Re: [Maria-discuss] Critical Update for CVE-2016-6662

Mon, 12 Sep 2016 15:06:41 -0700 


Am 12.09.2016 um 23:58 schrieb Reinis Rozitis:

a service itself *must not* have the permissions to write it's config
files


The safeguard script also reads configuration files from MySQLs data
directory which is writable by the service


[root@srv-rhsoft:~]$ cat /etc/passwd | grep mysql
mysql:x:27:27:MySQL Server:/dev/null:/usr/sbin/nologin

"mysqld_safe" is deleted from packages for 5 years here


Though the author also cowers cases of bad configuration and possible
victims.


"Root-Code-Execution" is clickbait


Since when a CVE is a clickbait ..


the "Root-Code-Execution" part is


maybe someone consideres throw away "mysqld_safe" and stops starting it 
as root anyways since for high ports root permissions where *never* needed

__________________________________

* this below does the same as "mysqld_safe" way cleaner
* it restarts mysqld if it crashs
* it don't contain obscure shell scripts
* systemd don't need pid-files for tracking type=simple
* "mysqld-wait-ready" makes sure depedning service are
  started after the dameon is fully opertional
* no bit of mysql is running as root
__________________________________

[Service]
Type=simple
User=mysql
Group=mysql

ExecStart=/usr/libexec/mysqld --defaults-file=/etc/my.cnf 
--pid-file=/dev/null

ExecStartPost=/usr/libexec/mysqld-wait-ready $MAINPID
Environment="LANG=en_GB.UTF-8"
Restart=always
RestartSec=1
__________________________________

[root@srv-rhsoft:~]$ cat /usr/libexec/mysqld-wait-ready
#!/usr/bin/bash

# Service file passes us the daemon's PID
daemon_pid="$1"

# Wait for the server to come up or for the mysqld process to disappear
ret=0
while /usr/bin/true; do

 RESPONSE=`/usr/bin/mysqladmin --defaults-file=/etc/my.cnf 
--socket=/var/lib/mysql/mysql.sock --user=UNKNOWN_MYSQL_USER ping 2>&1`

 mret=$?
 if [ $mret -eq 0 ]; then
  break
 fi
 # exit codes 1, 11 (EXIT_CANNOT_CONNECT_TO_SERVICE) are expected,
 # anything else suggests a configuration error
 if [ $mret -ne 1 -a $mret -ne 11 ]; then
  ret=1
  break
 fi
 # "Access denied" also means the server is alive
 echo "$RESPONSE" | grep -q "Access denied for user" && break

 # Check process still exists
 if ! /usr/bin/kill -0 $daemon_pid 2>/dev/null; then
  ret=1
  break
 fi
 usleep 100000
done

exit $ret

_______________________________________________
Mailing list: https://launchpad.net/~maria-discuss
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~maria-discuss
More help   : https://help.launchpad.net/ListHelp
























					Reply via email to