path: root/0005-fix-galera_recovery-with-fs.protected_regular-enabled.patch
blob: f3de571d86a90aa17129c201239e123eb71905e6 (plain)
From 5936f0be4a49eda7b05ea1591bbbba3d72e4d7b9 Mon Sep 17 00:00:00 2001
From: Christian Hesse <mail@eworm.de>
Date: Fri, 25 Jan 2019 14:50:53 +0100
Subject: fix galera_recovery with fs.protected_regular enabled

The fs.protected_regular sysctl was added in Linux 4.19 to make some
data spoofing attacks harder. With systemd v241 these will be enabled
by default.

With this protection enabled galera_recovery fails with EPERM
(permission denied). This is caused by a wrong security measure:
The script changes ownership of $log_file to $user, though $user never
touches it. The shell redirection writes output to the file, not mysqld.
So just drop chown to fix this.
---
 scripts/galera_recovery.sh | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/scripts/galera_recovery.sh b/scripts/galera_recovery.sh
index c58f3d8f6b9..c70decc0005 100644
--- a/scripts/galera_recovery.sh
+++ b/scripts/galera_recovery.sh
@@ -101,8 +101,7 @@ wsrep_recover_position() {
 
 # Safety checks
 if [ -n "$log_file" -a -f "$log_file" ]; then
-  [ "$euid" = "0" ] && chown $user $log_file
-      chmod 600 $log_file
+  chmod 600 $log_file
 else
   log "WSREP: mktemp failed"
 fi
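
Review bot: the added `chmod 600 $log_file` leaves `$log_file` unquoted, although the `[ -n "$log_file" -a -f "$log_file" ]` test directly above quotes it; use `chmod 600 "$log_file"` so a path containing whitespace or glob characters is not split or expanded. With the `chown $user` removed, the file stays owned by the invoking user (root when `$euid` is 0) at mode 600, so it is worth confirming that nothing running as `$user` opens `$log_file` directly, since that is the assumption the commit message relies on. The `else` branch in the context lines only logs "WSREP: mktemp failed"; if the script continues past this point with an empty or missing `$log_file`, an explicit exit there would be safer.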