From cc8871cde2b8cc1326852f8472d0498f95c418a98f95aa01f5f2e931bf35184a Mon Sep 17 00:00:00 2001 From: Dominique Leuenberger Date: Tue, 30 May 2017 14:00:01 +0000 Subject: [PATCH] Accepting request 499775 from home:favogt:branches:server:database - Add mariadb-10.1.22-xtradb_null_checks.patch (boo#1041525) (See also https://jira.mariadb.org/browse/MDEV-12358) - switch from '/var/run' to '/run' as /var/run is just a symlink to /run - fix permissions for /var/run/mysql that were wrongly set to 700 instead of 755 due to added umask. This prevented non-root from connecting to the database [bsc#1038740] - change permissions of the configuration dir/files to 755/644. Please note that storing the password in the /etc/my.cnf file is not safe. Use for example an option file that is accessible only by yourself [bsc#889126] - set the default umask to 077 in mysql-systemd-helper [bsc#1020976] OBS-URL: https://build.opensuse.org/request/show/499775 OBS-URL: https://build.opensuse.org/package/show/server:database/mariadb?expand=0&rev=191 --- README.SUSE | 2 +- configuration-tweaks.tar.xz | 4 ++-- mariadb.changes | 15 +++++++++++++++ mariadb.spec | 8 ++++---- my.ini | 11 +++++++---- mysql-patches.tar.xz | 4 ++-- mysql-systemd-helper | 21 +++++++++++++-------- series | 1 + 8 files changed, 45 insertions(+), 21 deletions(-) diff --git a/README.SUSE b/README.SUSE index 6ce1c04..8d7bd45 100644 --- a/README.SUSE +++ b/README.SUSE @@ -35,7 +35,7 @@ made some manual adjustments to your /etc/my.cnf, try to merge this file with File locations changes: - MySQL socket file and pid file were moved from /var/lib/mysql to more - reasonable location ( /var/run/mysql ) by default. + reasonable location ( /run/mysql ) by default. - MySQL log files are in /var/log/mysql. 3) BerkeleyDB: diff --git a/configuration-tweaks.tar.xz b/configuration-tweaks.tar.xz index 45ba28c..0e479ae 100644 --- a/configuration-tweaks.tar.xz +++ b/configuration-tweaks.tar.xz 
@@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:182f496096993eaebf7d94ee7f897c091def2d12f96235b6a8d1b4c65246e7f0 -size 568 +oid sha256:851e21785b81a17512093dbfac98c8d10752bc571e7e57b5b44dc7db0aa6d52a +size 564 diff --git a/mariadb.changes b/mariadb.changes index 10f79f2..6987e32 100644 --- a/mariadb.changes +++ b/mariadb.changes @@ -1,3 +1,18 @@ +------------------------------------------------------------------- +Tue May 30 13:12:47 UTC 2017 - fvogt@suse.com + +- Add mariadb-10.1.22-xtradb_null_checks.patch (boo#1041525) + (See also https://jira.mariadb.org/browse/MDEV-12358) +- switch from '/var/run' to '/run' as /var/run is just a symlink to /run +- fix permissions for /var/run/mysql that were wrongly set to + 700 instead of 755 due to added umask. This prevented non-root + from connecting to the database [bsc#1038740] +- change permissions of the configuration dir/files to 755/644. + Please note that storing the password in the /etc/my.cnf file is + not safe. Use for example an option file that is accessible only + by yourself [bsc#889126] +- set the default umask to 077 in mysql-systemd-helper [bsc#1020976] + ------------------------------------------------------------------- Tue Apr 11 13:35:46 UTC 2017 - kstreitova@suse.com diff --git a/mariadb.spec b/mariadb.spec index 7bd442c..4b2cda8 100644 --- a/mariadb.spec +++ b/mariadb.spec @@ -544,7 +544,7 @@ for i in "${DOCS[@]}"; do install -m 644 "${i}" "${DOCDIR}" || true done # Default configuration file -install -m 660 %{SOURCE14} %{buildroot}%{_sysconfdir}/my.cnf +install -m 664 %{SOURCE14} %{buildroot}%{_sysconfdir}/my.cnf # Systemd/initscript install -D -m 755 %{_sourcedir}/mysql-systemd-helper '%{buildroot}'%{_libexecdir}/mysql/mysql-systemd-helper 
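Review bot: In the mariadb.spec hunk at -544,7, `install -m 664` leaves my.cnf group-writable in the buildroot, which does not match the 644 that this commit declares in `%files` and in the changelog. The `%attr(0644, root, mysql)` entry presumably decides the packaged mode, so the effect is likely confined to the build tree, but the two should agree: `install -m 644 %{SOURCE14} %{buildroot}%{_sysconfdir}/my.cnf`. The %install section starts and ends outside the hunk.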
@@ -744,9 +744,9 @@ rm -f %{_localstatedir}/adm/update-messages/%{name}-%{version}-%{release} %files -f mysql.files %defattr(-, root, root) -%config(noreplace) %attr(0640, root, mysql) %{_sysconfdir}/my.cnf -%dir %attr(0750, root, mysql) %{_sysconfdir}/my.cnf.d -%config(noreplace) %attr(0640, root, mysql) %{_sysconfdir}/my.cnf.d/* +%config(noreplace) %attr(0644, root, mysql) %{_sysconfdir}/my.cnf +%dir %attr(0755, root, mysql) %{_sysconfdir}/my.cnf.d +%config(noreplace) %attr(0644, root, mysql) %{_sysconfdir}/my.cnf.d/* %config %{_sysconfdir}/logrotate.d/%{name} %doc %{_defaultdocdir}/%{name} %dir %{_libexecdir}/mysql diff --git a/my.ini b/my.ini index 634bada..19a87bf 100644 --- a/my.ini +++ b/my.ini @@ -2,11 +2,14 @@ # It is based on upstream defaults with some additional examples. -# The following options will be passed to all MariaDB clients +# The following options will be passed to all MySQL/MariaDB clients [client] -# password = your_password +# Please note that storing the password in this file is not safe. For this +# purpose you can, for example, list your password in the [client] section +# of the '~/.my.cnf' configuration file with an access mode set to 400 or 600. +# password = your_password # port = 3306 -# socket = /var/run/mysql/mysql.sock +# socket = /run/mysql/mysql.sock [mysqld] @@ -38,7 +41,7 @@ server-id = 1 # These are commonly set, remove the # and set as required. # port = 3306 -# socket = /var/run/mysql/mysql.sock +# socket = /run/mysql/mysql.sock # Don't listen on a TCP/IP port at all. This can be a security enhancement, # if all processes that need to connect to mysqld run on the same host. diff --git a/mysql-patches.tar.xz b/mysql-patches.tar.xz index af0e945..1a5ef8e 100644 --- a/mysql-patches.tar.xz +++ b/mysql-patches.tar.xz 
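Review bot: In the `%files` hunk at -744,9, opening `%{_sysconfdir}/my.cnf.d` from 0750 to 0755 also exposes any drop-in file an admin created there that relied on the directory mode to keep local users out, and nothing in the package checks for that. The my.ini comment warns against storing a password, but only for someone reading the new template. Since the context line shows this spec already uses `%{_localstatedir}/adm/update-messages/`, an update message telling admins to move `password` entries into a private option file would cover existing installs. A spec comment above the three entries would record the intent, for example `# world-readable by design (bsc#889126): no credentials in these files`.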
@@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:0019be3884b882b55fedae019233490e90c51f6906f1d8181b55ed43d46bad51 -size 11952 +oid sha256:cc0841d11b85109131ed973648058f6a254224c0aa4b06f61a475cb226719d7b +size 12112 diff --git a/mysql-systemd-helper b/mysql-systemd-helper index 80aa2ce..c2b1f72 100644 --- a/mysql-systemd-helper +++ b/mysql-systemd-helper @@ -12,10 +12,10 @@ read_config() { mysql_daemon_group=mysql if [[ -z "$INSTANCE" ]]; then datadir=/var/lib/mysql - socket="/var/run/mysql/mysql.sock" + socket="/run/mysql/mysql.sock" else datadir="/var/lib/mysql-$INSTANCE" - socket="/var/run/mysql/mysql.${INSTANCE}.sock" + socket="/run/mysql/mysql.${INSTANCE}.sock" fi # Read options - important for multi setup @@ -75,7 +75,7 @@ mysql_upgrade() { echo "Trying to run upgrade of MySQL databases..." # Check whether upgrade process is not already running - protected="$(cat "/var/run/mysql/protecteddir.$INSTANCE" 2> /dev/null)" + protected="$(cat "/run/mysql/protecteddir.$INSTANCE" 2> /dev/null)" if [[ -n "$protected" && -d "$protected" ]]; then pid="$(cat "$protected/mysqld.pid" 2> /dev/null)" if [[ "$pid" && -d "/proc/$pid" ]] && @@ -84,10 +84,10 @@ mysql_upgrade() { else echo "Stale files from previous upgrade detected, cleaned them up" rm -rf "$protected" - rm -f "/var/run/mysql/protecteddir.$INSTANCE" + rm -f "/run/mysql/protecteddir.$INSTANCE" fi fi - protected="$(mktemp -d -p /var/tmp mysql-protected.XXXXXX | tee "/var/run/mysql/protecteddir.$INSTANCE")" + protected="$(mktemp -d -p /var/tmp mysql-protected.XXXXXX | tee "/run/mysql/protecteddir.$INSTANCE")" [ -n "$protected" ] || die "Can't create a tmp dir '$protected'" # Create a secure tmp dir @@ -134,7 +134,7 @@ mysql_upgrade() { # Cleanup echo "Final cleanup" if [[ -z "$up_ok" ]]; then - rm -rf "$protected" "/var/run/mysql/protecteddir.$INSTANCE" + rm -rf "$protected" "/run/mysql/protecteddir.$INSTANCE" else die "Something failed during upgrade, please check logs" fi 
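Review bot: In the mysql_upgrade hunks (-75,7, -84,10 and -134,7), the path read back from `/run/mysql/protecteddir.$INSTANCE` reaches `rm -rf "$protected"` after only `-n` and `-d` tests, while the last hunk of this file chowns /run/mysql to the daemon user. If the helper runs with more privilege than that user (not visible on this page), the value should be matched against the name `mktemp` produces before it is trusted: `if [[ "$protected" =~ ^/var/tmp/mysql-protected\.[[:alnum:]]{6}$ && -d "$protected" ]]; then`. A comment above the `cat` would record why, such as `# protecteddir.* sits in a daemon-owned directory; validate its content before use`. mysql_upgrade starts and ends outside these hunks.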
@@ -167,10 +167,15 @@ mysql_start() { # We rely on output in english at some points LC_ALL=C +# set the default umask bsc#1020976 +umask 077 + INSTANCE="$2" read_config -mkdir -p /var/run/mysql -chown --no-dereference "$mysql_daemon_user:$mysql_daemon_group" /var/run/mysql +mkdir -p /run/mysql +# fix permissions for /run/mysql (bsc#1038740) +chmod 755 /run/mysql +chown --no-dereference "$mysql_daemon_user:$mysql_daemon_group" /run/mysql case "$1" in install) mysql_install ;; diff --git a/series b/series index d4dbee5..86a7b52 100644 --- a/series +++ b/series @@ -10,3 +10,4 @@ mariadb-10.0.15-logrotate-su.patch mariadb-10.1.12-fortify-and-O.patch mariadb-10.1.16-systemd-cmake.patch mariadb-10.1.18-mysql_install_db-mariadb_dirs.patch +mariadb-10.1.22-xtradb_null_checks.patch
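Review bot: The directory setup in the -167,10 hunk runs `mkdir`, `chmod` and `chown` with no status check. If `chmod 755` fails on a freshly created directory, /run/mysql keeps the 700 mode that the new `umask 077` gives it, which is the bsc#1038740 symptom, and the helper carries on. Chaining the three and using the `die` helper already used in mysql_upgrade makes the failure visible: `mkdir -p /run/mysql && chmod 755 /run/mysql && chown --no-dereference "$mysql_daemon_user:$mysql_daemon_group" /run/mysql || die "Can't prepare /run/mysql"`. The comment on the umask line could also say that it applies to every file the helper creates afterwards, so anything meant to be shared needs an explicit mode. The top-level statements continue past the end of the hunk.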