reconnect
+--source include/wait_until_connected_again.inc
+--disable_reconnect
+--echo # Restart completed.
+
+--echo # Search for : Insecure configuration for --secure-file-priv: Data
+--echo #              directory is accessible through --secure-file-priv.
+--echo #              Consider choosing a different directory.
+let SEARCH_PATTERN= Insecure configuration for --secure-file-priv: Data directory is accessible through --secure-file-priv. Consider choosing a different directory.;
+--source include/search_pattern_in_file.inc
+
+--disable_warnings
+--source include/force_restart.inc
+--enable_warnings
+
+--echo #-----------------------------------------------------------------------

packaging/rpm-oel/mysql-systemd-start

@@ -30,6 +30,12 @@ install_db () {
     if [ -x /usr/sbin/restorecon ]; then
         /usr/sbin/restorecon "$datadir"
         /usr/sbin/restorecon $log
+        for dir in /var/lib/mysql-files ; do
+            if [ -x /usr/sbin/semanage -a -d /var/lib/mysql -a -d $dir ] ; then
+		/usr/sbin/semanage fcontext -a -e /var/lib/mysql $dir >/dev/null 2>&1
+		/sbin/restorecon $dir
+	    fi
+	done
     fi
 
     # If special mysql dir is in place, skip db install 

packaging/rpm-oel/mysql.init

@@ -82,7 +82,15 @@ start(){
 	    fi
 	    chown mysql:mysql "$datadir"
 	    chmod 0755 "$datadir"
-	    [ -x /sbin/restorecon ] && /sbin/restorecon "$datadir"
+	    if [ -x /sbin/restorecon ]; then
+		/sbin/restorecon "$datadir"
+		for dir in /var/lib/mysql-files ; do
+		    if [ -x /usr/sbin/semanage -a -d /var/lib/mysql -a -d $dir ] ; then
+			/usr/sbin/semanage fcontext -a -e /var/lib/mysql $dir >/dev/null 2>&1
+			/sbin/restorecon $dir
+		    fi
+		done
+	    fi
 	    # Now create the database
 	    action $"Initializing MySQL database: " /usr/bin/mysql_install_db --rpm --datadir="$datadir" --user=mysql
 	    ret=$?

packaging/rpm-oel/mysql.spec.in

@@ -560,6 +560,7 @@ MBD=$RPM_BUILD_DIR/%{src_dir}
 install -d -m 0755 %{buildroot}%{_datadir}/mysql/SELinux/RHEL4
 install -d -m 0755 %{buildroot}/var/lib/mysql
 install -d -m 0755 %{buildroot}/var/run/mysqld
+install -d -m 0750 %{buildroot}/var/lib/mysql-files
 
 # Install all binaries
 cd $MBD/release
@@ -790,6 +791,7 @@ fi
 %attr(644, root, root) %config(noreplace,missingok) %{_sysconfdir}/logrotate.d/mysql
 %dir %attr(755, mysql, mysql) /var/lib/mysql
 %dir %attr(755, mysql, mysql) /var/run/mysqld
+%dir %attr(750, mysql, mysql) /var/lib/mysql-files
 
 %files common
 %defattr(-, root, root, -)
@@ -916,6 +918,9 @@ fi
 %endif
 
 %changelog
+* Mon Sep 26 2016 Balasubramanian Kandasamy <balasubramanian.kandasamy@oracle.com> - 5.5.53-1
+- Include mysql-files directory
+
 * Tue Jul 05 2016 Balasubramanian Kandasamy <balasubramanian.kandasamy@oracle.com> - 5.5.51-1
 - Remove mysql_config from client subpackage
 

packaging/rpm-sles/mysql.spec.in

@@ -425,6 +425,7 @@ MBD=$RPM_BUILD_DIR/%{src_dir}
 install -d -m 0755 %{buildroot}/var/lib/mysql
 install -d -m 0755 %{buildroot}/var/run/mysql
 install -d -m 0750 %{buildroot}/var/log/mysql
+install -d -m 0750 %{buildroot}/var/lib/mysql-files
 
 # Install all binaries
 cd $MBD/release
@@ -638,6 +639,7 @@ fi
 %dir %attr(755, mysql, mysql) /var/lib/mysql
 %dir %attr(755, mysql, mysql) /var/run/mysql
 %dir %attr(750, mysql, mysql) /var/log/mysql
+%dir %attr(750, mysql, mysql) /var/lib/mysql-files
 
 %files common
 %defattr(-, root, root, -)
@@ -783,6 +785,9 @@ fi
 %attr(755, root, root) %{_libdir}/mysql/libmysqld.so
 
