[debian-mysql] Bug#1022994: mariadb-server: Initial DB creation fails with libpam-tmpdir installed
Sunil Mohan Adapa
sunil at medhas.org
Fri Oct 28 21:27:15 BST 2022
Package: mariadb-server
Version: 1:10.6.10-1
Severity: important
Tags: upstream
Dear Maintainer,
This bug has been reported upstream but may need a workaround in Debian.
https://jira.mariadb.org/browse/MDEV-29910
Description
-----------
On Debian GNU/Linux, when the package libpam-tmpdir is installed,
mysql_install_db script fails during post install setup. As a result, mariadb
daemon fails to start. The following error message is shown:
rm -rf /var/lib/mysql ; mysql_install_db --rpm --cross-bootstrap --user=mysql --disable-log-bin --skip-test-db
2022-10-28 19:33:00 0 [ERROR] mariadbd: Can't create/write to file '/tmp/user/0/ib2C7oNS' (Errcode: 13 "Permission denied")
2022-10-28 19:33:00 0 [ERROR] InnoDB: Unable to create temporary file; errno: 13
2022-10-28 19:33:00 0 [ERROR] mariadbd: Can't create/write to file '/tmp/user/0/ibykVtxz' (Errcode: 13 "Permission denied")
2022-10-28 19:33:00 0 [ERROR] InnoDB: Unable to create temporary file; errno: 13
2022-10-28 19:33:00 0 [ERROR] InnoDB: Database creation was aborted with error Generic error. You may need to delete the ibdata1 file before trying to start up again.
2022-10-28 19:33:00 0 [ERROR] Plugin 'InnoDB' init function returned error.
2022-10-28 19:33:00 0 [ERROR] Plugin 'InnoDB' registration as a STORAGE ENGINE failed.
2022-10-28 19:33:00 0 [ERROR] Unknown/unsupported storage engine: InnoDB
2022-10-28 19:33:00 0 [ERROR] Aborting
Installation of system tables failed! Examine the logs in
/var/lib/mysql for more information.
Environment
-----------
On FreedomBox (a pure blend of Debian), several applications that depend on
mariadb fail to install when running on Debian testing/unstable. This is due to
mariadb not running soon after installation. FreedomBox installs the package
libpam-tmpdir by default. If this package is removed, mariadb server is running
successfully after install.
This bug was reproduced on Debian unstable (as of 2022-10-28) with
mariadb-server package version 1:10.6.10-1+b1.
Workarounds
-----------
1. If libpam-tmpdir package is removed, the installation and daemon start
succeed.
2. When the environment variable TMPDIR is set to empty value, the
mysql_install_db command succeeds. Example:
rm -rf /var/lib/mysql ; TMPDIR= mysql_install_db --rpm --cross-bootstrap --user=mysql --disable-log-bin --skip-test-db
3. When mysql_install_db is not run as root, the problem is not observed.
Example:
rm -rf /var/lib/mysql ; mkdir /var/lib/mysql; chown mysql:mysql /var/lib/mysql/ ; sudo -u mysql mysql_install_db --rpm --cross-bootstrap --user=mysql --disable-log-bin --skip-test-db
Regression
----------
This error does not occur on Debian stable (bullseye) where mariadb package
version is 1:10.5.15-0+deb11u1. Hence this is a regression since that version.
Analysis
--------
According to pam-tmpdir: "Many programs use $TMPDIR for storing temporary
files. Not all of them are good at securing the permissions of those files.
libpam-tmpdir sets $TMPDIR and $TMP for PAM sessions and sets the permissions
quite tight. This helps system security by having an extra layer of security,
making such symlink attacks and other /tmp based attacks harder or impossible".
Errors like the one being reported are typically seen when directories/files
are created by root user in the $TMPDIR and later a non-root user tries to
access those files without any further permission changes. libpam-tmpdir tries
to ensure that temporary files created by one user are not accidentally
accessible to unauthorized users.
During the 10.6.x release cycle a change was introduced that makes this
mistake. It creates files as 'root' and then tries to access them as 'mysql'
user. The problem can be fixed by:
1. Copying the files temporarily created by 'root' user to a location
accessible to the 'mysql' user and then setting proper ownership, or by
2. Creating all the temporary files with 'mysql' user to start with.
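
Added example, not part of the original report and not MariaDB or Debian code: a Python preflight check for the condition the analysis describes, where a temporary directory inherited from the invoking user cannot be used by the account the process later runs as. The directory tree, its modes and the `service` uid are constructed stand-ins for /tmp, /tmp/user/0 and the 'mysql' account; only classic mode bits are evaluated.

```python
import os
import tempfile

def _allowed(st, uid, gids, want):
    """Classic owner/group/other check; ACLs, capabilities and LSMs are ignored."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        bits = (st.st_mode >> 6) & 7
    elif st.st_gid in gids:
        bits = (st.st_mode >> 3) & 7
    else:
        bits = st.st_mode & 7
    return (bits & want) == want

def can_create_in(directory, uid, gids, base="/"):
    """Return (ok, blocking_path) for creating a file in directory as uid/gids.
    Only path components strictly below base are examined."""
    target, base = os.path.realpath(directory), os.path.realpath(base)
    chain, p = [], target
    while p != base and p != os.path.dirname(p):
        chain.append(p)
        p = os.path.dirname(p)
    chain = chain or [target]
    for ancestor in reversed(chain[1:]):   # search (x) needed on each ancestor
        if not _allowed(os.stat(ancestor), uid, gids, 0o1):
            return False, ancestor
    if not _allowed(os.stat(target), uid, gids, 0o3):  # write + search on target
        return False, target
    return True, None

def demo():
    """Constructed tree standing in for /tmp and /tmp/user/0; modes are assumptions."""
    invoker = os.getuid()            # plays the role of root in the report
    service = invoker + 1000         # hypothetical uid playing the 'mysql' account
    with tempfile.TemporaryDirectory() as base:
        shared = os.path.join(base, "tmp")
        private = os.path.join(shared, "user", "0")
        os.makedirs(private)
        os.chmod(shared, 0o1777)
        os.chmod(os.path.dirname(private), 0o711)
        os.chmod(private, 0o700)
        return {
            "invoker_in_private": can_create_in(private, invoker, set(), base)[0],
            "service_in_private": can_create_in(private, service, set(), base)[0],
            "service_in_shared": can_create_in(shared, service, set(), base)[0],
        }

if __name__ == "__main__":
    print(demo())
```

A script that drops privileges could run such a check against $TMPDIR for the target account before starting the daemon and fall back to a directory that account can write to.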