[debian-mysql] Bug#945051: galera-3: incompatible with fs.protected_regular = 1

Alexander E. Patrakov patrakov at gmail.com
Tue Nov 19 00:33:02 GMT 2019


Package: galera-3
Version: 25.3.25-2
Severity: normal

Dear Maintainer,

I have tried to install mariadb-server and galera-3 in LXC containers. 
The host is Arch Linux, that's why the strange kernel version.

Unfortunately, mariadb.service fails to start. The error message is:

/usr/bin/galera_recovery: 71: /usr/bin/galera_recovery: cannot create 
/tmp/wsrep_recovery.BLuWHq: Permission denied

The root cause is that Arch enables fs.protected_regular = 1 by default, 
and the /usr/bin/galera_recovery script contains a pattern that is 
exactly meant to be prevented by fs.protected_regular = 1. In particular:

  28 log_file=$(mktemp /tmp/wsrep_recovery.XXXXXX)
... (in a function)
  71   eval /usr/sbin/mysqld $cmdline_args --user=$user --wsrep_recover \
  72     --disable-log-error 2> "$log_file"
...
104   [ "$euid" = "0" ] && chown $user $log_file

Lines 28 and 104 create a file with mysql:root ownership in a sticky 
directory, lines 71-72 open it as root.

Because Linux checks permissions on open(), and open() happens as root 
in line 72, I see no point in line 104. Removing it makes the script 
compatible with fs.protected_regular = 1.

-- System Information:
Debian Release: 10.2
   APT prefers stable
   APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.3.11-arch1-1 (SMP w/8 CPU cores; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE # wireguard
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages galera-3 depends on:
ii  libc6       2.28-10
ii  libgcc1     1:8.3.0-6
ii  libssl1.1   1.1.1d-0+deb10u2
ii  libstdc++6  8.3.0-6

galera-3 recommends no packages.

galera-3 suggests no packages.

-- no debconf information

-- 
Alexander E. Patrakov
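
Added example, not part of the original report or of the galera-3 package: a shell model of the fs.protected_regular decision described in the kernel sysctl documentation, for an open() with O_CREAT (as a `2>` redirection does) on an existing regular file. The function names, the GNU `stat -c` usage and uid 999 for the mysql user are assumptions made for illustration.

```shell
#!/bin/sh
# Model of the fs.protected_regular check for open(O_CREAT) on an
# existing regular file. Returns 0 if the open is refused (EACCES),
# 1 if it is allowed.
# Args: sysctl value, directory mode (octal), directory owner uid,
#       file owner uid, fsuid of the opening process.
protected_regular_blocks() {
    level=$1 dir_mode=$2 dir_uid=$3 file_uid=$4 opener_uid=$5
    [ "$level" -ge 1 ] || return 1                    # protection disabled
    [ $(( 0$dir_mode & 01000 )) -ne 0 ] || return 1   # directory not sticky
    [ "$file_uid" != "$dir_uid" ] || return 1         # file owned by directory owner
    [ "$file_uid" != "$opener_uid" ] || return 1      # opener owns the file
    [ $(( 0$dir_mode & 0002 )) -eq 0 ] || return 0    # world-writable sticky dir: refuse
    # Value 2 extends the refusal to group-writable sticky directories.
    [ "$level" -ge 2 ] && [ $(( 0$dir_mode & 0020 )) -ne 0 ] && return 0
    return 1
}

# Apply the model to a real path for a given opener uid (GNU stat assumed).
check_path() {
    file=$1 opener_uid=$2
    dir=$(dirname -- "$file")
    level=$(cat /proc/sys/fs/protected_regular 2>/dev/null || echo 0)
    protected_regular_blocks "$level" "$(stat -c %a -- "$dir")" \
        "$(stat -c %u -- "$dir")" "$(stat -c %u -- "$file")" "$opener_uid"
}

# Constructed case matching the report: /tmp is 1777 and owned by uid 0,
# the temp file was chowned to mysql (uid 999 assumed), root opens it.
if protected_regular_blocks 1 1777 0 999 0; then
    echo "after chown: open as root is refused (Permission denied)"
fi
# Same open when the chown is skipped: the file stays owned by root.
if ! protected_regular_blocks 1 1777 0 0 0; then
    echo "without chown: open as root is allowed"
fi
```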