 %changelog
+* Mon Sep 26 2016 Balasubramanian Kandasamy <balasubramanian.kandasamy@oracle.com> - 5.5.53-1
+- Include mysql-files directory
+
 * Tue Sep 29 2015 Balasubramanian Kandasamy <balasubramanian.kandasamy@oracle.com> - 5.5.47-1
 - Added conflicts to mysql-connector-c-shared dependencies
 

packaging/solaris/postinstall-solaris.sh

 #!/bin/sh
 #
-# Copyright (c) 2008, 2013, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2008, 2016, Oracle and/or its affiliates. All rights reserved.
 # 
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -26,6 +26,7 @@ mygroup=mysql
 myuser=mysql
 mydatadir=/var/lib/mysql
 basedir=@@basedir@@
+mysecurefiledir=/var/lib/mysql-files
 
 if [ -n "$BASEDIR" ] ; then
   basedir="$BASEDIR"
@@ -58,6 +59,11 @@ fi
 
 chown -R $myuser:$mygroup $mydatadir
 
+# Create securefile directory
+[ -d "$mysecurefiledir"  ] || mkdir -p -m 770 "$mysecurefiledir"      || exit 1
+chown -R $myuser:$mygroup $mysecurefiledir
+
+
 # Solaris patch 119255 (somewhere around revision 42) changes the behaviour
 # of pkgadd to set TMPDIR internally to a root-owned install directory.  This
 # has the unfortunate side effect of breaking running mysql_install_db with

sql/mysqld.cc

@@ -570,6 +570,7 @@ uint mysql_real_data_home_len, mysql_data_home_len= 1;
 uint reg_ext_length;
 const key_map key_map_empty(0);
 key_map key_map_full(0);                        // Will be initialized later
+char secure_file_real_path[FN_REFLEN];
 
 DATE_TIME_FORMAT global_date_format, global_datetime_format, global_time_format;
 Time_zone *default_tz;
@@ -7613,9 +7614,9 @@ bool is_secure_file_path(char *path)
   char buff1[FN_REFLEN], buff2[FN_REFLEN];
   size_t opt_secure_file_priv_len;
   /*
-    All paths are secure if opt_secure_file_path is 0
+    All paths are secure if opt_secure_file_priv is 0
   */
-  if (!opt_secure_file_priv)
+  if (!opt_secure_file_priv[0])
     return TRUE;
 
   opt_secure_file_priv_len= strlen(opt_secure_file_priv);
@@ -7623,6 +7624,9 @@ bool is_secure_file_path(char *path)
   if (strlen(path) >= FN_REFLEN)
     return FALSE;
 
+  if (!my_strcasecmp(system_charset_info, opt_secure_file_priv, "NULL"))
+    return FALSE;
+
   if (my_realpath(buff1, path, 0))
   {
     /*
@@ -7655,9 +7659,184 @@ bool is_secure_file_path(char *path)
 }
 
