Accepting request 499775 from home:favogt:branches:server:database

- Add mariadb-10.1.22-xtradb_null_checks.patch (boo#1041525) (See also https://jira.mariadb.org/browse/MDEV-12358) - switch from '/var/run' to '/run' as /var/run is just a symlink to /run - fix permissions for /var/run/mysql that were wrongly set to 700 instead of 755 due to added umask. This prevented non-root from connecting to the database [bsc#1038740] - change permissions of the configuration dir/files to 755/644. Please note that storing the password in the /etc/my.cnf file is not safe. Use for example an option file that is accessible only by yourself [bsc#889126] - set the default umask to 077 in mysql-systemd-helper [bsc#1020976] OBS-URL: https://build.opensuse.org/request/show/499775 OBS-URL: https://build.opensuse.org/package/show/server:database/mariadb?expand=0&rev=191
2017-05-30 14:00:01 +00:00 · 2017-05-30 14:00:01 +00:00 · cc8871cde2
commit cc8871cde2
parent 407577a0ad
8 changed files with 45 additions and 21 deletions
--- a/README.SUSE
+++ b/README.SUSE
@ -35,7 +35,7 @@ made some manual adjustments to your /etc/my.cnf, try to merge this file with

 File locations changes:
 - MySQL socket file and pid file were moved from /var/lib/mysql to more
-   reasonable location ( /var/run/mysql ) by default.
+   reasonable location ( /run/mysql ) by default.
 - MySQL log files are in /var/log/mysql.

 3) BerkeleyDB:
--- a/configuration-tweaks.tar.xz
+++ b/configuration-tweaks.tar.xz
@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:182f496096993eaebf7d94ee7f897c091def2d12f96235b6a8d1b4c65246e7f0
-size 568
+oid sha256:851e21785b81a17512093dbfac98c8d10752bc571e7e57b5b44dc7db0aa6d52a
+size 564
--- a/mariadb.changes
+++ b/mariadb.changes
@ -1,3 +1,18 @@
+-------------------------------------------------------------------
+Tue May 30 13:12:47 UTC 2017 - fvogt@suse.com
+
+- Add mariadb-10.1.22-xtradb_null_checks.patch (boo#1041525)
+  (See also https://jira.mariadb.org/browse/MDEV-12358)
+- switch from '/var/run' to '/run' as /var/run is just a symlink to /run
+- fix permissions for /var/run/mysql that were wrongly set to
+  700 instead of 755 due to added umask. This prevented non-root
+  from connecting to the database [bsc#1038740]
+- change permissions of the configuration dir/files to 755/644.
+  Please note that storing the password in the /etc/my.cnf file is
+  not safe. Use for example an option file that is accessible only
+  by yourself [bsc#889126]
+- set the default umask to 077 in mysql-systemd-helper [bsc#1020976]
+
 -------------------------------------------------------------------
 Tue Apr 11 13:35:46 UTC 2017 - kstreitova@suse.com

--- a/mariadb.spec
+++ b/mariadb.spec
@ -544,7 +544,7 @@ for i in "${DOCS[@]}"; do
 	install -m 644 "${i}" "${DOCDIR}" || true
 done
 # Default configuration file
-install -m 660 %{SOURCE14} %{buildroot}%{_sysconfdir}/my.cnf
+install -m 664 %{SOURCE14} %{buildroot}%{_sysconfdir}/my.cnf

 # Systemd/initscript
 install -D -m 755 %{_sourcedir}/mysql-systemd-helper '%{buildroot}'%{_libexecdir}/mysql/mysql-systemd-helper
@ -744,9 +744,9 @@ rm -f %{_localstatedir}/adm/update-messages/%{name}-%{version}-%{release}

 %files -f mysql.files
 %defattr(-, root, root)
-%config(noreplace) %attr(0640, root, mysql) %{_sysconfdir}/my.cnf
-%dir %attr(0750, root, mysql) %{_sysconfdir}/my.cnf.d
-%config(noreplace) %attr(0640, root, mysql) %{_sysconfdir}/my.cnf.d/*
+%config(noreplace) %attr(0644, root, mysql) %{_sysconfdir}/my.cnf
+%dir %attr(0755, root, mysql) %{_sysconfdir}/my.cnf.d
+%config(noreplace) %attr(0644, root, mysql) %{_sysconfdir}/my.cnf.d/*
 %config %{_sysconfdir}/logrotate.d/%{name}
 %doc %{_defaultdocdir}/%{name}
 %dir %{_libexecdir}/mysql
--- a/my.ini
+++ b/my.ini
@ -2,11 +2,14 @@
 # It is based on upstream defaults with some additional examples.


