authorTerje Rosten <terje.rosten@oracle.com>2016-08-12 12:38:20 +0200
committerTerje Rosten <terje.rosten@oracle.com>2016-08-18 12:19:15 +0200
commit8b1f4d84cafe393e92f942278f9f020a62ceb5b9 (patch)
treef8165953bb4a392b6ce368da8090a27e0a95a432
parent04bad164e7d4bad2b2ed63485ea6361029392d68 (diff)
downloadmariadb-git-8b1f4d84cafe393e92f942278f9f020a62ceb5b9.tar.gz
Bug#24464380 PRIVILEGE ESCALATION USING MYSQLD_SAFE
Argument to malloc-lib must be included in restricted list of directories, symlink guards added, and mysqld and mysqld-version options restricted to command line only. Don't redirect errors to stderr.
-rw-r--r--packaging/rpm-oel/mysql.init2
-rw-r--r--packaging/rpm-sles/mysql.init2
-rw-r--r--scripts/mysqld_safe.sh79
-rw-r--r--support-files/mysql.server.sh2
4 files changed, 50 insertions, 35 deletions
diff --git a/packaging/rpm-oel/mysql.init b/packaging/rpm-oel/mysql.init
index 262d0582f68..aaea498d153 100644
--- a/packaging/rpm-oel/mysql.init
+++ b/packaging/rpm-oel/mysql.init
@@ -102,7 +102,7 @@ start(){
# alarms, per bug #547485
$exec --datadir="$datadir" --socket="$socketfile" \
--pid-file="$mypidfile" \
- --basedir=/usr --user=mysql >/dev/null 2>&1 &
+ --basedir=/usr --user=mysql >/dev/null &
safe_pid=$!
# Spin for a maximum of N seconds waiting for the server to come up;
# exit the loop immediately if mysqld_safe process disappears.
diff --git a/packaging/rpm-sles/mysql.init b/packaging/rpm-sles/mysql.init
index 50ca4c9033c..dda0bebba56 100644
--- a/packaging/rpm-sles/mysql.init
+++ b/packaging/rpm-sles/mysql.init
@@ -137,7 +137,7 @@ start () {
rc_failed 6 ; rc_status -v ; rc_exit
fi
- $PROG --basedir=/usr --datadir="$datadir" --pid-file="$pidfile" >/dev/null 2>&1 &
+ $PROG --basedir=/usr --datadir="$datadir" --pid-file="$pidfile" >/dev/null &
if pinger $! ; then
echo -n "Starting service MySQL:"
touch $lockfile
diff --git a/scripts/mysqld_safe.sh b/scripts/mysqld_safe.sh
index f705953059e..11b692ec928 100644
--- a/scripts/mysqld_safe.sh
+++ b/scripts/mysqld_safe.sh
@@ -208,8 +208,17 @@ parse_arguments() {
--core-file-size=*) core_file_size="$val" ;;
--ledir=*) ledir="$val" ;;
--malloc-lib=*) set_malloc_lib "$val" ;;
- --mysqld=*) MYSQLD="$val" ;;
+ --mysqld=*)
+ if [ -z "$pick_args" ]; then
+ log_error "--mysqld option can only be used as command line option, found in config file"
+ exit 1
+ fi
+ MYSQLD="$val" ;;
--mysqld-version=*)
+ if [ -z "$pick_args" ]; then
+ log_error "--mysqld-version option can only be used as command line option, found in config file"
+ exit 1
+ fi
if test -n "$val"
then
MYSQLD="mysqld-$val"
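Review bot: `--ledir=*` on the unchanged line just above the new guard is still accepted from a config file, so what is presumably the directory the server binary is taken from stays config-controlled even though `--mysqld` and `--mysqld-version` are now command-line only. Consider giving `--ledir=*` the same `if [ -z "$pick_args" ]; then log_error ...; exit 1; fi` guard, or add a comment explaining why it is exempt. The two added guards differ only in the option name and could share one small helper. parse_arguments starts and ends outside the hunk, so how `pick_args` is set cannot be confirmed from here.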
@@ -297,38 +306,22 @@ mysqld_ld_preload_text() {
echo "$text"
}
-
-mysql_config=
-get_mysql_config() {
- if [ -z "$mysql_config" ]; then
- mysql_config=`echo "$0" | sed 's,/[^/][^/]*$,/mysql_config,'`
- if [ ! -x "$mysql_config" ]; then
- log_error "Can not run mysql_config $@ from '$mysql_config'"
- exit 1
- fi
- fi
-
- "$mysql_config" "$@"
-}
-
-
# set_malloc_lib LIB
# - If LIB is empty, do nothing and return
-# - If LIB is 'tcmalloc', look for tcmalloc shared library in /usr/lib
-# then pkglibdir. tcmalloc is part of the Google perftools project.
+# - If LIB is 'tcmalloc', look for tcmalloc shared library in $malloc_dirs.
+# tcmalloc is part of the Google perftools project.
# - If LIB is an absolute path, assume it is a malloc shared library
#
# Put LIB in mysqld_ld_preload, which will be added to LD_PRELOAD when
# running mysqld. See ld.so for details.
set_malloc_lib() {
+ # This list is kept intentionally simple.
+ malloc_dirs="/usr/lib /usr/lib64 /usr/lib/i386-linux-gnu /usr/lib/x86_64-linux-gnu"
malloc_lib="$1"
if [ "$malloc_lib" = tcmalloc ]; then
- pkglibdir=`get_mysql_config --variable=pkglibdir`
malloc_lib=
- # This list is kept intentionally simple. Simply set --malloc-lib
- # to a full path if another location is desired.
- for libdir in /usr/lib "$pkglibdir" "$pkglibdir/mysql"; do
+ for libdir in $(echo $malloc_dirs); do
for flavor in _minimal '' _and_profiler _debug; do
tmp="$libdir/libtcmalloc$flavor.so"
#log_notice "DEBUG: Checking for malloc lib '$tmp'"
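Review bot: `for libdir in $(echo $malloc_dirs); do` runs a command substitution for no benefit; `for libdir in $malloc_dirs; do` word-splits the list the same way. `malloc_dirs` is assigned without any scoping inside set_malloc_lib, and the same four directories are hard-coded again in the `case` allow-list later in this function, so a comment such as `# Keep in sync with the case allow-list below` next to the assignment would help. The function body continues outside this hunk.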
@@ -339,7 +332,7 @@ set_malloc_lib() {
done
if [ -z "$malloc_lib" ]; then
- log_error "no shared library for --malloc-lib=tcmalloc found in /usr/lib or $pkglibdir"
+ log_error "no shared library for --malloc-lib=tcmalloc found in $malloc_dirs"
exit 1
fi
fi
@@ -350,9 +343,21 @@ set_malloc_lib() {
case "$malloc_lib" in
/*)
if [ ! -r "$malloc_lib" ]; then
- log_error "--malloc-lib '$malloc_lib' can not be read and will not be used"
+ log_error "--malloc-lib can not be read and will not be used"
exit 1
fi
+
+ # Restrict to a the list in $malloc_dirs above
+ case "$(dirname "$malloc_lib")" in
+ /usr/lib) ;;
+ /usr/lib64) ;;
+ /usr/lib/i386-linux-gnu) ;;
+ /usr/lib/x86_64-linux-gnu) ;;
+ *)
+ log_error "--malloc-lib must be located in one of the directories: $malloc_dirs"
+ exit 1
+ ;;
+ esac
;;
*)
log_error "--malloc-lib must be an absolute path or 'tcmalloc'; " \
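Review bot: The allow-list is written out a second time in the `case` arms instead of being derived from `$malloc_dirs`, so the two lists can drift apart; the added comment also has a typo (`to a the list`). The comparison is made on the string returned by `dirname`, not on a resolved path, so it depends on the listed directories being writable only by root; stating that in the comment would make the assumption explicit, e.g. `# Lexical check only; directories in $malloc_dirs must be root-owned`. The `-r` test above accepts any readable path type, so adding `[ -f "$malloc_lib" ]` would also reject directories and device nodes. The enclosing case statement ends outside the hunk.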
@@ -569,7 +574,7 @@ then
log_notice "Logging to '$err_log'."
logging=file
- if [ ! -f "$err_log" ]; then # if error log already exists,
+ if [ ! -f "$err_log" -a ! -h "$err_log" ]; then # if error log already exists,
touch "$err_log" # we just append. otherwise,
chmod "$fmode" "$err_log" # fix the permissions here!
fi
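Review bot: The added `! -h "$err_log"` test and the `touch`/`chmod` that follow are separate steps, so the guard only holds if no other account can create entries in the log directory between the check and the use. The same check-then-act pattern appears in the hunks at -594, -614, -728 and -779. When the path is found to be a symlink, the block is skipped silently; a `log_error` in that case would make the condition visible to an operator. `-a` inside `[ ]` is marked obsolescent by POSIX, and `[ ! -f "$err_log" ] && [ ! -h "$err_log" ]` is the unambiguous form. The enclosing `if ... then` starts outside the hunk.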
@@ -594,7 +599,7 @@ then
USER_OPTION="--user=$user"
fi
# Change the err log to the right user, if it is in use
- if [ $want_syslog -eq 0 ]; then
+ if [ $want_syslog -eq 0 -a ! -h "$err_log" ]; then
touch "$err_log"
chown $user "$err_log"
fi
@@ -614,9 +619,11 @@ safe_mysql_unix_port=${mysql_unix_port:-${MYSQL_UNIX_PORT:-@MYSQL_UNIX_ADDR@}}
mysql_unix_port_dir=`dirname $safe_mysql_unix_port`
if [ ! -d $mysql_unix_port_dir ]
then
- mkdir $mysql_unix_port_dir
- chown $user $mysql_unix_port_dir
- chmod 755 $mysql_unix_port_dir
+ if [ ! -h $mysql_unix_port_dir ]; then
+ mkdir $mysql_unix_port_dir
+ chown $user $mysql_unix_port_dir
+ chmod 755 $mysql_unix_port_dir
+ fi
fi
# If the user doesn't specify a binary, we assume name "mysqld"
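Review bot: `$mysql_unix_port_dir` is unquoted in the added `[ ! -h $mysql_unix_port_dir ]` and in the re-indented `mkdir`/`chown`/`chmod` lines, so a socket path containing whitespace or glob characters would make the symlink test examine something other than the intended directory. Quote it throughout, e.g. `if [ ! -h "$mysql_unix_port_dir" ]; then` and `mkdir "$mysql_unix_port_dir"`. The hunk at -779 already quotes `"$safe_mysql_unix_port"`, so this would also make the file consistent. The two nested `if` statements could be merged into one condition.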
@@ -728,7 +735,9 @@ then
exit 1
fi
fi
- rm -f "$pid_file"
+ if [ ! -h "$pid_file" ]; then
+ rm -f "$pid_file"
+ fi
if test -f "$pid_file"
then
log_error "Fatal error: Can't remove the pid file:
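Review bot: Skipping `rm -f "$pid_file"` when the path is a symlink leaves the link in place, and the `test -f` that follows dereferences it, so a dangling link or one pointing at a non-regular file passes the check and, as far as this hunk shows, startup continues with the link still present. `rm` removes the link itself rather than its target, so the guard is not needed to protect the target. If a symlinked pid file is meant to be refused, make that explicit, e.g. `if [ -h "$pid_file" ]; then log_error "pid file is a symlink"; exit 1; fi`. The same applies to both `rm -f` guards in the loop at -779. The log_error call at the end of this hunk continues outside it.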
@@ -779,13 +788,19 @@ have_sleep=1
while true
do
- rm -f $safe_mysql_unix_port "$pid_file" # Some extra safety
+ # Some extra safety
+ if [ ! -h "$safe_mysql_unix_port" ]; then
+ rm -f "$safe_mysql_unix_port"
+ fi
+ if [ ! -h "$pid_file" ]; then
+ rm -f "$pid_file"
+ fi
start_time=`date +%M%S`
eval_log_error "$cmd"
- if [ $want_syslog -eq 0 -a ! -f "$err_log" ]; then
+ if [ $want_syslog -eq 0 -a ! -f "$err_log" -a ! -h "$err_log" ]; then
touch "$err_log" # hypothetical: log was renamed but not
chown $user "$err_log" # flushed yet. we'd recreate it with
chmod "$fmode" "$err_log" # wrong owner next time we log, so set
diff --git a/support-files/mysql.server.sh b/support-files/mysql.server.sh
index 7487d5acc0f..909d33f8770 100644
--- a/support-files/mysql.server.sh
+++ b/support-files/mysql.server.sh
@@ -280,7 +280,7 @@ case "$mode" in
then
# Give extra arguments to mysqld with the my.cnf file. This script
# may be overwritten at next upgrade.
- $bindir/mysqld_safe --datadir="$datadir" --pid-file="$mysqld_pid_file_path" $other_args >/dev/null 2>&1 &
+ $bindir/mysqld_safe --datadir="$datadir" --pid-file="$mysqld_pid_file_path" $other_args >/dev/null &
wait_for_pid created "$!" "$mysqld_pid_file_path"; return_value=$?
# Make lock for RedHat / SuSE