 
+/**
+  check_secure_file_priv_path : Checks path specified through
+  --secure-file-priv and raises warning in following cases:
+  1. If path is empty string or NULL and mysqld is not running
+     with --bootstrap mode.
+  2. If path can access data directory
+  3. If path points to a directory which is accessible by
+     all OS users (non-Windows build only)
+
+  It throws error in following cases:
+
+  1. If path normalization fails
+  2. If it can not get stats of the directory
+
+  @params NONE
+
+  Assumptions :
+  1. Data directory path has been normalized
+  2. opt_secure_file_priv has been normalized unless it is set
+     to "NULL".
+
+  @returns Status of validation
+    @retval true : Validation is successful with/without warnings
+    @retval false : Validation failed. Error is raised.
+*/
+
+bool check_secure_file_priv_path()
+{
+  char datadir_buffer[FN_REFLEN+1]={0};
+  char plugindir_buffer[FN_REFLEN+1]={0};
+  char whichdir[20]= {0};
+  size_t opt_plugindir_len= 0;
+  size_t opt_datadir_len= 0;
+  size_t opt_secure_file_priv_len= 0;
+  bool warn= false;
+  bool case_insensitive_fs;
+#ifndef _WIN32
+  MY_STAT dir_stat;
+#endif
+
+  if (!opt_secure_file_priv[0])
+  {
+    if (opt_bootstrap)
+    {
+      /*
+        Do not impose --secure-file-priv restriction
+        in --bootstrap mode
+      */
+      sql_print_information("Ignoring --secure-file-priv value as server is "
+                            "running with --bootstrap.");
+    }
+    else
+    {
+      sql_print_warning("Insecure configuration for --secure-file-priv: "
+                        "Current value does not restrict location of generated "
+                        "files. Consider setting it to a valid, "
+                        "non-empty path.");
+    }
+    return true;
+  }
+
+  /*
+    Setting --secure-file-priv to NULL would disable
+    reading/writing from/to file
+  */
+  if(!my_strcasecmp(system_charset_info, opt_secure_file_priv, "NULL"))
+  {
+    sql_print_information("--secure-file-priv is set to NULL. "
+                          "Operations related to importing and exporting "
+                          "data are disabled");
+    return true;
+  }
+
+  /*
+    Check if --secure-file-priv can access data directory
+  */
+  opt_secure_file_priv_len= strlen(opt_secure_file_priv);
+
+  /*
+    Adds dir seperator at the end.
+    This is required in subsequent comparison
+  */
+  convert_dirname(datadir_buffer, mysql_unpacked_real_data_home, NullS);
+  opt_datadir_len= strlen(datadir_buffer);
+
+  case_insensitive_fs=
+    (test_if_case_insensitive(datadir_buffer) == 1);
+
+  if (!case_insensitive_fs)
+  {
+    if (!strncmp(datadir_buffer, opt_secure_file_priv,
+          opt_datadir_len < opt_secure_file_priv_len ?
+          opt_datadir_len : opt_secure_file_priv_len))
+    {
+      warn= true;
+      strcpy(whichdir, "Data directory");
+    }
+  }
+  else
+  {
+    if (!files_charset_info->coll->strnncoll(files_charset_info,
+          (uchar *) datadir_buffer,
+          opt_datadir_len,
+          (uchar *) opt_secure_file_priv,
+          opt_secure_file_priv_len,
+          TRUE))
+    {
+      warn= true;
+      strcpy(whichdir, "Data directory");
+    }
+  }
+
+  /*
+    Don't bother comparing --secure-file-priv with --plugin-dir
+    if we already have a match against --datadir or
+    --plugin-dir is not pointing to a valid directory.
+  */
+  if (!warn && !my_realpath(plugindir_buffer, opt_plugin_dir, 0))
+  {
+    convert_dirname(plugindir_buffer, plugindir_buffer, NullS);
+    opt_plugindir_len= strlen(plugindir_buffer);
+
+    if (!case_insensitive_fs)
+    {
+      if (!strncmp(plugindir_buffer, opt_secure_file_priv,
+          opt_plugindir_len < opt_secure_file_priv_len ?
+          opt_plugindir_len : opt_secure_file_priv_len))
+      {
+        warn= true;
+        strcpy(whichdir, "Plugin directory");
+      }
+    }
+    else
+    {
+      if (!files_charset_info->coll->strnncoll(files_charset_info,
+          (uchar *) plugindir_buffer,
+          opt_plugindir_len,
+          (uchar *) opt_secure_file_priv,
+          opt_secure_file_priv_len,
+          TRUE))
+      {
+        warn= true;
+        strcpy(whichdir, "Plugin directory");
+      }
+    }
+  }
+
+
+  if (warn)
+    sql_print_warning("Insecure configuration for --secure-file-priv: "
+                      "%s is accessible through "
+                      "--secure-file-priv. Consider choosing a different "
+                      "directory.", whichdir);
+
+#ifndef _WIN32
+  /*
+     Check for --secure-file-priv directory's permission
+  */
+  if (!(my_stat(opt_secure_file_priv, &dir_stat, MYF(0))))
+  {
+    sql_print_error("Failed to get stat for directory pointed out "
+                    "by --secure-file-priv");
+    return false;
+  }
+
+  if (dir_stat.st_mode & S_IRWXO)
+    sql_print_warning("Insecure configuration for --secure-file-priv: "
+                      "Location is accessible to all OS users. "
+                      "Consider choosing a different directory.");
+#endif
+  return true;
+}
+
+
 static int fix_paths(void)
 {
   char buff[FN_REFLEN],*pos;
+  bool secure_file_priv_nonempty= false;
   convert_dirname(mysql_home,mysql_home,NullS);
   /* Resolve symlinks to allow 'mysql_home' to be a relative symlink */
   my_realpath(mysql_home,mysql_home,MYF(0));
@@ -7715,28 +7894,55 @@ static int fix_paths(void)
     Convert the secure-file-priv option to system format, allowing
     a quick strcmp to check if read or write is in an allowed dir
    */
-  if (opt_secure_file_priv)
+  if (opt_bootstrap)
+    opt_secure_file_priv= EMPTY_STR.str;
+  secure_file_priv_nonempty= opt_secure_file_priv[0] ? true : false;
+
+  if (secure_file_priv_nonempty && strlen(opt_secure_file_priv) > FN_REFLEN)
   {
-    if (*opt_secure_file_priv == 0)
+    sql_print_warning("Value for --secure-file-priv is longer than maximum "
+                      "limit of %d", FN_REFLEN-1);
+    return 1;
+  }
+
+  memset(buff, 0, sizeof(buff));
+  if (secure_file_priv_nonempty &&
+      my_strcasecmp(system_charset_info, opt_secure_file_priv, "NULL"))
+  {
+    int retval= my_realpath(buff, opt_secure_file_priv, MYF(MY_WME));
+    if (!retval)
+    {
+      convert_dirname(secure_file_real_path, buff, NullS);
+#ifdef WIN32
+      MY_DIR *dir= my_dir(secure_file_real_path, MYF(MY_DONT_SORT+MY_WME));
+      if (!dir)
       {
-      my_free(opt_secure_file_priv);
-      opt_secure_file_priv= 0;
+        retval= 1;
       }
       else
       {
-      if (strlen(opt_secure_file_priv) >= FN_REFLEN)
-        opt_secure_file_priv[FN_REFLEN-1]= '\0';
-      if (my_realpath(buff, opt_secure_file_priv, 0))
+        my_dirend(dir);
+      }
+#endif
+    }
+
+    if (retval)
     {
-        sql_print_warning("Failed to normalize the argument for --secure-file-priv.");
+      char err_buffer[FN_REFLEN];
+      my_snprintf(err_buffer, FN_REFLEN-1,
+                  "Failed to access directory for --secure-file-priv."
+                  " Please make sure that directory exists and is "
+                  "accessible by MySQL Server. Supplied value : %s",
+                  opt_secure_file_priv);
+      err_buffer[FN_REFLEN-1]='\0';
+      sql_print_error("%s", err_buffer);
       return 1;
     }
-      char *secure_file_real_path= (char *)my_malloc(FN_REFLEN, MYF(MY_FAE));
-      convert_dirname(secure_file_real_path, buff, NullS);
-      my_free(opt_secure_file_priv);
     opt_secure_file_priv= secure_file_real_path;
   }
-  }
+
+  if (!check_secure_file_priv_path())
+    return 1;
 