-# The following options will be passed to all MariaDB clients
+# The following options will be passed to all MySQL/MariaDB clients
 [client]
-# password  = your_password
+# Please note that storing the password in this file is not safe. For this
+# purpose you can, for example, list your password in the [client] section
+# of the '~/.my.cnf' configuration file with an access mode set to 400 or 600.
+# password   = your_password
 # port       = 3306
-# socket     = /var/run/mysql/mysql.sock
+# socket     = /run/mysql/mysql.sock

 [mysqld]

@ -38,7 +41,7 @@ server-id	= 1

 # These are commonly set, remove the # and set as required.
 # port = 3306
-# socket = /var/run/mysql/mysql.sock
+# socket = /run/mysql/mysql.sock

 # Don't listen on a TCP/IP port at all. This can be a security enhancement,
 # if all processes that need to connect to mysqld run on the same host.
--- a/mysql-patches.tar.xz
+++ b/mysql-patches.tar.xz
@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:0019be3884b882b55fedae019233490e90c51f6906f1d8181b55ed43d46bad51
-size 11952
+oid sha256:cc0841d11b85109131ed973648058f6a254224c0aa4b06f61a475cb226719d7b
+size 12112
--- a/21
+++ b/21
@ -12,10 +12,10 @@ read_config() {
 	mysql_daemon_group=mysql
 	if [[ -z "$INSTANCE" ]]; then
 		datadir=/var/lib/mysql
-		socket="/var/run/mysql/mysql.sock"
+		socket="/run/mysql/mysql.sock"
 	else
 		datadir="/var/lib/mysql-$INSTANCE"
-		socket="/var/run/mysql/mysql.${INSTANCE}.sock"
+		socket="/run/mysql/mysql.${INSTANCE}.sock"
 	fi

 	# Read options - important for multi setup
@ -75,7 +75,7 @@ mysql_upgrade() {
 		echo "Trying to run upgrade of MySQL databases..."

 		# Check whether upgrade process is not already running
-		protected="$(cat "/var/run/mysql/protecteddir.$INSTANCE" 2> /dev/null)"
+		protected="$(cat "/run/mysql/protecteddir.$INSTANCE" 2> /dev/null)"
 		if [[ -n "$protected" && -d "$protected" ]]; then
 			pid="$(cat "$protected/mysqld.pid" 2> /dev/null)"
 			if [[ "$pid" && -d "/proc/$pid" ]] &&
@ -84,10 +84,10 @@ mysql_upgrade() {
 			else
 				echo "Stale files from previous upgrade detected, cleaned them up"
 				rm -rf "$protected"
-				rm -f "/var/run/mysql/protecteddir.$INSTANCE"
+				rm -f "/run/mysql/protecteddir.$INSTANCE"
 			fi
 		fi
-		protected="$(mktemp -d -p /var/tmp mysql-protected.XXXXXX | tee "/var/run/mysql/protecteddir.$INSTANCE")"
+		protected="$(mktemp -d -p /var/tmp mysql-protected.XXXXXX | tee "/run/mysql/protecteddir.$INSTANCE")"
 		[ -n "$protected" ] || die "Can't create a tmp dir '$protected'"

 		# Create a secure tmp dir
@ -134,7 +134,7 @@ mysql_upgrade() {
 		# Cleanup
 		echo "Final cleanup"
 		if [[ -z "$up_ok" ]]; then
-			rm -rf "$protected" "/var/run/mysql/protecteddir.$INSTANCE"
+			rm -rf "$protected" "/run/mysql/protecteddir.$INSTANCE"
 		else 
 			die "Something failed during upgrade, please check logs"
 		fi
@ -167,10 +167,15 @@ mysql_start() {
 # We rely on output in english at some points
 LC_ALL=C

+# set the default umask bsc#1020976
+umask 077
+
 INSTANCE="$2"
 read_config
-mkdir -p /var/run/mysql
-chown --no-dereference "$mysql_daemon_user:$mysql_daemon_group" /var/run/mysql
+mkdir -p /run/mysql
+# fix permissions for /run/mysql (bsc#1038740)
+chmod 755 /run/mysql
+chown --no-dereference "$mysql_daemon_user:$mysql_daemon_group" /run/mysql
 case "$1" in
 	install)
 		mysql_install ;;
--- a/1
+++ b/1
@ -10,3 +10,4 @@ mariadb-10.0.15-logrotate-su.patch
 mariadb-10.1.12-fortify-and-O.patch
 mariadb-10.1.16-systemd-cmake.patch
 mariadb-10.1.18-mysql_install_db-mariadb_dirs.patch
+mariadb-10.1.22-xtradb_null_checks.patch