- chown --no-dereference instead of chown to improve security

- fix build for ppc64 using -mminimal-toc

OBS-URL: https://build.opensuse.org/package/show/server:database/mariadb?expand=0&rev=129
Michal Hrusecky (old before rename to _miska_) 2013-08-12 12:34:46 +00:00 committed by Git OBS Bridge
parent 9cefabf9c7
commit 45b9473e1f
5 changed files with 21 additions and 12 deletions


@ -4,9 +4,12 @@
%define socketpath /var/run/mysql %define socketpath /var/run/mysql
%endif %endif
%if 0%{?suse_version} > 1140 %if 0%{?suse_version} > 1140
export WARN_DIS="$WARN_DIS -Wno-unused-but-set-variable -fno-strict-aliasing -Wno-unused-parameter " export EXTRA_FLAGS=" -Wno-unused-but-set-variable -fno-strict-aliasing -Wno-unused-parameter "
%endif %endif
export CFLAGS="$RPM_OPT_FLAGS -DPIC -fPIC -DFORCE_INIT_OF_VARS $WARN_DIS " %ifarch ppc64
export EXTRA_FLAGS=" -mminimal-toc "
%endif
export CFLAGS="$RPM_OPT_FLAGS -DPIC -fPIC -DFORCE_INIT_OF_VARS $EXTRA_FLAGS "
export CXXFLAGS="$CFLAGS -fno-exceptions -fno-rtti" export CXXFLAGS="$CFLAGS -fno-exceptions -fno-rtti"
%if 0%{use_cmake} < 1 %if 0%{use_cmake} < 1
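Review bot: On ppc64 with suse_version above 1140, the `%ifarch ppc64` line `export EXTRA_FLAGS=" -mminimal-toc "` replaces the value assigned a few lines earlier instead of extending it, so `-fno-strict-aliasing` and the two `-Wno-…` options appear to drop out of CFLAGS on that architecture. `-fno-strict-aliasing` changes code generation rather than only diagnostics, so losing it can alter how the server is compiled. Appending keeps both sets: `export EXTRA_FLAGS="$EXTRA_FLAGS -mminimal-toc "`. Where neither conditional fires, EXTRA_FLAGS is whatever the build environment already holds, so an explicit `EXTRA_FLAGS=""` before the first `%if` would make the starting value unambiguous.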


@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1 version https://git-lfs.github.com/spec/v1
oid sha256:219b058d331b9ac48e9ee207888ea60adc3e086733e7cda68592a04951bfb30e oid sha256:5e1d7b3da204d4812554888639fd49101b3a2d87c41bac802df35cf794ef088c
size 317 size 312


@ -1,3 +1,9 @@
-------------------------------------------------------------------
Mon Aug 12 14:32:51 CEST 2013 - mhrusecky@suse.cz
- chown --no-dereference instead of chown to improve security
- fix build for ppc64 using -mminimal-toc
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Aug 12 12:25:16 CEST 2013 - mhrusecky@suse.cz Mon Aug 12 12:25:16 CEST 2013 - mhrusecky@suse.cz


@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1 version https://git-lfs.github.com/spec/v1
oid sha256:8d8547e5bd6984bdbff29f6f6f1bfa78a18353a9389c5f47a708d8c52f07fe53 oid sha256:3c9a38335384fb99e0ac76488a2dd72cefa8fbca5f9f2b191c2348ecc64d6b0b
size 13345 size 13306


@ -273,7 +273,7 @@ else
parse_arguments `$print_defaults $defaults mysqld mysql_server` parse_arguments `$print_defaults $defaults mysqld mysql_server`
mkdir -m 755 -p /var/run/mysql mkdir -m 755 -p /var/run/mysql
chown $mysql_daemon_user:$mysql_daemon_group /var/run/mysql chown --no-dereference "$mysql_daemon_user:$mysql_daemon_group" /var/run/mysql
export TEMPDIR="`cat /var/run/mysql/tmpdir 2> /dev/null`" export TEMPDIR="`cat /var/run/mysql/tmpdir 2> /dev/null`"
# Safeguard (relative paths, core dumps..) # Safeguard (relative paths, core dumps..)
@ -292,7 +292,7 @@ else
rm -rf "$TEMPDIR" rm -rf "$TEMPDIR"
fi fi
TEMPDIR="`mktemp -d -p /var/tmp mysql.XXXXXX | tee /var/run/mysql/tmpdir`" TEMPDIR="`mktemp -d -p /var/tmp mysql.XXXXXX | tee /var/run/mysql/tmpdir`"
[ -z "$TEMPDIR" ] || chown "$mysql_daemon_user:$mysql_daemon_group" "$TEMPDIR" [ -z "$TEMPDIR" ] || chown --no-dereference "$mysql_daemon_user:$mysql_daemon_group" "$TEMPDIR"
[ "`ls -ld "$TEMPDIR" | grep "^drwx------[\\.\+]\?[[:blank:]]\+[0-9]\+[[:blank:]]\+$mysql_daemon_user[[:blank:]]\+$mysql_daemon_group[[:blank:]]\+.*"`" ] || { [ "`ls -ld "$TEMPDIR" | grep "^drwx------[\\.\+]\?[[:blank:]]\+[0-9]\+[[:blank:]]\+$mysql_daemon_user[[:blank:]]\+$mysql_daemon_group[[:blank:]]\+.*"`" ] || {
echo "Can't create secure $TEMPDIR" echo "Can't create secure $TEMPDIR"
rc_failed; rc_status -v; rc_exit; rc_failed; rc_status -v; rc_exit;
@ -331,7 +331,7 @@ else
mkdir -p "$log_dir" mkdir -p "$log_dir"
fi fi
chmod 770 "$log_dir" chmod 770 "$log_dir"
chown -R mysql:mysql "$log_dir" chown -R --no-dereference mysql:mysql "$log_dir"
done done
MYSQLVER="`mysqld --version | sed 's|.*Ver\ *\([^\ ]*\)\.[0-9]\+[\-\ ].*|\1|'`" MYSQLVER="`mysqld --version | sed 's|.*Ver\ *\([^\ ]*\)\.[0-9]\+[\-\ ].*|\1|'`"
@ -418,7 +418,7 @@ else
# reloads privileges tables, so we can get lock out # reloads privileges tables, so we can get lock out
for cmd in "/usr/bin/mysql_upgrade" \ for cmd in "/usr/bin/mysql_upgrade" \
"/usr/bin/mysql_upgrade"; do "/usr/bin/mysql_upgrade"; do
[ -z "$protected" ] || chown "$mysql_daemon_user:$mysql_daemon_group" "$protected" [ -z "$protected" ] || chown --no-dereference "$mysql_daemon_user:$mysql_daemon_group" "$protected"
[ "`ls -ld "$protected" | grep "^drwx------[\\.\+]\?[[:blank:]]\+[0-9]\+[[:blank:]]\+$mysql_daemon_user[[:blank:]]\+$mysql_daemon_group[[:blank:]]\+.*"`" ] || { [ "`ls -ld "$protected" | grep "^drwx------[\\.\+]\?[[:blank:]]\+[0-9]\+[[:blank:]]\+$mysql_daemon_user[[:blank:]]\+$mysql_daemon_group[[:blank:]]\+.*"`" ] || {
echo "Can't create secure $protected" | tee -a "$log_upgrade" echo "Can't create secure $protected" | tee -a "$log_upgrade"
touch /var/lib/mysql/.run-mysql_upgrade touch /var/lib/mysql/.run-mysql_upgrade
@ -481,12 +481,12 @@ else
rm -rf "$protected" rm -rf "$protected"
# Fix ownerships and permissions for $datadir # Fix ownerships and permissions for $datadir
chmod 750 "$datadir" chmod 750 "$datadir"
chown -R "$mysql_daemon_user:$mysql_daemon_group" "$datadir" chown -R --no-dereference "$mysql_daemon_user:$mysql_daemon_group" "$datadir"
rm -f /var/adm/update-messages/mysql-* rm -f /var/adm/update-messages/mysql-*
rm -f /var/lib/mysql/.run-mysql_upgrade rm -f /var/lib/mysql/.run-mysql_upgrade
rm -f /var/lib/mysql/.force_upgrade rm -f /var/lib/mysql/.force_upgrade
rm -f "$datadir"/{update-stamp-*,mysql/stamp-4.1} # used in the past rm -f "$datadir"/{update-stamp-*,mysql/stamp-4.1} # used in the past
chown "$mysql_daemon_user:$mysql_daemon_group" "$log_upgrade" chown --no-dereference "$mysql_daemon_user:$mysql_daemon_group" "$log_upgrade"
chmod 640 "$log_upgrade" chmod 640 "$log_upgrade"
fi fi
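Review bot: `--no-dereference` covers symbolic links only, so the two recursive calls that run as root over trees the daemon account can write to, `chown -R --no-dereference mysql:mysql "$log_dir"` and `chown -R --no-dereference "$mysql_daemon_user:$mysql_daemon_group" "$datadir"`, still change the owner of whatever a hard link inside those trees refers to. If the recursion is only there to repair ownership after an upgrade, consider chowning just the directory on start, e.g. `chown --no-dereference "$mysql_daemon_user:$mysql_daemon_group" "$log_dir"`, and leaving the full fix-up to package installation, or note in a comment that the script relies on the kernel's `fs.protected_hardlinks` setting. The `$log_dir` call also hard-codes `mysql:mysql` while every other call uses the configured user and group variables. The enclosing `else` branch starts outside the hunks shown.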