[Bug 375371] Re: MySQL must not use /tmp

2012-04-23 Thread Jamie Strandboge
I think moving tmpdir to /var/tmp/mysql is fine (though remember /var/tmp is not automatically cleaned). This directory would then not be sticky and lack world writes? Would it also be 0700? If it is 0755 then mysql's umask should be 077. -- You received this bug notification because you are a

[Bug 375371] Re: MySQL must not use /tmp

2010-10-20 Thread Clint Byrum
So, now that some time has passed and I've been able to think about this some, I think we should relax the apparmor profile back to the regular tmpdir abstraction. YES it would be more secure to be able to say you can't create files even if you want to because apparmor is restricting users. But

[Bug 375371] Re: MySQL must not use /tmp

2010-09-16 Thread Thierry Carrez
** Changed in: mysql-dfsg-5.1 (Ubuntu) Status: Confirmed => In Progress ** Changed in: mysql-dfsg-5.1 (Ubuntu) Assignee: (unassigned) => Thierry Carrez (ttx) -- MySQL must not use /tmp https://bugs.launchpad.net/bugs/375371 You received this bug notification because you are a member

[Bug 375371] Re: MySQL must not use /tmp

2010-09-16 Thread Thierry Carrez
Proposed branch fails to build, so back to the drawing board :) ** Changed in: mysql-dfsg-5.1 (Ubuntu) Assignee: Thierry Carrez (ttx) => Clint Byrum (clint-fewbar)

[Bug 375371] Re: MySQL must not use /tmp

2010-09-15 Thread Jamie Strandboge
What about this one: c) adjust the automated build tests to use /var/tmp/mysql instead of /tmp

[Bug 375371] Re: MySQL must not use /tmp

2010-09-15 Thread Clint Byrum
Hi Jamie, I did think of that, though I'm glad you brought it up as I should have mentioned it. The build portion of a package must be runnable as a non-root user. The whole point of using /var/tmp/mysql and not the user-tmp abstraction is that it is only accessible by the mysql user. So we

[Bug 375371] Re: MySQL must not use /tmp

2010-09-15 Thread Jamie Strandboge
I'm slightly confused. These build tests are using an installed, live mysql server and create temporary files somewhere in such a way that mysqld needs to read them? If that is the case, then maybe we could add to the mysqld profile something like: owner /var/tmp/mysql/** rwkl, owner

[Bug 375371] Re: MySQL must not use /tmp

2010-09-15 Thread Jamie Strandboge
err... this: # chown mysql:mysql should have been: # chown mysql:mysql /var/tmp/mysql

[Bug 375371] Re: MySQL must not use /tmp

2010-09-15 Thread Clint Byrum
No! These build tests start their own private mysqld as the user running the build step, not as mysql. Further, that mysqld needs to be able to write to the directory during these tests, so the readonly restriction would prevent that. To be fair, if they build-depend on mysql-server-core, and

[Bug 375371] Re: MySQL must not use /tmp

2010-09-15 Thread Jamie Strandboge
/var/tmp/mysql-buildtests was intended to be the location for mysql to read from, but still use --tmpdir /var/tmp/mysql. Based on your comment, this isn't going to work anyway because of the permissions on /var/tmp/mysql and running as non-mysql. Additionally, in discussing this with mdeslaur,

[Bug 375371] Re: MySQL must not use /tmp

2010-09-15 Thread Clint Byrum
Ok, did you want me to post the results of that here, or was that more of an admonition that they should be run in general? From what I see in the code base there, they run as root so /var/tmp/mysql should be fine.

[Bug 375371] Re: MySQL must not use /tmp

2010-09-15 Thread Jamie Strandboge
Sorry for not being clear. This was just strong encouragement that we need to do it in general so that we can catch profiling errors before users see them.

[Bug 375371] Re: MySQL must not use /tmp

2010-09-14 Thread Clint Byrum
I have found at least two instances where the change to restrict mysqld from writing to dirs outside /var/tmp/mysql breaks automated build tests that spawn a mysqld instance to run tests. Given that, we can either a) Modify build tests to copy /usr/sbin/mysqld to the local build dir to run the

[Bug 375371] Re: MySQL must not use /tmp

2010-08-25 Thread Thierry Carrez
MySQL would be stopped and restarted, would that take care of the /tmp backlog ? If not, then it could indeed be an issue. Moving files from /tmp to /var/tmp/mysql would need extra care (to not inject rogue files). Maybe asking MySQL to commit /tmp backlog before upgrade (if that makes sense) is

[Bug 375371] Re: MySQL must not use /tmp

2010-08-25 Thread Clint Byrum
From http://dev.mysql.com/doc/refman/5.1/en/temporary-files.html A replication slave needs some of its temporary files to survive a machine restart so that it can replicate temporary tables or LOAD DATA INFILE operations. If files in the temporary file directory are lost when the server restarts,

[Bug 375371] Re: MySQL must not use /tmp

2010-08-24 Thread Clint Byrum
I ran the mysql-testsuite with the version of the package in the merge proposal. Attaching the results. Looks good to go, though the test suite must be run with both vardir and tmpdir set to directories underneath /var/tmp/mysql, because the mysqld that is spawned must write files somewhere. This

[Bug 375371] Re: MySQL must not use /tmp

2010-08-24 Thread Steve Beattie
Thanks, Clint! I've fixed up the test script in lp:qa-regression-testing to take all this into account.

