[debian-mysql] Bug#843618: Bug#843618: mysql-server-5.5: Fails to start after recent security update

Thomas Braun thomas at akwgegner.de
Tue Nov 8 12:30:33 UTC 2016 

> Lars Tangvald <lars.tangvald at oracle.com> hat am 8. November 2016 um 12:28
> geschrieben:

Hi Lars,

thanks for the quick reply.

> It's probably something with your setup the upgrade logic can't handle 
> correctly.
> In 5.5.53, MySQL changes the inbuilt secure-file-priv (determined where 
> the server can read/write data for import/export operations) default 
> setting from blank, meaning the server has read/write access anywhere, 
> to /var/lib/mysql-files, which should be automatically created by the 
> postinst. This is a fairly big change, but it was felt the old behavior 
> was a big enough security risk to justify it.
> Do you have a special setup (partition, symlink, etc) for your /var/lib 
> folders, so the default directory might not be possible to create/access?
> 
> Finally, setting secure-file-priv to your datadir is very strongly 
> recommended against, as it pretty much gives any database user full 
> database access.
> We recommend either setting it to a separate location, or to NULL (only 
> available in 5.5.53+), which will disable import/export operations for 
> the server.

I've investigated and indeed /var/lib/mysql-files did not exist.

The reason was that another third-party (gitlab-ee) package depending on the
mysql-server package broke the apt-get upgrade, 
leaving mysql-server's postinst script not executed. 

I've reinstalled the mysql-server package, removed my hack and now it works
again.

Thanks again, especially about mentioning the security implications about my
hack, 
Thomas

> On 11/08/2016 11:58 AM, Thomas Braun wrote:
> > Package: mysql-server-5.5
> > Version: 5.5.53-0+deb8u1
> > Severity: important
> >
> > Dear Maintainer,
> >
> > after tonights security update my mysql server does not start anymore.
> >
> > Looking in /var/log/mysql/error.log gives:
> > 161108 11:18:02 mysqld_safe Starting mysqld daemon with databases from
> > /var/lib/mysql
> > 161108 11:18:02 [Warning] Using unique option prefix key_buffer instead of
> > key_buffer_size is deprecated and will be removed in a future release.
> > Please
> > use the full name instead.
> > /usr/sbin/mysqld: Error on realpath() on '/var/lib/mysql-files' (Error 2)
> > 161108 11:18:02 [ERROR] Failed to access directory for --secure-file-priv.
> > Please make sure that directory exists and is accessible by MySQL Server.
> > Supplied value : /var/lib/mysql-files
> > 161108 11:18:02 [ERROR] Aborting
> >
> > So it looks like that the new secure-file-priv option defaults to a
> > different
> > folder than specified as datadir in my config.
> > I've not touched the mysql settings manually.
> >
> > I've fixed the bug by adding the file
> > /etc/mysql/conf.d/fix-security-update-bug.cnf with contents
> >
> > [mysqld]
> > secure_file_priv=/var/lib/mysql
> >
> > Thanks for your work on the mysql packages,
> > Thomas
> >
> > -- System Information:
> > Debian Release: 8.6
> >    APT prefers stable
> >    APT policy: (500, 'stable')
> > Architecture: amd64 (x86_64)
> >
> > Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
> > Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
> > Shell: /bin/sh linked to /bin/dash
> > Init: systemd (via /run/systemd/system)
> >
> > Versions of packages mysql-server-5.5 depends on:
> > ii  adduser                3.113+nmu3
> > ii  debconf [debconf-2.0]  1.5.56
> > ii  initscripts            2.88dsf-59
> > ii  libc6                  2.19-18+deb8u6
> > ii  libdbi-perl            1.631-3+b1
> > ii  libgcc1                1:4.9.2-10
> > ii  libstdc++6             4.9.2-10
> > ii  lsb-base               4.1+Debian13+nmu1
> > iu  mysql-client-5.5       5.5.53-0+deb8u1
> > ii  mysql-common           5.5.53-0+deb8u1
> > iu  mysql-server-core-5.5  5.5.53-0+deb8u1
> > ii  passwd                 1:4.2-3+deb8u1
> > ii  perl                   5.20.2-3+deb8u6
> > ii  psmisc                 22.21-2
> > ii  zlib1g                 1:1.2.8.dfsg-2+b1
> >
> > Versions of packages mysql-server-5.5 recommends:
> > ii  libhtml-template-perl  2.95-1
> >
> > Versions of packages mysql-server-5.5 suggests:
> > ii  heirloom-mailx [mailx]  12.5-4
> > pn  tinyca                  <none>
> >
> > -- debconf information:
> >    mysql-server-5.5/postrm_remove_databases: false
> >    mysql-server-5.5/start_on_boot: true
> >    mysql-server/error_setting_password:
> >    mysql-server-5.5/nis_warning:
> >    mysql-server/password_mismatch:
> >    mysql-server-5.5/really_downgrade: false
> >    mysql-server/no_upgrade_when_using_ndb:
> >
> > _______________________________________________
> > pkg-mysql-maint mailing list
> > pkg-mysql-maint at lists.alioth.debian.org
> > http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-mysql-maint
> 
>

More information about the pkg-mysql-maint mailing list