rpms/mysql
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Remove snippets from mysql-preparep-db-dir.sh that could have security impact

Browse Source 
Related: CVE-2017-3312
This commit is contained in:
Honza Horak 2017-07-31 18:08:50 +02:00
parent 87ebae8cab
commit dd8b0ea730
2 changed files with 52 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
community-mysql.spec
View File

@ -976,6 +976,8 @@ fi
* Fri Aug 04 2017 Honza Horak <hhorak@redhat.com> - 5.7.19-5 * Fri Aug 04 2017 Honza Horak <hhorak@redhat.com> - 5.7.19-5
- Allow to use MD5 in FIPS mode - Allow to use MD5 in FIPS mode
Related: #1449689 Related: #1449689
- Remove snippets from mysql-preparep-db-dir.sh that could have security impact
Related: CVE-2017-3312
* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 5.7.19-4 * Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 5.7.19-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild

77
mysql-prepare-db-dir.sh
View File

@ -2,6 +2,16 @@
# This script creates the mysql data directory during first service start. # This script creates the mysql data directory during first service start.
# In subsequent starts, it does nothing much. # In subsequent starts, it does nothing much.
#
# This script is meant to be run as non-root user either during initscript
# or systemd service execution, before starting the mysqld daemon.
# Running it as root may have some security risks, because it touches files
# that can be symlinks pointing to unexpected locations.
#
# On the other hand, when using non-standard locations for datadir and logfile,
# this script might not be able to create the files and the daemon won't start
# properly. A solution for that is to created the locations for datadir and
# logfile with correct ownership before starting the daemon.
source "`dirname ${BASH_SOURCE[0]}`/mysql-scripts-common" source "`dirname ${BASH_SOURCE[0]}`/mysql-scripts-common"
@ -36,36 +46,51 @@ else
fi fi
# Set up the errlogfile with appropriate permissions # Set up the errlogfile with appropriate permissions
touch "$errlogfile" if [ ! -e "$errlogfile" -a ! -h "$errlogfile" -a x$(dirname "$errlogfile") = "x/var/log" ]; then
ret=$? case $(basename "$errlogfile") in
# Provide some advice if the log file cannot be touched mysql*.log|mariadb*.log) install /dev/null -m0640 -o$myuser -g$mygroup "$errlogfile" ;;
if [ $ret -ne 0 ] ; then *) ;;
errlogdir=$(dirname $errlogfile) esac
else
# Provide some advice if the log file cannot be created by this script
errlogdir=$(dirname "$errlogfile")
if ! [ -d "$errlogdir" ] ; then if ! [ -d "$errlogdir" ] ; then
echo "The directory $errlogdir does not exist." echo "The directory $errlogdir does not exist."
elif [ -f "$errlogfile" ] ; then exit 1
echo "The log file $errlogfile cannot be touched, please, fix its permissions." elif [ -e "$errlogfile" -a ! -w "$errlogfile" ] ; then
else echo "The log file $errlogfile cannot be written, please, fix its permissions."
echo "The log file $errlogfile could not be created." echo "The daemon will be run under $myuser:$mygroup"
exit 1
fi fi
echo "The daemon will be run under $myuser:$mygroup"
exit 1
fi fi
chown "$myuser:$mygroup" "$errlogfile"
chmod 0640 "$errlogfile"
[ -x /sbin/restorecon ] && /sbin/restorecon "$errlogfile"
# Make the data directory
if [ ! -d "$datadir/mysql" ] ; then
# First, make sure $datadir is there with correct permissions export LC_ALL=C
# (note: if it's not, and we're not root, this'll fail ...)
if [ ! -e "$datadir" -a ! -h "$datadir" ] # Returns content of the specified directory
then # If listing files fails, fake-file is returned so which means
mkdir -p "$datadir" || exit 1 # we'll behave like there was some data initialized
fi # Some files or directories are fine to be there, so those are
chown "$myuser:$mygroup" "$datadir" # explicitly removed from the listing
chmod 0755 "$datadir" # @param <dir> datadir
[ -x /sbin/restorecon ] && /sbin/restorecon "$datadir" list_datadir ()
{
( ls -1A "$1" 2>/dev/null || echo "fake-file" ) | grep -v \
-e '^lost+found$' \
-e '\.err$' \
-e '^\.bash_history$'
}
# Checks whether datadir should be initialized
# @param <dir> datadir
should_initialize ()
{
test -z "$(list_datadir "$1")"
}
# Make the data directory if doesn't exist or empty
if should_initialize "$datadir" ; then
# Now create the database # Now create the database
echo "Initializing @NICE_PROJECT_NAME@ database" echo "Initializing @NICE_PROJECT_NAME@ database"
@ -82,8 +107,6 @@ if [ ! -d "$datadir/mysql" ] ; then
fi fi
# upgrade does not need to be run on a fresh datadir # upgrade does not need to be run on a fresh datadir
echo "@VERSION@" >"$datadir/mysql_upgrade_info" echo "@VERSION@" >"$datadir/mysql_upgrade_info"
# In case we're running as root, make sure files are owned properly
chown -R "$myuser:$mygroup" "$datadir"
fi fi
exit 0 exit 0