[MDEV-7247] service mysql status not availabe in standard user - JIRA

Details

Type: Bug
Status: Open
Priority: Minor
Resolution: Unresolved
Affects Version/s: 10.0
Fix Version/s: 10.0
Component/s: Platform Debian
Labels:
None
Environment:
ubuntu 12.04

Description

with standard user we coudln't run :

service mysql status (work only in root)

maybe is not a bug and you would this comportment but it's not standard.

I made the fix, just tell me how to procede.

Gliffy Diagrams

Attachments

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

Barthelemy Vessemont added a comment - 2014-12-02 12:04 - edited

+1
A user with no priviliges is not able to check service status (which is not standard, check with other projects like apache, nginx, ntp, sshd, oracle mysql ...) :

johndoe@mariadb-vagrant:/data$ service mysql status
cat: /var/run/mysqld/mysqld.pid: Permission denied
 * MariaDB is stopped.

It's ok with any sudoer/root account :

root@mariadb-vagrant:/data# service mysql status
 * /usr/bin/mysqladmin  Ver 9.1 Distrib 10.0.15-MariaDB, for debian-linux-gnu on x86_64
Copyright (c) 2000, 2014, Oracle, SkySQL Ab and others.

Server version		10.0.15-MariaDB-1~precise-log
Protocol version	10
Connection		Localhost via UNIX socket
UNIX socket		/var/run/mysqld/mysqld.sock
Uptime:			17 hours 4 min 25 sec

Threads: 2  Questions: 91  Slow queries: 0  Opens: 97  Flush tables: 1  Open tables: 78  Queries per second avg: 0.001

Show

Barthelemy Vessemont added a comment - 2014-12-02 12:04 - edited +1 A user with no priviliges is not able to check service status (which is not standard, check with other projects like apache, nginx, ntp, sshd, oracle mysql ...) : johndoe@mariadb-vagrant:/data$ service mysql status cat: /var/run/mysqld/mysqld.pid: Permission denied * MariaDB is stopped. It's ok with any sudoer/root account : root@mariadb-vagrant:/data# service mysql status * /usr/bin/mysqladmin Ver 9.1 Distrib 10.0.15-MariaDB, for debian-linux-gnu on x86_64 Copyright (c) 2000, 2014, Oracle, SkySQL Ab and others. Server version 10.0.15-MariaDB-1~precise-log Protocol version 10 Connection Localhost via UNIX socket UNIX socket /var/run/mysqld/mysqld.sock Uptime: 17 hours 4 min 25 sec Threads: 2 Questions: 91 Slow queries: 0 Opens: 97 Flush tables: 1 Open tables: 78 Queries per second avg: 0.001

Hide

Permalink

Elena Stepanova added a comment - 2014-12-02 15:15

Aurélien LEQUOY,

You can attach your patch to this JIRA issue, or go through the process as described here: https://mariadb.com/kb/en/mariadb/community/contributing-code/ , whichever you prefer.
If the patch is small and only affects the script, I suppose the former is much easier.
You will also probably be asked for the MCA confirmation.

Show

Elena Stepanova added a comment - 2014-12-02 15:15 Aurélien LEQUOY , You can attach your patch to this JIRA issue, or go through the process as described here: https://mariadb.com/kb/en/mariadb/community/contributing-code/ , whichever you prefer. If the patch is small and only affects the script, I suppose the former is much easier. You will also probably be asked for the MCA confirmation.