[Bug 375371] Re: MySQL must not use /tmp

2010-08-24 Thread Clint Byrum
I just had a thought, should we check for un-applied data files in /tmp when upgrading, and move them to /var/tmp/mysql ? If somebody upgrades an active slave, that could be a huge problem.

[Bug 375371] Re: MySQL must not use /tmp

2010-08-20 Thread Clint Byrum
Alright, absent comment I've erred on the side of security. Merge proposal updated to reflect the apparmor/upstart changes necessary to lock down tmpdir to /var/tmp/mysql.

[Bug 375371] Re: MySQL must not use /tmp

2010-08-20 Thread Clint Byrum
One thing that I'm seeing that may need to be documented, is that this breaks mysql-testsuite in its default configuration. Because we can no longer let /usr/sbin/mysqld write to /tmp at will, the test suite won't start without some coaxing. This works sudo -u mysql

[Bug 375371] Re: MySQL must not use /tmp

2010-08-20 Thread Jamie Strandboge
Thanks for your work on this Clint; it is much appreciated. I'd prefer not to adjust the profile for the test suite. @{HOME} in an AppArmor profile does not expand to the process' uid's HOME, but the value of the @{HOME} variable as set in /etc/apparmor.d/tunables/home. As such, this expands

[Bug 375371] Re: MySQL must not use /tmp

2010-08-16 Thread Jamie Strandboge
** This bug has been flagged as a security vulnerability

[Bug 375371] Re: MySQL must not use /tmp

2010-08-16 Thread Jamie Strandboge
Bug #578922 discusses security implications of having MySQL use /tmp as its temporary directory, and I have redirected that part of the discussion of that bug here. Basically, if MySQL can write to a world-readable directory, then an SQL injection in a web application could write out a file to

[Bug 375371] Re: MySQL must not use /tmp

2010-08-16 Thread Clint Byrum
I like it. The FILE permission has caused me quite a bit of pain in the past, and quite a few shops just run mysql with 'ALL PRIVILEGES ON *.*' for their app users because they don't want to deal with grants or don't understand. The only issue would be that if users actually depend on the ability

[Bug 375371] Re: MySQL must not use /tmp

2010-08-13 Thread Clint Byrum
** Tags added: patch

[Bug 375371] Re: MySQL must not use /tmp

2010-08-12 Thread Clint Byrum
** Changed in: mysql-dfsg-5.1 (Ubuntu) Status: Triaged => In Progress ** Changed in: mysql-dfsg-5.1 (Ubuntu) Assignee: (unassigned) => Clint Byrum (clint-fewbar)

[Bug 375371] Re: MySQL must not use /tmp

2010-08-12 Thread Launchpad Bug Tracker
** Branch linked: lp:~clint-fewbar/ubuntu/maverick/mysql-5.1/maverick-beta-papercuts

[Bug 375371] Re: MySQL must not use /tmp

2010-08-03 Thread Thierry Carrez
** Changed in: server-papercuts Importance: Undecided => Medium ** Changed in: server-papercuts Status: New => Confirmed ** Changed in: server-papercuts Milestone: None => maverick-beta

[Bug 375371] Re: MySQL must not use /tmp

2010-08-03 Thread Clint Byrum
** Changed in: server-papercuts Assignee: (unassigned) => Clint Byrum (clint-fewbar)

[Bug 375371] Re: MySQL must not use /tmp

2010-07-08 Thread Clint Byrum
** Also affects: server-papercuts Importance: Undecided Status: New

[Bug 375371] Re: MySQL must not use /tmp

2009-10-23 Thread Phoenix
The default my.cnf still lists /tmp as temp directory ** Changed in: mysql-dfsg-5.0 (Ubuntu) Status: Incomplete => In Progress

[Bug 375371] Re: MySQL must not use /tmp

2009-10-23 Thread Mathias Gug
Please use In Progress if you're actually working on providing a fix and assign yourself to the bug. ** Changed in: mysql-dfsg-5.0 (Ubuntu) Status: In Progress => Triaged

[Bug 375371] Re: MySQL must not use /tmp

2009-10-14 Thread Chuck Short
Thank you for taking the time to report this bug and helping to make Ubuntu better. The issue that you reported is one that should be reproducible with the live environment of the Desktop CD of the development release - Karmic Koala. It would help us greatly if you could test with it so we can

[Bug 375371] Re: MySQL must not use /tmp

2009-09-07 Thread Mathias Gug
** Changed in: mysql-dfsg-5.0 (Ubuntu) Importance: Undecided => Medium

[Bug 375371] Re: MySQL must not use /tmp

2009-05-12 Thread Mathieu Comandon
** Package changed: ubuntu => mysql-dfsg-5.0 (Ubuntu)