List:General Discussion« Previous MessageNext Message »
From:Mikael Willberg Date:March 14 1999 10:22pm
Subject:Re: File access problem
View as plain text  
On Sun, 14 Mar 1999, Michael Widenius wrote:

> >>>>> "tymiwi" == tymiwi  <tymiwi@stripped> writes:
> >> Description:
> tymiwi> Directory layout and permissions on my test system are:
> tymiwi> # mysql home
> tymiwi> drwxr-x---  12 root     sql          1024 Mar 14 06:18 /home/sql/
> tymiwi> # the storage for databasese
> tymiwi> drwxr-x---   4 sql      sql          1024 Mar 14 08:28 /home/sql/var/
> tymiwi> # all other directories are like this one
> tymiwi> drwxr-xr-x   3 root     root         1024 Mar 14 06:14 share
> tymiwi> When the server is started with parameter "--user=sql" the following
> tymiwi> error appears in error log:
> tymiwi> 990314 8:23:48 /data/home/sql/libexec/mysqld: Can't create/write to
> tymiwi> file '/home/sql/var/' (Errcode: 13)
> tymiwi> My wild guess is that there are some private access checks in your
> tymiwi> code which do not work properly (I didn't understand anything from
> tymiwi> your source code after being at Finnish USENET meeting and having a
> tymiwi> few drinks 8-)
> tymiwi> Oh yes, if the server is started from root account it is possible to
> tymiwi> change the uid but the process still has priviledged group access
> tymiwi> rights. At least I didn't find a way to change the gid. That would be
> tymiwi> a good feature to add !
> >> How-To-Repeat:
> tymiwi> See above.
> >> Fix:
> tymiwi> Before you say that the permissions are set up weirdly/wrong by me I
> tymiwi> must stress that this problem does NOT occur if I start the server
> tymiwi> with command:
> tymiwi> su sql -c "/home/sql/bin/safe_mysqld --user=sql \
> tymiwi> --pid-file=/home/sql/var/"
> tymiwi> This is also the quickest way to fix the problem in mysql.server
> tymiwi> script...
> <cut>
> Hi!
> If you are not running MySQL as root, you should do:
> chown -R sql /home/sql/
> and everything should work nicely

Yes, but that's a thing I do not want to do. After starting the server
it should need ONLY access to the database directory (read/write) and
nowhere else (call my paranoid if you want to 8-) This is also stated
in your documentation :


Check that the user that mysqld runs as is the only unix user with
read/write privileges in the database directories. 


2. Change the database directories and files so that user_name has
   privileges to read and write files in them (you may need to do his as
   the Unix root user):

chown -R user_name /path/to/mysql/datadir


4. If you are using the mysql.server script to start mysqld when the
   system is rebooted, you should edit mysql.server to use su to run
   mysqld as user user_name, or to invoke mysqld with the --user
   option. (No changes to safe_mysqld are necessary.)


So, section 4. is partially correct...

> PS: I have no idea why the 'su' hack works.

(Heh, that hack is offical solution in tyour manual 8-)

I'll bet that has something to do with the fact that when I do "su
sql" the new UID is "sql" AND the new GID is also "sql" and as you see
in the permissions mentioned earlier the group "sql" has access (read)
to the /home/sql directory, but this fails when the group is "root".


(Quick test/hack without any checks etc.)


***      Sun Mar 14 23:55:45 1999
---   Mon Mar 15 00:03:20 1999
*** 486,496 ****
--- 486,503 ----
+   if (setgid(ent->pw_gid) == -1)
+   {
+     sql_perror("setgid");
+     unireg_abort(1);
+   }
    if (setuid(ent->pw_uid) == -1)


So the server changes the group also, actually this is exactly what
the su command does! Somehow I feel that I'm persuading implemention
of --group option)

Now that I have succeeded to install and start the server, I finally
can start to learn some SQL 8-)


**** Mikael Willberg ***** "Oh dear", says God, "I hadn't thought of that" **
* Hypermedia laboratory *  and promptly vanishes in a puff of logic.        *
* University of Tampere *                                  (Douglas Adams)  *
******** Finland ********* ***********************

File access problemtymiwi14 Mar
  • File access problemMichael Widenius15 Mar
  • Re: File access problemVan15 Mar
    • returning table nameMarc Antony Vose15 Mar
      • returning table namesinisa16 Mar
        • Re: returning table nameThimble Smith16 Mar
Re: File access problemMikael Willberg15 Mar
Re: returning table nameefrazier16 Mar
  • Re: returning table nameThimble Smith16 Mar