
maria-discuss team mailing list archive

Re: Critical Update for CVE-2016-6662

 


On 12.09.2016 at 23:58, Reinis Rozitis wrote:
a service itself *must not* have the permissions to write its config
files

The safeguard script also reads configuration files from MySQL's data
directory which is writable by the service

[root@srv-rhsoft:~]$ cat /etc/passwd | grep mysql
mysql:x:27:27:MySQL Server:/dev/null:/usr/sbin/nologin

"mysqld_safe" has been deleted from packages for 5 years here

Though the author also covers cases of bad configuration and possible
victims.

"Root-Code-Execution" is clickbait

Since when a CVE is a clickbait ..

the "Root-Code-Execution" part is

maybe someone considers throwing away "mysqld_safe" and stops starting it as root anyway, since for high ports root permissions were *never* needed
__________________________________

* this below does the same as "mysqld_safe" way cleaner
* it restarts mysqld if it crashes
* it doesn't contain obscure shell scripts
* systemd doesn't need pid-files for tracking type=simple
* "mysqld-wait-ready" makes sure dependent services are
  started after the daemon is fully operational
* no bit of mysql is running as root
__________________________________

[Service]
Type=simple
User=mysql
Group=mysql
ExecStart=/usr/libexec/mysqld --defaults-file=/etc/my.cnf --pid-file=/dev/null
ExecStartPost=/usr/libexec/mysqld-wait-ready $MAINPID
Environment="LANG=en_GB.UTF-8"
Restart=always
RestartSec=1
__________________________________

[root@srv-rhsoft:~]$ cat /usr/libexec/mysqld-wait-ready
#!/usr/bin/bash

# Service file passes us the daemon's PID
daemon_pid="$1"

# Wait for the server to come up or for the mysqld process to disappear
ret=0
while /usr/bin/true; do
 RESPONSE=`/usr/bin/mysqladmin --defaults-file=/etc/my.cnf --socket=/var/lib/mysql/mysql.sock --user=UNKNOWN_MYSQL_USER ping 2>&1`
 mret=$?
 if [ $mret -eq 0 ]; then
  break
 fi
 # exit codes 1, 11 (EXIT_CANNOT_CONNECT_TO_SERVICE) are expected,
 # anything else suggests a configuration error
 if [ $mret -ne 1 -a $mret -ne 11 ]; then
  ret=1
  break
 fi
 # "Access denied" also means the server is alive
 echo "$RESPONSE" | grep -q "Access denied for user" && break

 # Check process still exists
 if ! /usr/bin/kill -0 $daemon_pid 2>/dev/null; then
  ret=1
  break
 fi
 usleep 100000
done

exit $ret
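
One way to check the rule stated in this message, that the service account must not be able to write its own config files, including any that are looked up inside the data directory. This is an added example, not part of the original post; the function names are hypothetical, and it assumes GNU stat, checks only the primary group and ignores ACLs.

```shell
#!/bin/sh
# Added example. Assumes GNU stat (-c); checks only the primary group,
# ignores ACLs and the sticky bit (so it errs towards reporting).

# can_modify UID GID PATH: succeeds if that identity is root, owns PATH
# (an owner can always chmod), or has a write bit on it.
can_modify() (
    uid=$1 gid=$2 path=$3
    info=$(stat -c '%u %g %a' "$path" 2>/dev/null) || exit 2
    set -- $info
    owner=$1 group=$2 mode=$((0$3))       # leading 0: parse as octal
    [ "$uid" -eq 0 ] && exit 0
    [ "$uid" -eq "$owner" ] && exit 0
    if [ "$gid" -eq "$group" ]; then
        [ $((mode & 020)) -ne 0 ]
    else
        [ $((mode & 002)) -ne 0 ]
    fi
)

# config_exposed UID GID PATH: succeeds if the identity can change what a
# reader of PATH sees, either by editing the file or by creating or
# replacing it through the directory that holds it. The second case is a
# config file looked up inside the service's own data directory.
config_exposed() (
    uid=$1 gid=$2 path=$3
    if [ -e "$path" ] && can_modify "$uid" "$gid" "$path"; then exit 0; fi
    can_modify "$uid" "$gid" "$(dirname "$path")"
)

# audit_configs USER PATH...: prints one line per exposed path and
# returns 0 only when none is exposed.
# Usage (the data-directory path is an assumed example):
#   audit_configs mysql /etc/my.cnf /var/lib/mysql/my.cnf
audit_configs() (
    user=$1; shift
    uid=$(id -u "$user") && gid=$(id -g "$user") || exit 2
    n=0
    for p in "$@"; do
        if config_exposed "$uid" "$gid" "$p"; then
            echo "EXPOSED: $p can be written or replaced by $user"
            n=$((n + 1))
        fi
    done
    [ "$n" -eq 0 ]
)
```

A path that does not exist yet is still reported when its directory is controlled by the service account, because the account could create the file there.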

