Do not run parts of SysV init script as root if possible

2017-07-31 18:10:30 +02:00 · 2017-07-31 18:10:30 +02:00 · 435e717ad0
commit 435e717ad0
parent dd8b0ea730
2 changed files with 6 additions and 5 deletions
--- a/community-mysql.spec
+++ b/community-mysql.spec
@ -977,6 +977,7 @@ fi
 - Allow to use MD5 in FIPS mode
  Related: #1449689
 - Remove snippets from mysql-preparep-db-dir.sh that could have security impact
+  Do not run parts of SysV init script as root if possible
  Related: CVE-2017-3312

 * Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 5.7.19-4
--- a/mysql.init.in
+++ b/mysql.init.in
@ -71,8 +71,8 @@ start(){
 	action $"Starting $prog: " /bin/true
 	ret=0
    else
-        @libexecdir@/mysql-prepare-db-dir $MYUSER $MYGROUP || return 4
        @libexecdir@/mysql-check-socket || return 1
+        su - $MYUSER -s /bin/bash -c "@libexecdir@/mysql-prepare-db-dir $MYUSER $MYGROUP" || return 4

 	# Pass all the options determined above, to ensure consistent behavior.
 	# In many cases mysqld_safe would arrive at the same conclusions anyway
@ -81,13 +81,13 @@ start(){
 	# and some users might prefer to configure logging to syslog.)
 	# Note: set --basedir to prevent probes that might trigger SELinux
 	# alarms, per bug #547485
-	$exec   --datadir="$datadir" --socket="$socketfile" \
-		--pid-file="$pidfile" \
-		--basedir=@prefix@ --user=$MYUSER >/dev/null 2>&1 &
+	su - $MYUSER -s /bin/bash -c "$exec   --datadir='$datadir' --socket='$socketfile' \
+		--pid-file='$pidfile' \
+		--basedir=@prefix@ --user=$MYUSER" >/dev/null 2>&1 &
 	safe_pid=$!

 	# Wait until the daemon is up
-        @libexecdir@/mysql-wait-ready "$safe_pid"
+        su - $MYUSER -s /bin/bash -c "@libexecdir@/mysql-wait-ready '$safe_pid'"
        ret=$?

 	if [ $ret -eq 0 ]; then