[debian-mysql] Bug#843618: Bug#843618: mysql-server-5.5: Fails to start after recent security update
Thomas Braun
thomas at akwgegner.de
Tue Nov 8 12:30:33 UTC 2016
> Lars Tangvald <lars.tangvald at oracle.com> wrote on 8 November 2016 at 12:28:
Hi Lars,
thanks for the quick reply.
> It's probably something with your setup the upgrade logic can't handle
> correctly.
> In 5.5.53, MySQL changes the inbuilt secure-file-priv (determines where
> the server can read/write data for import/export operations) default
> setting from blank, meaning the server has read/write access anywhere,
> to /var/lib/mysql-files, which should be automatically created by the
> postinst. This is a fairly big change, but it was felt the old behavior
> was a big enough security risk to justify it.
> Do you have a special setup (partition, symlink, etc) for your /var/lib
> folders, so the default directory might not be possible to create/access?
>
> Finally, setting secure-file-priv to your datadir is very strongly
> recommended against, as it pretty much gives any database user full
> database access.
> We recommend either setting it to a separate location, or to NULL (only
> available in 5.5.53+), which will disable import/export operations for
> the server.
I've investigated and indeed /var/lib/mysql-files did not exist.
The reason was that another third-party (gitlab-ee) package depending on the
mysql-server package broke the apt-get upgrade,
leaving mysql-server's postinst script not executed.
I've reinstalled the mysql-server package, removed my hack and now it works
again.
Thanks again, especially about mentioning the security implications about my
hack,
Thomas
> On 11/08/2016 11:58 AM, Thomas Braun wrote:
> > Package: mysql-server-5.5
> > Version: 5.5.53-0+deb8u1
> > Severity: important
> >
> > Dear Maintainer,
> >
> > after tonight's security update my mysql server does not start anymore.
> >
> > Looking in /var/log/mysql/error.log gives:
> > 161108 11:18:02 mysqld_safe Starting mysqld daemon with databases from
> > /var/lib/mysql
> > 161108 11:18:02 [Warning] Using unique option prefix key_buffer instead of
> > key_buffer_size is deprecated and will be removed in a future release. Please
> > use the full name instead.
> > /usr/sbin/mysqld: Error on realpath() on '/var/lib/mysql-files' (Error 2)
> > 161108 11:18:02 [ERROR] Failed to access directory for --secure-file-priv.
> > Please make sure that directory exists and is accessible by MySQL Server.
> > Supplied value : /var/lib/mysql-files
> > 161108 11:18:02 [ERROR] Aborting
> >
> > So it looks like that the new secure-file-priv option defaults to a different
> > folder than specified as datadir in my config.
> > I've not touched the mysql settings manually.
> >
> > I've fixed the bug by adding the file
> > /etc/mysql/conf.d/fix-security-update-bug.cnf with contents
> >
> > [mysqld]
> > secure_file_priv=/var/lib/mysql
> >
> > Thanks for your work on the mysql packages,
> > Thomas
> >
> > -- System Information:
> > Debian Release: 8.6
> > APT prefers stable
> > APT policy: (500, 'stable')
> > Architecture: amd64 (x86_64)
> >
> > Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
> > Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
> > Shell: /bin/sh linked to /bin/dash
> > Init: systemd (via /run/systemd/system)
> >
> > Versions of packages mysql-server-5.5 depends on:
> > ii adduser 3.113+nmu3
> > ii debconf [debconf-2.0] 1.5.56
> > ii initscripts 2.88dsf-59
> > ii libc6 2.19-18+deb8u6
> > ii libdbi-perl 1.631-3+b1
> > ii libgcc1 1:4.9.2-10
> > ii libstdc++6 4.9.2-10
> > ii lsb-base 4.1+Debian13+nmu1
> > iu mysql-client-5.5 5.5.53-0+deb8u1
> > ii mysql-common 5.5.53-0+deb8u1
> > iu mysql-server-core-5.5 5.5.53-0+deb8u1
> > ii passwd 1:4.2-3+deb8u1
> > ii perl 5.20.2-3+deb8u6
> > ii psmisc 22.21-2
> > ii zlib1g 1:1.2.8.dfsg-2+b1
> >
> > Versions of packages mysql-server-5.5 recommends:
> > ii libhtml-template-perl 2.95-1
> >
> > Versions of packages mysql-server-5.5 suggests:
> > ii heirloom-mailx [mailx] 12.5-4
> > pn tinyca <none>
> >
> > -- debconf information:
> > mysql-server-5.5/postrm_remove_databases: false
> > mysql-server-5.5/start_on_boot: true
> > mysql-server/error_setting_password:
> > mysql-server-5.5/nis_warning:
> > mysql-server/password_mismatch:
> > mysql-server-5.5/really_downgrade: false
> > mysql-server/no_upgrade_when_using_ndb:
> >
>
>
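
The cases discussed in this thread (blank, NULL, a missing directory, a directory at or inside the datadir, a separate directory) can be told apart with a short check. This is an added example, not part of the original messages or of the Debian packaging; the function name check_sfp and its verdict words are hypothetical, and the demo runs on a constructed temporary tree rather than a real /var/lib.

```shell
#!/bin/sh
# check_sfp VALUE DATADIR -> prints one verdict word (hypothetical helper).
check_sfp() {
    value=$1
    datadir=$2
    case "$value" in
        "")   echo "unrestricted"; return 0 ;;  # old default: read/write anywhere
        NULL) echo "disabled"; return 0 ;;      # 5.5.53+: import/export turned off
    esac
    if [ ! -d "$datadir" ]; then
        echo "no-datadir"; return 0
    fi
    # A missing directory is what made mysqld abort in the report above.
    if [ ! -d "$value" ]; then
        echo "missing"; return 0
    fi
    # Resolve symlinks so a link that points into the datadir is caught too.
    real_value=$(cd "$value" && pwd -P)
    real_datadir=$(cd "$datadir" && pwd -P)
    # The trailing slash keeps .../mysql-files from matching the prefix .../mysql.
    case "$real_value/" in
        "$real_datadir"/*) echo "inside-datadir" ;;  # the workaround from the report
        *)                 echo "separate" ;;        # the recommended layout
    esac
}

# Constructed demo tree standing in for /var/lib.
demo=$(mktemp -d)
mkdir "$demo/mysql" "$demo/mysql-files" "$demo/mysql/export"
ln -s "$demo/mysql" "$demo/link-to-datadir"
for v in "" NULL "$demo/mysql" "$demo/mysql/export" "$demo/link-to-datadir" \
         "$demo/mysql-files" "$demo/absent"; do
    printf '%-16s %s\n' "$(check_sfp "$v" "$demo/mysql")" "${v:-<blank>}"
done
rm -rf "$demo"
```
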