From 435e717ad0ea73e3c4af48dbd0b3b6cc495aef82 Mon Sep 17 00:00:00 2001 From: Honza Horak Date: Mon, 31 Jul 2017 18:10:30 +0200 Subject: [PATCH] Do not run parts of SysV init script as root if possible --- community-mysql.spec | 1 + mysql.init.in | 10 +++++----- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/community-mysql.spec b/community-mysql.spec index e2df280..2b65fe5 100644 --- a/community-mysql.spec +++ b/community-mysql.spec @@ -977,6 +977,7 @@ fi - Allow to use MD5 in FIPS mode Related: #1449689 - Remove snippets from mysql-preparep-db-dir.sh that could have security impact + Do not run parts of SysV init script as root if possible Related: CVE-2017-3312 * Wed Aug 02 2017 Fedora Release Engineering - 5.7.19-4 diff --git a/mysql.init.in b/mysql.init.in index e9a34c2..983e50d 100644 --- a/mysql.init.in +++ b/mysql.init.in @@ -71,8 +71,8 @@ start(){ action $"Starting $prog: " /bin/true ret=0 else - @libexecdir@/mysql-prepare-db-dir $MYUSER $MYGROUP || return 4 @libexecdir@/mysql-check-socket || return 1 + su - $MYUSER -s /bin/bash -c "@libexecdir@/mysql-prepare-db-dir $MYUSER $MYGROUP" || return 4 # Pass all the options determined above, to ensure consistent behavior. # In many cases mysqld_safe would arrive at the same conclusions anyway @@ -81,13 +81,13 @@ start(){ # and some users might prefer to configure logging to syslog.) # Note: set --basedir to prevent probes that might trigger SELinux # alarms, per bug #547485 - $exec --datadir="$datadir" --socket="$socketfile" \ - --pid-file="$pidfile" \ - --basedir=@prefix@ --user=$MYUSER >/dev/null 2>&1 & + su - $MYUSER -s /bin/bash -c "$exec --datadir='$datadir' --socket='$socketfile' \ + --pid-file='$pidfile' \ + --basedir=@prefix@ --user=$MYUSER" >/dev/null 2>&1 & safe_pid=$! # Wait until the daemon is up - @libexecdir@/mysql-wait-ready "$safe_pid" + su - $MYUSER -s /bin/bash -c "@libexecdir@/mysql-wait-ready '$safe_pid'" ret=$? if [ $ret -eq 0 ]; then