From 1209ab5a997512de3eeae177754a9cee4a538095 Mon Sep 17 00:00:00 2001 From: Honza Horak Date: Mon, 31 Jul 2017 18:16:50 +0200 Subject: [PATCH] Include mysqld@.service file and do not run start scripts in the unit file as root --- community-mysql-scripts.patch | 3 +- community-mysql.spec | 7 +++-- mysql.service.in | 6 ++-- mysql@.service.in | 58 +++++++++++++++++++++++++++++++++++ 4 files changed, 68 insertions(+), 6 deletions(-) create mode 100644 mysql@.service.in diff --git a/community-mysql-scripts.patch b/community-mysql-scripts.patch index db6c70b..b1095ff 100644 --- a/community-mysql-scripts.patch +++ b/community-mysql-scripts.patch @@ -1,7 +1,7 @@ diff -rup mysql-5.7.8.orig/scripts/CMakeLists.txt mysql-5.7.8/scripts/CMakeLists.txt --- mysql-5.7.8.orig/scripts/CMakeLists.txt 2015-07-20 14:25:08.000000000 +0200 +++ mysql-5.7.8/scripts/CMakeLists.txt 2015-09-24 10:47:01.733914088 +0200 -@@ -483,6 +483,34 @@ ELSE() +@@ -483,6 +483,35 @@ ELSE() PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ ) ENDIF() @@ -10,6 +10,7 @@ diff -rup mysql-5.7.8.orig/scripts/CMakeLists.txt mysql-5.7.8/scripts/CMakeLists + SET(SYSTEMD_SCRIPTS + mysql.tmpfiles.d + mysql.service ++ mysql@.service + mysql-prepare-db-dir + mysql-wait-ready + mysql-wait-stop diff --git a/community-mysql.spec b/community-mysql.spec index 2b65fe5..3da0661 100644 --- a/community-mysql.spec +++ b/community-mysql.spec @@ -106,6 +106,7 @@ Source14: mysql-check-socket.sh Source15: mysql-scripts-common.sh Source16: mysql-check-upgrade.sh Source17: mysql-wait-stop.sh +Source18: mysql@.service.in Source19: mysql.init.in # To track rpmlint warnings Source30: mysql-5.6.10-rpmlintrc 
@@ -468,7 +469,7 @@ add_test innodb.innodb : missing correct value popd cp %{SOURCE2} %{SOURCE3} %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} \ - %{SOURCE14} %{SOURCE15} %{SOURCE16} %{SOURCE17} %{SOURCE19} %{SOURCE31} scripts + %{SOURCE14} %{SOURCE15} %{SOURCE16} %{SOURCE17} %{SOURCE18} %{SOURCE19} %{SOURCE31} scripts %build # fail quickly and obviously if user tries to build as root @@ -576,6 +577,7 @@ install -D -p -m 0644 scripts/my.cnf %{buildroot}%{_sysconfdir}/my.cnf # install systemd unit files and scripts for handling server startup %if %{with init_systemd} install -D -p -m 644 scripts/mysql.service %{buildroot}%{_unitdir}/%{daemon_name}.service +install -D -p -m 644 scripts/mysql@.service %{buildroot}%{_unitdir}/%{daemon_name}@.service install -D -p -m 0644 scripts/mysql.tmpfiles.d %{buildroot}%{_tmpfilesdir}/%{daemon_name}.conf rm -r %{buildroot}%{_tmpfilesdir}/mysql.conf %endif @@ -979,6 +981,7 @@ fi - Remove snippets from mysql-preparep-db-dir.sh that could have security impact Do not run parts of SysV init script as root if possible Related: CVE-2017-3312 +- Include mysqld@.service file and do not run start scripts in the unit file as root * Wed Aug 02 2017 Fedora Release Engineering - 5.7.19-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild @@ -986,7 +989,7 @@ fi * Wed Jul 26 2017 Fedora Release Engineering - 5.7.19-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild -* Wed Jul 25 2017 Michal Schorm - 5.7.19-2 +* Tue Jul 25 2017 Michal Schorm - 5.7.19-2 - Replication tests in the testsuite enabled, they don't fail anymore - Retry count in the testsuite dropped to 0 diff --git a/mysql.service.in b/mysql.service.in index 32d22c8..256cac2 100644 --- a/mysql.service.in +++ b/mysql.service.in 
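Review bot: The added `install -D -p -m 644 scripts/mysql@.service %{buildroot}%{_unitdir}/%{daemon_name}@.service` line in the `@@ -576,6 +577,7 @@` hunk has no corresponding `%files` entry anywhere in this diff; unless the existing `%files` list already covers it with a glob such as `%{_unitdir}/%{daemon_name}*.service`, rpmbuild will stop with an unpackaged-files error. The `%files` section is outside the shown hunks, so this may already be handled, but it is worth confirming before merging. The other spec hunks (Source18, the cp line, the changelog) are consistent with the new file and need no change.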
@@ -17,6 +17,9 @@ # [Service] # LimitNOFILE=10000 +# Or if you require to execute pre and post scripts in the unit file as root, set +# PermissionsStartOnly=true + # Note: /usr/lib/... is recommended in the .include line though /lib/... # still works. # Don't forget to reload systemd daemon after you change unit configuration: @@ -33,9 +36,6 @@ User=mysql Group=mysql PIDFile=@PID_FILE_DIR@/@DAEMON_NO_PREFIX@.pid -# Execute pre and post scripts as root -PermissionsStartOnly=true - ExecStartPre=@libexecdir@/mysql-check-socket ExecStartPre=@libexecdir@/mysql-prepare-db-dir %n # Note: we set --basedir to prevent probes that might trigger SELinux alarms, diff --git a/mysql@.service.in b/mysql@.service.in new file mode 100644 index 0000000..0f2d58a --- /dev/null +++ b/mysql@.service.in 
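Review bot: Dropping `PermissionsStartOnly=true` in the `@@ -33,9 +36,6 @@` hunk means `mysql-check-socket`, `mysql-prepare-db-dir %n`, `mysql-check-upgrade` and `mysql-wait-stop` now run as `User=mysql`, yet none of those helper scripts is touched by this commit, so the change silently depends on `@PID_FILE_DIR@` and the data directory already existing with mysql ownership (presumably via mysql.tmpfiles.d, which is not shown here) — worth a comment above the ExecStartPre lines stating that assumption. For users who still need root for a single step, the comment added in the first hunk could mention the per-command `+` prefix instead (`ExecStartPre=+@libexecdir@/mysql-prepare-db-dir %n`, systemd 231 and later), which elevates only that one helper rather than every pre/post script as `PermissionsStartOnly=` does. The same consideration applies to the new mysql@.service.in, which is written without `PermissionsStartOnly=` from the start.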
@@ -0,0 +1,58 @@
+# It's not recommended to modify this file in-place, because it will be
+# overwritten during package upgrades. If you want to customize, the
+# best way is to create a file "/etc/systemd/system/@DAEMON_NAME@.service",
+# containing
+# .include /usr/lib/systemd/system/@DAEMON_NAME@.service
+# ...make your changes here...
+# or create a file "/etc/systemd/system/@DAEMON_NAME@.service.d/foo.conf",
+# which doesn't need to include ".include" call and which will be parsed
+# after the file @DAEMON_NAME@.service itself is parsed.
+#
+# For more info about custom unit files, see systemd.unit(5) or
+# http://fedoraproject.org/wiki/Systemd#How_do_I_customize_a_unit_file.2F_add_a_custom_unit_file.3F
+
+# For example, if you want to increase mysql's open-files-limit to 10000,
+# you need to increase systemd's LimitNOFILE setting, so create a file named
+# "/etc/systemd/system/@DAEMON_NAME@.service.d/limits.conf" containing:
+# [Service]
+# LimitNOFILE=10000
+
+# Or if you require to execute pre and post scripts in the unit file as root, set
+# PermissionsStartOnly=true
+
+# Note: /usr/lib/... is recommended in the .include line though /lib/...
+# still works.
+# Don't forget to reload systemd daemon after you change unit configuration:
+# root> systemctl --system daemon-reload
+
+[Unit]
+Description=@NICE_PROJECT_NAME@ @MAJOR_VERSION@.@MINOR_VERSION@ database server
+After=syslog.target
+After=network.target
+
+[Service]
+Type=forking
+User=mysql
+Group=mysql
+PIDFile=@PID_FILE_DIR@/@DAEMON_NO_PREFIX@.pid
+
+ExecStartPre=@libexecdir@/mysql-check-socket
+ExecStartPre=@libexecdir@/mysql-prepare-db-dir %n
+# Note: we set --basedir to prevent probes that might trigger SELinux alarms,
+# per bug #547485
+ExecStart=@libexecdir@/mysqld --defaults-group-suffix=.%I --daemonize --basedir=@prefix@ --pid-file=@PID_FILE_DIR@/@DAEMON_NO_PREFIX@.pid
+ExecStartPost=@libexecdir@/mysql-check-upgrade
+ExecStopPost=@libexecdir@/mysql-wait-stop
+
+# Give a reasonable amount of time for the server to start up/shut down
+TimeoutSec=300
+
+# Place temp files in a secure directory, not /tmp
+PrivateTmp=true
+
+Restart=on-failure
+
+RestartPreventExitStatus=1
+
+[Install]
+WantedBy=multi-user.target
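Review bot: `PIDFile=@PID_FILE_DIR@/@DAEMON_NO_PREFIX@.pid` and the identical `--pid-file=` argument on the ExecStart line contain no instance name, so two instances started from this template (or one instance plus the plain @DAEMON_NAME@.service) would write and track the same PID file and stop each other; because the path is passed on the command line it cannot be overridden from the per-instance option group selected by `--defaults-group-suffix=.%I`. Putting the instance into both places, `PIDFile=@PID_FILE_DIR@/@DAEMON_NO_PREFIX@-%I.pid` and `--pid-file=@PID_FILE_DIR@/@DAEMON_NO_PREFIX@-%I.pid`, keeps the instances separate; whether `mysql-check-socket` and `mysql-prepare-db-dir %n` are instance-aware cannot be seen from this page and should be checked as well. The header comment was copied from the non-template unit and still tells the reader to override `/etc/systemd/system/@DAEMON_NAME@.service`; for this file the override or drop-in should presumably name `@DAEMON_NAME@@.service`, otherwise readers customise the wrong unit.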