Re: Update to Percona CVE-2016-6662 Vulnerability Communication

On 16.09.2016 at 00:05, Johan De Meersman wrote:
This is probably of interest to many of you, and I've not seen it on the list yet.

Kenny Gryp's blog about the vulnerability is at https://www.percona.com/blog/2016/09/12/database-affected-cve-2016-6662/ .

For those who use it, there's an Ansible playbook to patch the workaround into mysqld_safe at https://github.com/meersjo/ansible-mysql-cve-2016-6662 .

Frankly, mysqld_safe needs to go away; life has been beautiful without it for years here, and yes, that worked for MySQL too, before the switch to MariaDB.

To say it clearly: running *any* code as root for a service binding to a port above 1024 is idiotic by definition.
_______________________________________________________________________

[root@srv-rhsoft:~]$ cat /usr/lib/systemd/system/mysqld.service
[Unit]
Description=MariaDB Database

[Service]
Type=simple
User=mysql
Group=mysql
ExecStart=/usr/libexec/mysqld --defaults-file=/etc/my.cnf --pid-file=/dev/null
ExecStartPost=/usr/libexec/mysqld-wait-ready $MAINPID
Environment="LANG=en_GB.UTF-8"
Restart=always
RestartSec=1
TimeoutSec=300
LimitNOFILE=infinity
LimitMEMLOCK=infinity
OOMScoreAdjust=-1000
TasksMax=2048

PrivateTmp=yes
PrivateDevices=yes
NoNewPrivileges=yes
CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_WRITE CAP_DAC_OVERRIDE CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_MODULE CAP_SYS_PTRACE
SystemCallFilter=~acct modify_ldt add_key adjtimex clock_adjtime delete_module fanotify_init finit_module get_mempolicy init_module kcmp kexec_load keyctl lookup_dcookie mbind mount open_by_handle_at perf_event_open pivot_root process_vm_readv process_vm_writev ptrace request_key set_mempolicy swapoff swapon umount2 uselib vmsplice
RestrictAddressFamilies=AF_UNIX AF_LOCAL AF_INET AF_INET6
SystemCallArchitectures=x86-64

ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr
ReadOnlyDirectories=/var/lib
ReadWriteDirectories=/var/lib/mysql

InaccessibleDirectories=-/boot
InaccessibleDirectories=-/home
InaccessibleDirectories=-/root
InaccessibleDirectories=-/media
InaccessibleDirectories=-/run/user

[Install]
WantedBy=multi-user.target
_______________________________________________________________________

[root@srv-rhsoft:~]$ cat /usr/libexec/mysqld-wait-ready
#!/usr/bin/bash

# Service file passes us the daemon's PID
daemon_pid="$1"

# Wait for the server to come up or for the mysqld process to disappear
ret=0
while /usr/bin/true; do
  RESPONSE=$(/usr/bin/mysqladmin --defaults-file=/etc/my.cnf --socket=/var/lib/mysql/mysql.sock --user=UNKNOWN_MYSQL_USER ping 2>&1)
  mret=$?
  if [ "$mret" -eq 0 ]; then
    break
  fi
  # exit codes 1, 11 (EXIT_CANNOT_CONNECT_TO_SERVICE) are expected,
  # anything else suggests a configuration error
  if [ "$mret" -ne 1 ] && [ "$mret" -ne 11 ]; then
    ret=1
    break
  fi
  # "Access denied" also means the server is alive
  echo "$RESPONSE" | grep -q "Access denied for user" && break

  # Check process still exists
  if ! /usr/bin/kill -0 "$daemon_pid" 2>/dev/null; then
    ret=1
    break
  fi
  # usleep comes from initscripts; use "sleep 0.1" where it is not installed
  usleep 100000
done

exit $ret

--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe:    http://lists.mysql.com/mysql
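The point of the unit in the post above is that nothing in it needs root: User=mysql, the bounding set drops CAP_NET_BIND_SERVICE together with the setuid/setgid and ptrace capabilities, and /etc is read-only for the service, so the server process cannot rewrite its own my.cnf. The following Python script is an added example, not code from the post or from the MariaDB/Fedora packaging: it parses a unit file, resolves systemd's negated ("~") CapabilityBoundingSet= syntax, and reports the settings that would leave a daemon with more privilege than a service on a port above 1024 needs. The capability list, the DANGEROUS_CAPS set, the wording of the lint() findings, the simplified /etc check and both embedded unit snippets (one trimmed from the post, one a constructed mysqld_safe-style counter-example) are this example's own assumptions.

```python
"""Least-privilege linter for systemd service units (added example; not
code from the post or from MariaDB/Fedora).  Parses a unit, resolves the
negated "~" form of CapabilityBoundingSet= the way systemd merges it, and
flags privilege a daemon on a port above 1024 cannot need."""
import re

# Capabilities of 2016-era kernels (CAP_CHOWN..CAP_AUDIT_READ); assumption:
# a "~" list is resolved against exactly this set.
ALL_CAPS = frozenset("""CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER
CAP_FSETID CAP_KILL CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_LINUX_IMMUTABLE
CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_ADMIN CAP_NET_RAW CAP_IPC_LOCK
CAP_IPC_OWNER CAP_SYS_MODULE CAP_SYS_RAWIO CAP_SYS_CHROOT CAP_SYS_PTRACE
CAP_SYS_PACCT CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_NICE CAP_SYS_RESOURCE
CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_MKNOD CAP_LEASE CAP_AUDIT_WRITE
CAP_AUDIT_CONTROL CAP_SETFCAP CAP_MAC_OVERRIDE CAP_MAC_ADMIN CAP_SYSLOG
CAP_WAKE_ALARM CAP_BLOCK_SUSPEND CAP_AUDIT_READ""".split())

# None of these is needed by a database server; each is a root path if kept.
DANGEROUS_CAPS = frozenset({"CAP_SYS_ADMIN", "CAP_SYS_PTRACE", "CAP_SYS_MODULE",
    "CAP_SETUID", "CAP_SETGID", "CAP_DAC_OVERRIDE", "CAP_NET_ADMIN",
    "CAP_NET_BIND_SERVICE"})

def parse_unit(text):
    """{section: [(key, value), ...]}; repeated keys are kept in order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current = sections.setdefault(m.group(1), [])
        elif current is None or "=" not in line:
            raise ValueError("malformed unit line: %r" % raw)
        else:
            key, _, value = line.partition("=")
            current.append((key.strip(), value.strip()))
    return sections

def values(section, key):
    return [v for k, v in section if k == key]

def resolve_caps(assignments):
    """Bounding set after all CapabilityBoundingSet= lines: "" resets to
    empty, "A B" adds, "~A B" removes from what is currently allowed (the
    full set if nothing narrowed it yet).  None: never set, all inherited."""
    current = None
    for value in assignments:
        if value == "":
            current = set()
        elif value.startswith("~"):
            current = (set(ALL_CAPS) if current is None else current) - set(value[1:].split())
        else:
            current = (set() if current is None else current) | set(value.split())
    return current

def lint(unit_text):
    """List of findings; empty means the unit passes every check."""
    svc = parse_unit(unit_text).get("Service", [])
    findings = []
    if (values(svc, "User") or ["root"])[-1] == "root":
        findings.append("runs as root (no User= or User=root)")
    if (values(svc, "NoNewPrivileges") or ["no"])[-1].lower() not in ("yes", "true", "on", "1"):
        findings.append("NoNewPrivileges= unset: setuid helpers can regain privilege")
    caps = resolve_caps(values(svc, "CapabilityBoundingSet"))
    for cap in sorted((ALL_CAPS if caps is None else caps) & DANGEROUS_CAPS):
        findings.append("bounding set keeps %s" % cap)
    # A daemon that can write /etc can rewrite its own my.cnf.  The posted
    # unit closes that with ReadOnlyDirectories=/etc; ReadOnlyPaths= is the
    # newer spelling.  Simplified: only an exact /etc or / entry counts.
    ro = {p.lstrip("-+") for p in values(svc, "ReadOnlyDirectories") + values(svc, "ReadOnlyPaths")}
    if not ro & {"/etc", "/"}:
        findings.append("/etc writable: daemon can rewrite its own config")
    if not values(svc, "SystemCallFilter"):
        findings.append("no SystemCallFilter=")
    return findings

# Trimmed copy of the unit posted above (CapabilityBoundingSet= verbatim).
HARDENED_UNIT = """[Service]
User=mysql
ExecStart=/usr/libexec/mysqld --defaults-file=/etc/my.cnf --pid-file=/dev/null
NoNewPrivileges=yes
CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_WRITE CAP_DAC_OVERRIDE CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_MODULE CAP_SYS_PTRACE
SystemCallFilter=~ptrace mount swapon kexec_load init_module
ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr
"""

# Constructed counter-example: a mysqld_safe-style unit with no User= line.
ROOT_UNIT = """[Service]
ExecStart=/usr/bin/mysqld_safe --defaults-file=/etc/my.cnf
"""

if __name__ == "__main__":
    for name, unit in (("hardened", HARDENED_UNIT), ("root", ROOT_UNIT)):
        print("%s: %s" % (name, ", ".join(lint(unit)) or "ok"))
```

Run it against a real unit with `lint(open("/usr/lib/systemd/system/mysqld.service").read())`; the hardened unit comes back clean, the root-style unit yields one finding per retained dangerous capability plus the root, NoNewPrivileges, /etc and syscall-filter findings. The checker only reads the unit file, so pair it with `grep CapBnd /proc/$(pidof mysqld)/status` if you want to confirm what the running process actually kept.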