[arch-general] FS#10058 - mysqld rc script creates insecure dummy log
Loui Chang
louipc.ist at gmail.com
Wed Nov 5 18:03:10 EST 2008
I fixed this for myself and posted this report long ago but it kind of
bugs me that this is still in the wild so I want to bring this to the
attention of the mailing list readers.
http://bugs.archlinux.org/task/10058
The mysqld startup script touches the default mysqld.log location but
doesn't do anything to secure it from reading by non privileged users.
Databases can have sensitive information so should not be globally
readable.
mysqld_safe seems to take care of log creation and security itself when
a log file is specified in my.cnf and it has write permission to the
directory containing the logs.
(personally I just create /var/log/mysql/ and gave it user:group of
mysql:mysql)
Furthermore the startup script assumes too much (location of log file),
which may be incorrect depending on my.cnf
Let the admin take care of things him/herself.
Patch attached.
It would be handy though for a novice user to be able to enable secure
logging (with logrotate) by just uncommenting a config option in my.cnf
Get rid of /var/log/mysqld.log creation
diff --git a/rc.d/mysqld b/rc.d/mysqld
index 0fcecf7..843397e 100755
--- a/rc.d/mysqld
+++ b/rc.d/mysqld
@@ -27,11 +27,6 @@ if [ ! -d $MYSQLD_ROOT ]; then
chown -R mysql.mysql $MYSQLD_ROOT
fi
-if [ ! -e /var/log/mysqld.log ]; then
- touch /var/log/mysqld.log
- chown mysql /var/log/mysqld.log
-fi
-
case "$1" in
start)
stat_busy "Starting MySQL"
More information about the arch-general
mailing list