[debian-mysql] Bug#664639: mysqld_safer user

Nicholas Bamber nicholas at periapt.co.uk
Tue Jun 19 13:28:21 UTC 2012


I just wanted to preserve this discussion for reference:

(12:05:09) jes-o-mat: periapt: btw - do you know a reason why
mysqld_safe is running as root?
(12:07:05) periapt: jes-o-mat: No, that seems like a fair question to me.
(12:28:25) ryeng: mysqld_safe is supposed to chown the error log
(12:29:02) ryeng: Lines 560-576
(12:37:03) jes-o-mat: periapt:
http://boschman.de/~jesusch/debian/mysql/664639-mysql-server.init.diff.txt
(12:37:15) jes-o-mat: seems to be working pretty well?
(12:39:23) ryeng: jes-o-mat: Does it also work if you start mysqld_safe
with --user=${user}?
(12:40:02) ryeng: I'm not sure if mysqld_safe needs to run as root.
(12:40:46) jes-o-mat: ryeng: I'd vote for starting mysqld_safe as user
mysql as far as it seems that there is no reason to run it as root
(12:42:52) jes-o-mat: ryeng: http://paste.debian.net/175256/
(12:43:04) ryeng: jes-o-mat: I agree. I found this, explaining the
reason it allows user switching:
https://blogs.oracle.com/bobn/entry/securing_mysql_using_smf_the
(12:43:43) ryeng: Running it as the mysql user seems like a good idea
(12:44:04) ryeng: «The answer to the first question is simple: it can be
run as a regular user. It only runs as root out of convenience to
operating systems that don't have as sophisticated a security framework
as Solaris.»
(12:44:21) jes-o-mat: seems like --user is not taken into account
(12:49:22) jes-o-mat: btw - I've retitled and reassigned the bugreport.
why did this not happen?
(12:49:52) jes-o-mat: do I need to CC control at bugs.d.o?
(12:51:35) periapt: jes-o-mat: YEs.
http://www.debian.org/Bugs/server-control
(12:52:32) periapt: jes-o-mat: Actually "Bcc"  is better. It stops
people sending nonsense to the control server.
(13:19:36) jes-o-mat: periapt: Revision 2162 should do the trick
(13:21:30) periapt: jes-o-mat: Thanks. I'll give it a whirl.
(13:37:25) jes-o-mat: periapt: damn - we might have an issue...
mysqld_safe in some cases set's custom ulimits.. which afaik is only
possible as root?
(13:50:36) periapt: maybe: "An unprivileged process may only set its
soft limit to a value in the range from 0 up to the hard limit, and
(irreversibly) lower its hard limit. A privileged process may make
arbitrary changes to either limit value."
(13:51:07) periapt: jes-o-mat: I am just glad you made the change in
experimental. :)





More information about the pkg-mysql-maint mailing list