[debian-mysql] Bug#736087: Bug#736087: Bug#736087: mysql-5.5: Please install AppArmor profile on Debian too

Kristian Nielsen knielsen at knielsen-hq.org
Tue Jan 21 20:57:15 UTC 2014

Clint Byrum <spamaps at debian.org> writes:

> The next time MySQL has an exploit allowing one to write arbitrary
> files, the users who have contained their mysqld's with AppArmor will
> not be annoyed.

Which files are writable by user `mysql', but not by /usr/sbin/mysqld?

But agree, certainly it will be possible to think of potential attack vectors
that could be prevented, at least theoretically.

> This is a constant source of confusion caused by Debian's choice to
> be a fully-automatic fully-integrated system. Sometimes users just want
> binaries. The leaf packages for services like mysql tend to over-reach and
> do a mediocre job, but they're liked by many who just want something easy.

Still, it would be nice if the test suite (as packaged in mysql-testsuite-5.5)
could be run without having to disable apparmor first...

 - Kristian.

More information about the pkg-mysql-maint mailing list