   return 0;
 }

sql/sql_class.cc

@@ -68,6 +68,8 @@
 char internal_table_name[2]= "*";
 char empty_c_string[1]= {0};    /* used for not defined db */
 
+LEX_STRING EMPTY_STR= { (char *) "", 0 };
+
 const char * const THD::DEFAULT_WHERE= "field list";
 
 

sql/sql_class.h

@@ -105,6 +105,7 @@ enum enum_filetype { FILETYPE_CSV, FILETYPE_XML };
 
 extern char internal_table_name[2];
 extern char empty_c_string[1];
+extern LEX_STRING EMPTY_STR;
 extern MYSQL_PLUGIN_IMPORT const char **errmesg;
 
 extern bool volatile shutdown_in_progress;

sql/sys_vars.cc

@@ -1941,8 +1941,12 @@ static Sys_var_charptr Sys_secure_file_priv(
        "secure_file_priv",
        "Limit LOAD DATA, SELECT ... OUTFILE, and LOAD_FILE() to files "
        "within specified directory",
-       PREALLOCATED READ_ONLY GLOBAL_VAR(opt_secure_file_priv),
-       CMD_LINE(REQUIRED_ARG), IN_FS_CHARSET, DEFAULT(0));
+       READ_ONLY GLOBAL_VAR(opt_secure_file_priv),
+#ifndef EMBEDDED_LIBRARY
+       CMD_LINE(REQUIRED_ARG), IN_FS_CHARSET, DEFAULT(DEFAULT_SECURE_FILE_PRIV_DIR));
+#else
+       CMD_LINE(REQUIRED_ARG), IN_FS_CHARSET, DEFAULT(DEFAULT_SECURE_FILE_PRIV_EMBEDDED_DIR));
+#endif
 
 static bool fix_server_id(sys_var *self, THD *thd, enum_var_type type)
 {

support-files/mysql.spec.sh

-# Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -562,6 +562,7 @@ install -d $RBR%{_includedir}
 install -d $RBR%{_libdir}
 install -d $RBR%{_mandir}
 install -d $RBR%{_sbindir}
+install -d $RBR/var/lib/mysql-files
 
 mkdir -p $RBR%{_sysconfdir}/my.cnf.d
 
@@ -1141,6 +1142,7 @@ echo "====="                                     >> $STATUS_HISTORY
 %attr(755, root, root) %{_sysconfdir}/init.d/mysql
 
 %attr(755, root, root) %{_datadir}/mysql/
+%dir %attr(750, mysql, mysql) /var/lib/mysql-files
 
 # ----------------------------------------------------------------------------
 %files -n MySQL-client%{product_suffix}
@@ -1226,6 +1228,9 @@ echo "====="                                     >> $STATUS_HISTORY
 # merging BK trees)
 ##############################################################################
 %changelog
+* Mon Sep 26 2016 Balasubramanian Kandasamy <balasubramanian.kandasamy@oracle.com>
+- Include mysql-files directory
+
 * Wed Jul 02 2014 Bjorn Munch <bjorn.munch@oracle.com>
 - Disable dtrace unconditionally, breaks after we install Oracle dtrace