Restricting Local File System Access

SingleStore provides two engine variables that control how SQL statements interact with the server's local file system.

local_file_system_access_restricted

The local_file_system_access_restricted engine variable controls whether SQL statements can read from or write to the local file system on the server.

Property

Value

Default

OFF

Scope

Global

Dynamic

Yes

When set to ON, the following operations are blocked:

  • SELECT ... INTO OUTFILE

  • SELECT ... INTO FS

  • LOAD DATA ... INFILE (without LOCAL)

  • CREATE PIPELINE ... LOAD DATA FS

By default, this engine variable is set to OFF, which allows any user with the appropriate privileges (FILE READ or FILE WRITE) to access files anywhere on the server's file system unless access is further restricted by secure_file_priv.

Note

SingleStore recommends setting this engine variable to ON unless local file system access is explicitly required. The variable defaults to OFF for backward compatibility with existing deployments that rely on local file import and export workflows. In this mode, any user with FILE READ or FILE WRITE privileges can access files anywhere on the server's file system unless further restricted by the secure_file_priv engine variable.

To persist across restarts, add the following to the engine configuration file (memsql.cnf) on every node:

[server]
local_file_system_access_restricted = ON

secure_file_priv

If your workload requires local file system access and you cannot disable local_file_system_access_restricted, set secure_file_priv to restrict file operations to a specific directory.

The secure_file_priv engine variable limits the directories from which LOAD DATA can read and to which SELECT ... INTO OUTFILE can write.

Property

Value

Default

NULL (unrestricted)

Scope

Global

Dynamic

Yes

When secure_file_priv is set to NULL (default value), a user with the FILE WRITE privilege can write files to any location on the server's file system accessible to the memsqld process. This includes overwriting configuration files or writing to sensitive directories.

When set to a directory path, users with FILE READ or FILE WRITE privileges can only access files within that directory or its subdirectories.

Use the following command to set the engine variable:

SET GLOBAL secure_file_priv = '/var/lib/memsql/data/export';

To persist across restarts, add the following to the engine configuration file (memsql.cnf) on every node:

[server]
secure_file_priv = /var/lib/memsql/data/export

Ensure the directory exists and has appropriate permissions before setting this variable.

Best Practices

Apply one of the following configurations for different scenarios:

Scenario

Recommended Configuration

Behavior

Local file I/O needed, unrestricted

local_file_system_access_restricted = OFF (default) and secure_file_priv = NULL (default)

File I/O is allowed anywhere on the server's file system accessible to the memsqld process.

Local file I/O needed, restricted to a specific directory

local_file_system_access_restricted = OFF (default) and secure_file_priv = path/to/dir

File I/O is allowed only within the specified directory and its subdirectories.

No local file I/O needed

local_file_system_access_restricted = ON and secure_file_priv = <any value>

All local file system access is blocked. local_file_system_access_restricted takes precedence and secure_file_priv is not evaluated.

Last modified:

Was this article helpful?

Verification instructions

Note: You must install cosign to verify the authenticity of the SingleStore file.

Use the following steps to verify the authenticity of singlestoredb-server, singlestoredb-toolbox, singlestoredb-studio, and singlestore-client SingleStore files that have been downloaded.

You may perform the following steps on any computer that can run cosign, such as the main deployment host of the cluster.

  1. (Optional) Run the following command to view the associated signature files.

    curl undefined
  2. Download the signature file from the SingleStore release server.

    • Option 1: Click the Download Signature button next to the SingleStore file.

    • Option 2: Copy and paste the following URL into the address bar of your browser and save the signature file.

    • Option 3: Run the following command to download the signature file.

      curl -O undefined
  3. After the signature file has been downloaded, run the following command to verify the authenticity of the SingleStore file.

    echo -n undefined |
    cosign verify-blob --certificate-oidc-issuer https://oidc.eks.us-east-1.amazonaws.com/id/CCDCDBA1379A5596AB5B2E46DCA385BC \
    --certificate-identity https://kubernetes.io/namespaces/freya-production/serviceaccounts/job-worker \
    --bundle undefined \
    --new-bundle-format -
    Verified OK

Try Out This Notebook to See What’s Possible in SingleStore

Get access to other groundbreaking datasets and engage with our community for expert advice.