Subject: Re: File access problem
From: Mikael Willberg (tym@uta.fi)
Date: 03/14/1999 02:22:16 PM
List: com.mysql.lists.mysql

On Sun, 14 Mar 1999, Michael Widenius wrote:

"tymiwi" == tymiwi <tym@uta.fi> writes:

Description:

tymiwi> Directory layout and permissions on my test system are:

tymiwi> # mysql home
tymiwi> drwxr-x--- 12 root sql 1024 Mar 14 06:18 /home/sql/

tymiwi> # the storage for databases
tymiwi> drwxr-x--- 4 sql sql 1024 Mar 14 08:28 /home/sql/var/

tymiwi> # all other directories are like this one
tymiwi> drwxr-xr-x 3 root root 1024 Mar 14 06:14 share

tymiwi> When the server is started with parameter "--user=sql" the following
tymiwi> error appears in error log:

tymiwi> 990314 8:23:48 /data/home/sql/libexec/mysqld: Can't create/write to
tymiwi> file '/home/sql/var/mysqld.pid' (Errcode: 13)

tymiwi> My wild guess is that there are some private access checks in your
tymiwi> code which do not work properly (I didn't understand anything from
tymiwi> your source code after being at a Finnish USENET meeting and having a
tymiwi> few drinks 8-)

tymiwi> Oh yes, if the server is started from root account it is possible to
tymiwi> change the uid but the process still has privileged group access
tymiwi> rights. At least I didn't find a way to change the gid. That would be
tymiwi> a good feature to add !

How-To-Repeat:

tymiwi> See above.

Fix:

tymiwi> Before you say that the permissions are set up weirdly/wrong by me I
tymiwi> must stress that this problem does NOT occur if I start the server
tymiwi> with command:

tymiwi> su sql -c "/home/sql/bin/safe_mysqld --user=sql \
tymiwi> --pid-file=/home/sql/var/mysqld.pid"

tymiwi> This is also the quickest way to fix the problem in mysql.server
tymiwi> script...

<cut>

Hi!

If you are not running MySQL as root, you should do:

chown -R sql /home/sql/

and everything should work nicely

Yes, but that's a thing I do not want to do. After starting the server it should need ONLY access to the database directory (read/write) and nowhere else (call me paranoid if you want to 8-) This is also stated in your documentation:

------------------------------------------------------------------------

...

Check that the user that mysqld runs as is the only unix user with read/write privileges in the database directories.

...

2. Change the database directories and files so that user_name has privileges to read and write files in them (you may need to do this as the Unix root user):

chown -R user_name /path/to/mysql/datadir

...

4. If you are using the mysql.server script to start mysqld when the system is rebooted, you should edit mysql.server to use su to run mysqld as user user_name, or to invoke mysqld with the --user option. (No changes to safe_mysqld are necessary.)

...

------------------------------------------------------------------------

So, section 4. is partially correct...

PS: I have no idea why the 'su' hack works.

(Heh, that hack is official solution in your manual 8-)

I'll bet that has something to do with the fact that when I do "su sql" the new UID is "sql" AND the new GID is also "sql" and as you see in the permissions mentioned earlier the group "sql" has access (read) to the /home/sql directory, but this fails when the group is "root".

AND HERE IS ANOTHER "FIX" YOU MIGHT CHECK OUT !

(Quick test/hack without any checks etc.)

---------------------------------------------------------------------------

*** mysqld.cc.orig Sun Mar 14 23:55:45 1999 --- mysqld.cc Mon Mar 15 00:03:20 1999 *************** *** 486,496 **** --- 486,503 ---- unireg_abort(1); }

+ if (setgid(ent->pw_gid) == -1) + { + sql_perror("setgid"); + unireg_abort(1); + } + if (setuid(ent->pw_uid) == -1) { sql_perror("setuid"); unireg_abort(1); } + #endif }

---------------------------------------------------------------------------
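
Review bot: supplementary groups are not dropped before the added setgid(ent->pw_gid) call, so a server started from root would keep root's supplementary group memberships after the switch even though the primary gid changes. Call initgroups() with the --user name and ent->pw_gid (or setgroups()) before setgid(), with the same sql_perror()/unireg_abort(1) handling as the other two calls; the setgid-before-setuid order is correct and should stay. Also, the added "+ #endif" at the end of the hunk has no matching #if among the visible lines, so check that the conditional is balanced.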

So the server changes the group also, actually this is exactly what the su command does! (Somehow I feel that I'm persuading implementation of --group option)

Now that I have succeeded in installing and starting the server, I finally can start to learn some SQL 8-)

Mig
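
The access decision behind the "Errcode: 13" report and the working `su` start can be modelled with the owner/group/other check applied to the directory listing in the message. This is an added example, not part of the original post or the MySQL source; the numeric ids, struct names and helper functions are constructed for illustration, and it assumes the process holds no supplementary group equal to `sql`.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>

/* Constructed numeric ids: the post gives only the names root and sql. */
enum { ROOT = 0, SQL = 500 };

struct proc_cred { uid_t uid; gid_t gid; };               /* effective ids */
struct dir_meta  { uid_t owner; gid_t group; mode_t mode; };

/* Unix DAC check: exactly one class applies (owner, else group, else other).
   Assumption: the process has no supplementary group equal to the dir group. */
static int check(struct proc_cred c, struct dir_meta d, mode_t want)
{
    mode_t bits;
    if (c.uid == ROOT)           return 0;                /* superuser bypass */
    if (c.uid == d.owner)        bits = (d.mode >> 6) & 7;
    else if (c.gid == d.group)   bits = (d.mode >> 3) & 7;
    else                         bits = d.mode & 7;
    return (bits & want) == want ? 0 : EACCES;
}

/* Creating /home/sql/var/mysqld.pid needs search (x=1) on /home/sql and
   write+search (w|x=3) on /home/sql/var; modes are those listed in the post.
   Returns 0 on success or EACCES (the "Errcode: 13" in the error log). */
int create_pid_file(struct proc_cred c)
{
    struct dir_meta home_sql = { ROOT, SQL, 0750 };   /* drwxr-x--- root sql */
    struct dir_meta var      = { SQL,  SQL, 0750 };   /* drwxr-x--- sql  sql */
    int err = check(c, home_sql, 1);
    return err ? err : check(c, var, 3);
}

/* Credentials left by each start-up method discussed in the message. */
struct proc_cred after_user_option(void) { struct proc_cred c = { SQL, ROOT }; return c; }
struct proc_cred after_su(void)          { struct proc_cred c = { SQL, SQL };  return c; }
struct proc_cred after_patch(void)       { struct proc_cred c = { SQL, SQL };  return c; }

int main(void)
{
    printf("--user=sql, setuid only : %d\n", create_pid_file(after_user_option()));
    printf("su sql -c ...           : %d\n", create_pid_file(after_su()));
    printf("patched, setgid+setuid  : %d\n", create_pid_file(after_patch()));
    return 0;
}
```

With uid `sql` and gid still `root`, the process matches neither the owner nor the group of `/home/sql`, falls into the "other" class with no bits set, and is refused before it ever reaches `/home/sql/var`.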