[Bug 375371] Re: MySQL must not use /tmp
Jamie Strandboge
jamie at ubuntu.com
Wed Sep 15 18:15:05 BST 2010
I'm slightly confused. These build tests are using an installed, live
mysql server and create temporary files somewhere in such a way that
mysqld needs to read them?
If that is the case, then maybe we could add to the mysqld profile something like:
owner /var/tmp/mysql/** rwkl,
owner /var/tmp/mysql/* rw,
/var/tmp/mysql-buildtests/** r,
/var/tmp/mysql-buildtests/ r,
Then do:
# mkdir -m 0770 /var/tmp/mysql
# chown mysql:mysql
# mkdir -m 1113 /var/tmp/mysql-buildtests
# chown mysql:mysql /var/tmp/mysql-buildtests
This should allow any user to write to anything in /var/tmp/mysql-
buildtests, after which testsuites can invoke mysqld with the proper
arguments for tmpdir being /var/tmp/mysql and reading specific files in
/var/tmp/mysql-buildtests. The idea is that under normal circumstances,
mysqld would ignore /var/tmp/mysql-buildtests/, but in the face of an
attack both DAC and AppArmor prevent writing to /var/tmp/mysql-
buildtests. We use the weird '1113' permissions on /var/tmp/mysql-
buildtests to create a sticky directory to allow 'other' to create files
in the directory, but mysql can only read from this directory. DAC
prevents regular users from reading /var/tmp/mysql. This should mitigate
bug #578922 while allowing for test suites to run.
It would be great if others could review my suggestion.
--
MySQL must not use /tmp
https://bugs.launchpad.net/bugs/375371
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to mysql-dfsg-5.1 in ubuntu.
More information about the Ubuntu-server-bugs
mailing list