List: General Discussion
From: Mikael Willberg  Date: March 14 1999 10:22pm
Subject: Re: File access problem
On Sun, 14 Mar 1999, Michael Widenius wrote:

> >>>>> "tymiwi" == tymiwi  <tymiwi@stripped> writes:
> 
> >> Description:
> tymiwi> Directory layout and permissions on my test system are:
> 
> tymiwi> # mysql home
> tymiwi> drwxr-x---  12 root     sql          1024 Mar 14 06:18 /home/sql/
> 
> tymiwi> # the storage for databases
> tymiwi> drwxr-x---   4 sql      sql          1024 Mar 14 08:28 /home/sql/var/
> 
> tymiwi> # all other directories are like this one
> tymiwi> drwxr-xr-x   3 root     root         1024 Mar 14 06:14 share
> 
> tymiwi> When the server is started with parameter "--user=sql" the following
> tymiwi> error appears in error log:
> 
> tymiwi> 990314 8:23:48 /data/home/sql/libexec/mysqld: Can't create/write to
> tymiwi> file '/home/sql/var/mysqld.pid' (Errcode: 13)
> 
> tymiwi> My wild guess is that there are some private access checks in your
> tymiwi> code which do not work properly (I didn't understand anything from
> tymiwi> your source code after being at Finnish USENET meeting and having a
> tymiwi> few drinks 8-)
> 
> 
> tymiwi> Oh yes, if the server is started from root account it is possible to
> tymiwi> change the uid but the process still has privileged group access
> tymiwi> rights. At least I didn't find a way to change the gid. That would be
> tymiwi> a good feature to add !
> 
> >> How-To-Repeat:
> 
> tymiwi> See above.
> 
> >> Fix:
> 
> tymiwi> Before you say that the permissions are set up weirdly/wrong by me I
> tymiwi> must stress that this problem does NOT occur if I start the server
> tymiwi> with command:
> 
> tymiwi> su sql -c "/home/sql/bin/safe_mysqld --user=sql \
> tymiwi> --pid-file=/home/sql/var/mysqld.pid"
> 
> tymiwi> This is also the quickest way to fix the problem in mysql.server
> tymiwi> script...
> 
> <cut>
> 
> Hi!
> 
> If you are not running MySQL as root, you should do:
> 
> chown -R sql /home/sql/
> 
> and everything should work nicely

Yes, but that's a thing I do not want to do. After starting the server
it should need ONLY access to the database directory (read/write) and
nowhere else (call me paranoid if you want to 8-) This is also stated
in your documentation :

------------------------------------------------------------------------
...

Check that the user that mysqld runs as is the only unix user with
read/write privileges in the database directories. 

...

2. Change the database directories and files so that user_name has
   privileges to read and write files in them (you may need to do this as
   the Unix root user):

chown -R user_name /path/to/mysql/datadir

...

4. If you are using the mysql.server script to start mysqld when the
   system is rebooted, you should edit mysql.server to use su to run
   mysqld as user user_name, or to invoke mysqld with the --user
   option. (No changes to safe_mysqld are necessary.)
...

------------------------------------------------------------------------

So, section 4. is partially correct...

> PS: I have no idea why the 'su' hack works.

(Heh, that hack is the official solution in your manual 8-)

I'll bet that has something to do with the fact that when I do "su
sql" the new UID is "sql" AND the new GID is also "sql" and as you see
in the permissions mentioned earlier the group "sql" has access (read)
to the /home/sql directory, but this fails when the group is "root".

AND HERE IS ANOTHER "FIX" YOU MIGHT CHECK OUT !

(Quick test/hack without any checks etc.)

---------------------------------------------------------------------------

*** mysqld.cc.orig      Sun Mar 14 23:55:45 1999
--- mysqld.cc   Mon Mar 15 00:03:20 1999
***************
*** 486,496 ****
--- 486,503 ----
      unireg_abort(1);
    }
  
+   if (setgid(ent->pw_gid) == -1)
+   {
+     sql_perror("setgid");
+     unireg_abort(1);
+   }
+ 
    if (setuid(ent->pw_uid) == -1)
    {
      sql_perror("setuid");
      unireg_abort(1);
    }
+ 
  #endif
  }
  

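Review bot: the added setgid(ent->pw_gid) block, placed before setuid(), changes only the primary group and leaves the supplementary group list as inherited from the root account that started mysqld, so the server can still reach files through those groups. Call initgroups(ent->pw_name, ent->pw_gid) (or setgroups()) ahead of the setgid() call and abort on failure in the same way as the two existing checks. The order setgid() then setuid() is the right one, because once setuid() has moved the process to a non-root uid it can no longer change its gid. The extra blank line added before #endif can be dropped.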
---------------------------------------------------------------------------

So the server changes the group also, actually this is exactly what
the su command does! (Somehow I feel that I'm persuading implementation
of --group option)

Now that I have succeeded in installing and starting the server, I can
finally start to learn some SQL 8-)


Mig

-- 
**** Mikael Willberg ***** "Oh dear", says God, "I hadn't thought of that" **
* Hypermedia laboratory *  and promptly vanishes in a puff of logic.        *
* University of Tampere *                                  (Douglas Adams)  *
******** Finland ********* http://www.uta.fi/~tymiwi/ ***********************
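The permission reasoning in the message above, worked through as an added example (not code from the post or from MySQL): a small model of the Unix owner/group/other check applied to the two directories listed, comparing a process with uid sql and gid root against one with uid and gid sql. The numeric ids are constructed, and `/` and `/home` are assumed to be searchable by everyone.

```c
#include <stdio.h>
#include <stddef.h>
#include <errno.h>

/* Constructed numeric ids: the page gives only the names root and sql. */
enum { ROOT_ID = 0, SQL_ID = 500 };

struct dir  { const char *path; unsigned uid, gid, mode; };
struct cred { unsigned euid, egid; };

/* Classic Unix class selection: owner bits if euid matches, else group
   bits if egid matches, else other bits. Exactly one class is consulted.
   (Model only: ignores the uid 0 override, supplementary groups, ACLs.) */
static unsigned perm_bits(const struct dir *d, const struct cred *c)
{
    if (c->euid == d->uid) return (d->mode >> 6) & 7;
    if (c->egid == d->gid) return (d->mode >> 3) & 7;
    return d->mode & 7;
}

/* Creating a file in the last directory needs search (x) on every
   directory of the path and write+search (wx) on the last one.
   Returns 0, or EACCES (the "Errcode: 13" in the error log). */
int can_create_in(const struct dir *path, size_t n, const struct cred *c)
{
    for (size_t i = 0; i < n; i++) {
        unsigned need = (i == n - 1) ? 3u : 1u;   /* wx = 2|1, x = 1 */
        if ((perm_bits(&path[i], c) & need) != need)
            return EACCES;
    }
    return 0;
}

/* Owners and modes as listed in the message (drwxr-x--- is 0750). */
static const struct dir PID_PATH[] = {
    { "/home/sql",     ROOT_ID, SQL_ID, 0750 },
    { "/home/sql/var", SQL_ID,  SQL_ID, 0750 },
};

/* Started by root with --user=sql, setuid() only: gid stays root. */
int check_setuid_only(void)
{ struct cred c = { SQL_ID, ROOT_ID }; return can_create_in(PID_PATH, 2, &c); }

/* "su sql", or setgid() followed by setuid(): uid and gid are both sql. */
int check_setgid_and_setuid(void)
{ struct cred c = { SQL_ID, SQL_ID }; return can_create_in(PID_PATH, 2, &c); }

int main(void)
{
    printf("setuid only:     %d\n", check_setuid_only());
    printf("setgid + setuid: %d\n", check_setgid_and_setuid());
    return 0;
}
```

With gid root the process matches neither the owner (root) nor the group (sql) of /home/sql and falls through to the empty "other" bits, so the path lookup fails before /home/sql/var is ever reached.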
