diff options
Diffstat (limited to '0005-fix-galera_recovery-with-fs.protected_regular-enabled.patch')
-rw-r--r-- | 0005-fix-galera_recovery-with-fs.protected_regular-enabled.patch | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/0005-fix-galera_recovery-with-fs.protected_regular-enabled.patch b/0005-fix-galera_recovery-with-fs.protected_regular-enabled.patch new file mode 100644 index 000000000000..f3de571d86a9 --- /dev/null +++ b/0005-fix-galera_recovery-with-fs.protected_regular-enabled.patch @@ -0,0 +1,32 @@ +From 5936f0be4a49eda7b05ea1591bbbba3d72e4d7b9 Mon Sep 17 00:00:00 2001 +From: Christian Hesse <mail@eworm.de> +Date: Fri, 25 Jan 2019 14:50:53 +0100 +Subject: fix galera_recovery with fs.protected_regular enabled + +The fs.protected_regular sysctls was added in Linux 4.19 to make some +data spoofing attacks harder. With systemd v241 these will be enabled +by default. + +With this protection enabled galera_recovery fails with EPERM +(permission denied). This is caused by a wrong security measure: +The script changes ownership of $log_file to $user, though $user never +touches it. The shell redirection writes output to the file, not mysqld. +So just drop chown to fix this. +--- + scripts/galera_recovery.sh | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/scripts/galera_recovery.sh b/scripts/galera_recovery.sh +index c58f3d8f6b9..c70decc0005 100644 +--- a/scripts/galera_recovery.sh ++++ b/scripts/galera_recovery.sh +@@ -101,8 +101,7 @@ wsrep_recover_position() { + + # Safety checks + if [ -n "$log_file" -a -f "$log_file" ]; then +- [ "$euid" = "0" ] && chown $user $log_file +- chmod 600 $log_file ++ chmod 600 $log_file + else + log "WSREP: mktemp failed" + fi |