Hide

Permalink

Barthelemy Vessemont added a comment - 2014-12-03 13:23 - edited

Hi,

In order to allow standard user to check service status we need 2 things :

Since /usr/bin/mysqladmin ping requires read access to /etc/mysql/debian.cnf (which is protected file), we need to bypass ping test when running status with non-root/sudo user, thus it will only run a minimal pid/ps check :
=> very simple if [ "$(id -u)" != "0" ] in bash init script will disable ping test for standard user

Change posix ACL for /var/run/mysqld/mysqld.pid pidfile ...
=> this file is currently 0660, and it should be 0664 or 0644 (like every other pidfile in /run/pid).
=> mysqld code is currently managing this file , but I can't find out why the file is still 0660 while pidfile looks to be created with 0644 mode : https://github.com/MariaDB/server/blob/mariadb-10.0.10/sql/mysqld.cc#L9231

Show

Barthelemy Vessemont added a comment - 2014-12-03 13:23 - edited Hi, In order to allow standard user to check service status we need 2 things : Since /usr/bin/mysqladmin ping requires read access to /etc/mysql/debian.cnf (which is protected file), we need to bypass ping test when running status with non-root/sudo user, thus it will only run a minimal pid/ps check : => very simple if [ "$(id -u)" != "0" ] in bash init script will disable ping test for standard user Change posix ACL for /var/run/mysqld/mysqld.pid pidfile ... => this file is currently 0660, and it should be 0664 or 0644 (like every other pidfile in /run/pid). => mysqld code is currently managing this file , but I can't find out why the file is still 0660 while pidfile looks to be created with 0644 mode : https://github.com/MariaDB/server/blob/mariadb-10.0.10/sql/mysqld.cc#L9231

Hide

Permalink

Elena Stepanova added a comment - 2015-02-08 14:37

Otto Kekäläinen,

Please consider the report/request. If it shouldn't be implemented according to Debian policies or on any other reason, please close as 'Won't fix' with the explanation why not.

Thanks.

Show

Elena Stepanova added a comment - 2015-02-08 14:37 Otto Kekäläinen , Please consider the report/request. If it shouldn't be implemented according to Debian policies or on any other reason, please close as 'Won't fix' with the explanation why not. Thanks.

Hide

Permalink

Otto Kekäläinen added a comment - 2015-02-08 17:41

In official Debian/Ubuntu packages service status looks the same no matter if it is run as root or not:

{{

}}
$ service mysql status
mysql start/running, process 4480
$ sudo service mysql status
mysql start/running, process 4480
{{

}}

But it is true that even there the chmod is 0660 and not 0644 which is the standard. The pid file is however not created by the init script or anything in packaging, but by the mysqld daemon itself.

Show

Otto Kekäläinen added a comment - 2015-02-08 17:41 In official Debian/Ubuntu packages service status looks the same no matter if it is run as root or not: {{ }} $ service mysql status mysql start/running, process 4480 $ sudo service mysql status mysql start/running, process 4480 {{ }} But it is true that even there the chmod is 0660 and not 0644 which is the standard. The pid file is however not created by the init script or anything in packaging, but by the mysqld daemon itself.

Hide

Permalink

Jean Weisbuch added a comment - 2015-02-09 22:26

The fact that the file isnt created with the right permission is due to the fact that a "umask" value is set and is "substracted" from the CreateFlags (permission for the new file(s) created).

Adding "umask(0000);" before open() is called on the my_create function located on "mysys/my_create.c" makes the created pid file to have the right chmod (0664).
This is not a solution but it helps understand why the permission provided at mysql_file_create() on mysqld.cc gets modified.

Show

Jean Weisbuch added a comment - 2015-02-09 22:26 The fact that the file isnt created with the right permission is due to the fact that a "umask" value is set and is "substracted" from the CreateFlags (permission for the new file(s) created). Adding "umask(0000);" before open() is called on the my_create function located on " mysys/my_create.c " makes the created pid file to have the right chmod (0664). This is not a solution but it helps understand why the permission provided at mysql_file_create() on mysqld.cc gets modified.

People

Assignee:

Otto Kekäläinen

Reporter:

Aurélien LEQUOY

Votes:

2 Vote for this issue

Watchers:

6 Start watching this issue

Dates

Created:

2014-12-02 11:44

Updated:

2015-02-09 22:26

Agile

View on Board