[debian-mysql] Bug#752593: mysql-server-5.5: should not test if root is writable

Russell Coker russell at coker.com.au
Wed Jun 25 01:42:53 UTC 2014


Package: mysql-server-5.5
Version: 5.5.37-1
Severity: normal
Tags: patch

For some reason mysqld_safe tests if the root directory is writable.  I can't
work out why this is and in any case it's redundant as the other test (for USER
being root) passes in the normal Debian configuration.

type=AVC msg=audit(1403622580.061:96): avc:  denied  { write } for  pid=1331 comm="mysqld_safe" name="/" dev="dm-0" ino=256 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
type=SYSCALL msg=audit(1403622580.061:96): arch=c000003e syscall=269 success=yes exit=0 a0=ffffffffffffff9c a1=7f5e09bfe798 a2=2 a3=2 items=0 ppid=1109 pid=1331 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mysqld_safe" exe="/bin/dash" subj=system_u:system_r:mysqld_safe_t:s0 key=(null)

On a SE Linux system the above messages are logged every time mysqld is
started.  I could put in a dontaudit rule for that but I prefer not to do that
because if mysqld_safe tries any other form of writing to the root directory
then it would be a bug that we should know about (and prevent).

The following patch makes no change to the functionality of mysqld startup on
a default Debian configuration while avoiding this problem.

It's probably worth considering whether the test even makes sense, but if it
does make sense then it's best to have it after the UID test.

--- mysqld_safe.orig    2014-06-25 11:37:02.394406559 +1000
+++ mysqld_safe 2014-06-25 11:37:24.442599244 +1000
@@ -585,7 +585,7 @@
 fi
 
 USER_OPTION=""
-if test -w / -o "$USER" = "root"
+if "$USER" = "root" -o test -w /
 then
   if test "$user" != "root" -o $SET_USER = 1
   then
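
Review bot: the added line drops the leading "test", so as written (if "$USER" = "root" -o test -w /) the shell will try to run the expansion of $USER as a command, with = "root" -o test -w / as its arguments, instead of evaluating a condition. The goal stated in the report is to avoid the write check on / when USER is root, and reordering operands inside a single test with -o is not guaranteed to skip the second operand. Two separate commands joined by the shell's own operator do short-circuit: if test "$USER" = "root" || test -w /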

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.14-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages mysql-server-5.5 depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.53
ii  initscripts            2.88dsf-53.2
ii  libc6                  2.19-4
ii  libdbi-perl            1.631-3
ii  libgcc1                1:4.9.0-7
ii  libstdc++6             4.9.0-7
ii  lsb-base               4.1+Debian13
ii  mysql-client-5.5       5.5.37-1
ii  mysql-common           5.5.37-1
ii  mysql-server-core-5.5  5.5.37-1
ii  passwd                 1:4.2-2
ii  perl                   5.18.2-4
ii  psmisc                 22.21-2
ii  zlib1g                 1:1.2.8.dfsg-1

Versions of packages mysql-server-5.5 recommends:
pn  libhtml-template-perl  <none>

Versions of packages mysql-server-5.5 suggests:
ii  bsd-mailx [mailx]  8.1.2-0.20131005cvs-1
pn  tinyca             <none>

-- debconf information:
  mysql-server/root_password_again: (password omitted)
  mysql-server/root_password: (password omitted)
  mysql-server/no_upgrade_when_using_ndb:
  mysql-server/error_setting_password:
  mysql-server/password_mismatch:
  mysql-server-5.5/postrm_remove_databases: false
  mysql-server-5.5/start_on_boot: true
  mysql-server-5.5/nis_warning:
  mysql-server-5.5/really_downgrade: false
