summarylogtreecommitdiffstats
path: root/0005-fix-galera_recovery-with-fs.protected_regular-enabled.patch
diff options
context:
space:
mode:
Diffstat (limited to '0005-fix-galera_recovery-with-fs.protected_regular-enabled.patch')
-rw-r--r--0005-fix-galera_recovery-with-fs.protected_regular-enabled.patch32
1 files changed, 32 insertions, 0 deletions
diff --git a/0005-fix-galera_recovery-with-fs.protected_regular-enabled.patch b/0005-fix-galera_recovery-with-fs.protected_regular-enabled.patch
new file mode 100644
index 00000000000..f3de571d86a
--- /dev/null
+++ b/0005-fix-galera_recovery-with-fs.protected_regular-enabled.patch
@@ -0,0 +1,32 @@
+From 5936f0be4a49eda7b05ea1591bbbba3d72e4d7b9 Mon Sep 17 00:00:00 2001
+From: Christian Hesse <mail@eworm.de>
+Date: Fri, 25 Jan 2019 14:50:53 +0100
+Subject: fix galera_recovery with fs.protected_regular enabled
+
+The fs.protected_regular sysctls was added in Linux 4.19 to make some
+data spoofing attacks harder. With systemd v241 these will be enabled
+by default.
+
+With this protection enabled galera_recovery fails with EPERM
+(permission denied). This is caused by a wrong security measure:
+The script changes ownership of $log_file to $user, though $user never
+touches it. The shell redirection writes output to the file, not mysqld.
+So just drop chown to fix this.
+---
+ scripts/galera_recovery.sh | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/scripts/galera_recovery.sh b/scripts/galera_recovery.sh
+index c58f3d8f6b9..c70decc0005 100644
+--- a/scripts/galera_recovery.sh
++++ b/scripts/galera_recovery.sh
+@@ -101,8 +101,7 @@ wsrep_recover_position() {
+
+ # Safety checks
+ if [ -n "$log_file" -a -f "$log_file" ]; then
+- [ "$euid" = "0" ] && chown $user $log_file
+- chmod 600 $log_file
++ chmod 600 $log_file
+ else
+ log "WSREP: mktemp failed"
+ fi