[debian-mysql] mysql-5.7: secure_file_priv

Norvald H. Ryeng norvald.ryeng at oracle.com
Mon Jan 4 11:26:41 UTC 2016


Hi Björn,

On Tue, 29 Dec 2015 12:22:08 +0100, Bjoern Boschman <bjoern at boschman.de>
wrote:

> Hi folks,
>
> I've started working on a mysql-5.7 branch [0].
>
> While doing so I had to face the following difference between 5.6<->5.7
>
> secure_file_priv [1]
>
> mysql-5.6 default for this setting was 'empty' which simply disables this
> feature.
> mysql-5.7 builds with (what we currently do) '/var/lib/mysql-files' which
> is based on the used INSTALL_LAYOUT=RPM [2]
> my question is now: how shall I handle this?
> I would not like to add secure_file_priv= within mysqld.cnf as this would
> deactivate this feature for customers who want to use this on purpose.

I think you may have misunderstood the manual. If set to empty, the server
can read from/write to any directory. If set to NULL, import and export are
disabled. Anything else restricts it to that directory.

It's a good idea to restrict reading and writing, so I think it should be
on by default.

The default location is a result of discussions with maintainers in
Debian, Ubuntu, Fedora/Red Hat and openSUSE/SUSE over a year ago, so I
suggest we keep it as is and create the directory.

> I'm thinking of switching INSTALL_LAYOUT=STANDALONE as this seems to be the
> only usage of this cmake flag.
>
> @Oracle employees: can you confirm that this has no other impact?

I suggest you don't change INSTALL_LAYOUT, but instead use the
-DINSTALL_SECURE_FILE_PRIVDIR=dirname CMake option [1] if you want to
change this value. That will leave all the other options alone.

But as I said, I'd prefer to keep the default value.

Regards,

Norvald H. Ryeng

[1] https://dev.mysql.com/doc/refman/5.7/en/source-configuration-options.html#option_cmake_install_secure_file_privdir
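The three states of secure_file_priv described in the reply above (empty, NULL, a directory), as an added example that is not part of the original thread or of MySQL's packaging: a small option-file audit in Python. It assumes the compiled-in default is the /var/lib/mysql-files value mentioned in the thread; the function names and the sample option files are constructed for illustration.

```python
import configparser

# Assumption: compiled-in default taken from the thread (INSTALL_LAYOUT=RPM build).
BUILD_DEFAULT = "/var/lib/mysql-files"


def classify(value):
    """Map a secure_file_priv value to the behaviour described in the reply."""
    if value == "":
        return "unrestricted"  # server can read from/write to any directory
    if value.upper() == "NULL":
        return "disabled"      # import and export are disabled
    return "restricted"        # import and export limited to that directory


def effective_secure_file_priv(cnf_text, build_default=BUILD_DEFAULT):
    """Return (value, mode) for the [mysqld] group of one option file."""
    # Drop !include/!includedir directives, which configparser cannot parse.
    body = "\n".join(line for line in cnf_text.splitlines()
                     if not line.lstrip().startswith("!"))
    parser = configparser.RawConfigParser(
        allow_no_value=True, strict=False, delimiters=("=",))
    # MySQL accepts dashes and underscores interchangeably in option names;
    # normalising the key also makes the last occurrence win.
    parser.optionxform = lambda key: key.replace("-", "_").lower()
    parser.read_string(body)
    raw = parser.get("mysqld", "secure_file_priv", fallback=build_default)
    # Assumption: a bare key with no '=' is treated like an empty value here.
    value = (raw or "").strip().strip("'\"")
    return value, classify(value)


# Constructed sample option files.
SAMPLES = {
    "no setting, build default applies": "[mysqld]\nuser = mysql\n",
    "explicitly empty": "!includedir /etc/mysql/conf.d/\n[mysqld]\nsecure_file_priv=\n",
    "explicit NULL": "[mysqld]\nsecure-file-priv = NULL\n",
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        value, mode = effective_secure_file_priv(text)
        print(f"{label}: value={value!r} mode={mode}")
```

On a running server, `SELECT @@GLOBAL.secure_file_priv;` shows the value actually in effect, which also reflects command-line options and included files that this single-file check does not see.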
