Do not run parts of SysV init script as root if possible

community-mysql.spec

@@ -977,6 +977,7 @@ fi
 - Allow to use MD5 in FIPS mode
   Related: #1449689
 - Remove snippets from mysql-preparep-db-dir.sh that could have security impact
+  Do not run parts of SysV init script as root if possible
   Related: CVE-2017-3312
 
 * Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 5.7.19-4

mysql.init.in

@@ -71,8 +71,8 @@ start(){
 	action $"Starting $prog: " /bin/true
 	ret=0
     else
-        @libexecdir@/mysql-prepare-db-dir $MYUSER $MYGROUP || return 4
         @libexecdir@/mysql-check-socket || return 1
+        su - $MYUSER -s /bin/bash -c "@libexecdir@/mysql-prepare-db-dir $MYUSER $MYGROUP" || return 4
 
 	# Pass all the options determined above, to ensure consistent behavior.
 	# In many cases mysqld_safe would arrive at the same conclusions anyway
@@ -81,13 +81,13 @@ start(){
 	# and some users might prefer to configure logging to syslog.)
 	# Note: set --basedir to prevent probes that might trigger SELinux
 	# alarms, per bug #547485
-	$exec   --datadir="$datadir" --socket="$socketfile" \
+	su - $MYUSER -s /bin/bash -c "$exec   --datadir='$datadir' --socket='$socketfile' \
-		--pid-file="$pidfile" \
+		--pid-file='$pidfile' \
-		--basedir=@prefix@ --user=$MYUSER >/dev/null 2>&1 &
+		--basedir=@prefix@ --user=$MYUSER" >/dev/null 2>&1 &
 	safe_pid=$!
 
 	# Wait until the daemon is up
-        @libexecdir@/mysql-wait-ready "$safe_pid"
+        su - $MYUSER -s /bin/bash -c "@libexecdir@/mysql-wait-ready '$safe_pid'"
         ret=$?
 
 	if [ $ret -eq 0 ]; then