Remove snippets from mysql-preparep-db-dir.sh that could have security impact
Related: CVE-2017-3312
This commit is contained in:
parent
6a32704ac7
commit
59dd61704a
@ -976,6 +976,8 @@ fi
|
|||||||
* Fri Aug 04 2017 Honza Horak <hhorak@redhat.com> - 5.7.19-5
|
* Fri Aug 04 2017 Honza Horak <hhorak@redhat.com> - 5.7.19-5
|
||||||
- Allow to use MD5 in FIPS mode
|
- Allow to use MD5 in FIPS mode
|
||||||
Related: #1449689
|
Related: #1449689
|
||||||
|
- Remove snippets from mysql-preparep-db-dir.sh that could have security impact
|
||||||
|
Related: CVE-2017-3312
|
||||||
|
|
||||||
* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 5.7.19-4
|
* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 5.7.19-4
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
|
||||||
|
@ -2,6 +2,16 @@
|
|||||||
|
|
||||||
# This script creates the mysql data directory during first service start.
|
# This script creates the mysql data directory during first service start.
|
||||||
# In subsequent starts, it does nothing much.
|
# In subsequent starts, it does nothing much.
|
||||||
|
#
|
||||||
|
# This script is meant to be run as non-root user either during initscript
|
||||||
|
# or systemd service execution, before starting the mysqld daemon.
|
||||||
|
# Running it as root may have some security risks, because it touches files
|
||||||
|
# that can be symlinks pointing to unexpected locations.
|
||||||
|
#
|
||||||
|
# On the other hand, when using non-standard locations for datadir and logfile,
|
||||||
|
# this script might not be able to create the files and the daemon won't start
|
||||||
|
# properly. A solution for that is to created the locations for datadir and
|
||||||
|
# logfile with correct ownership before starting the daemon.
|
||||||
|
|
||||||
source "`dirname ${BASH_SOURCE[0]}`/mysql-scripts-common"
|
source "`dirname ${BASH_SOURCE[0]}`/mysql-scripts-common"
|
||||||
|
|
||||||
@ -36,36 +46,51 @@ else
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
# Set up the errlogfile with appropriate permissions
|
# Set up the errlogfile with appropriate permissions
|
||||||
touch "$errlogfile"
|
if [ ! -e "$errlogfile" -a ! -h "$errlogfile" -a x$(dirname "$errlogfile") = "x/var/log" ]; then
|
||||||
ret=$?
|
case $(basename "$errlogfile") in
|
||||||
# Provide some advice if the log file cannot be touched
|
mysql*.log|mariadb*.log) install /dev/null -m0640 -o$myuser -g$mygroup "$errlogfile" ;;
|
||||||
if [ $ret -ne 0 ] ; then
|
*) ;;
|
||||||
errlogdir=$(dirname $errlogfile)
|
esac
|
||||||
|
else
|
||||||
|
# Provide some advice if the log file cannot be created by this script
|
||||||
|
errlogdir=$(dirname "$errlogfile")
|
||||||
if ! [ -d "$errlogdir" ] ; then
|
if ! [ -d "$errlogdir" ] ; then
|
||||||
echo "The directory $errlogdir does not exist."
|
echo "The directory $errlogdir does not exist."
|
||||||
elif [ -f "$errlogfile" ] ; then
|
exit 1
|
||||||
echo "The log file $errlogfile cannot be touched, please, fix its permissions."
|
elif [ -e "$errlogfile" -a ! -w "$errlogfile" ] ; then
|
||||||
else
|
echo "The log file $errlogfile cannot be written, please, fix its permissions."
|
||||||
echo "The log file $errlogfile could not be created."
|
echo "The daemon will be run under $myuser:$mygroup"
|
||||||
|
exit 1
|
||||||
fi
|
fi
|
||||||
echo "The daemon will be run under $myuser:$mygroup"
|
|
||||||
exit 1
|
|
||||||
fi
|
fi
|
||||||
chown "$myuser:$mygroup" "$errlogfile"
|
|
||||||
chmod 0640 "$errlogfile"
|
|
||||||
[ -x /sbin/restorecon ] && /sbin/restorecon "$errlogfile"
|
|
||||||
|
|
||||||
# Make the data directory
|
|
||||||
if [ ! -d "$datadir/mysql" ] ; then
|
|
||||||
# First, make sure $datadir is there with correct permissions
|
export LC_ALL=C
|
||||||
# (note: if it's not, and we're not root, this'll fail ...)
|
|
||||||
if [ ! -e "$datadir" -a ! -h "$datadir" ]
|
# Returns content of the specified directory
|
||||||
then
|
# If listing files fails, fake-file is returned so which means
|
||||||
mkdir -p "$datadir" || exit 1
|
# we'll behave like there was some data initialized
|
||||||
fi
|
# Some files or directories are fine to be there, so those are
|
||||||
chown "$myuser:$mygroup" "$datadir"
|
# explicitly removed from the listing
|
||||||
chmod 0755 "$datadir"
|
# @param <dir> datadir
|
||||||
[ -x /sbin/restorecon ] && /sbin/restorecon "$datadir"
|
list_datadir ()
|
||||||
|
{
|
||||||
|
( ls -1A "$1" 2>/dev/null || echo "fake-file" ) | grep -v \
|
||||||
|
-e '^lost+found$' \
|
||||||
|
-e '\.err$' \
|
||||||
|
-e '^\.bash_history$'
|
||||||
|
}
|
||||||
|
|
||||||
|
# Checks whether datadir should be initialized
|
||||||
|
# @param <dir> datadir
|
||||||
|
should_initialize ()
|
||||||
|
{
|
||||||
|
test -z "$(list_datadir "$1")"
|
||||||
|
}
|
||||||
|
|
||||||
|
# Make the data directory if doesn't exist or empty
|
||||||
|
if should_initialize "$datadir" ; then
|
||||||
|
|
||||||
# Now create the database
|
# Now create the database
|
||||||
echo "Initializing @NICE_PROJECT_NAME@ database"
|
echo "Initializing @NICE_PROJECT_NAME@ database"
|
||||||
@ -82,8 +107,6 @@ if [ ! -d "$datadir/mysql" ] ; then
|
|||||||
fi
|
fi
|
||||||
# upgrade does not need to be run on a fresh datadir
|
# upgrade does not need to be run on a fresh datadir
|
||||||
echo "@VERSION@" >"$datadir/mysql_upgrade_info"
|
echo "@VERSION@" >"$datadir/mysql_upgrade_info"
|
||||||
# In case we're running as root, make sure files are owned properly
|
|
||||||
chown -R "$myuser:$mygroup" "$datadir"
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
exit 0
|
exit 0
|
||||||
|
Loading…
Reference in New Issue
Block a user