
galera_recovery script is incompatible with fs.protected_regular = 1 sysctl


Details

    Description

      (this has been already reported as https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=945051)

      I have created a few Debian LXC containers on my Arch Linux system for the purpose of testing Galera replication in MariaDB. Unfortunately, they don't work out of the box, because Arch Linux comes with fs.protected_regular = 1 sysctl by default. The same applies to any other distribution which uses a modern version of systemd: see https://github.com/systemd/systemd/commit/2732587540035227fe59e4b64b60127352611b35 .

      The failing script during service start is /usr/bin/galera_recovery, the error is:

      /usr/bin/galera_recovery: 71: /usr/bin/galera_recovery: cannot create /tmp/wsrep_recovery.BLuWHq: Permission denied

      Let's see why (line numbers are from Debian).

      28 log_file=$(mktemp /tmp/wsrep_recovery.XXXXXX)
      ... (in a function)
      71 eval /usr/sbin/mysqld $cmdline_args --user=$user --wsrep_recover \
      72 --disable-log-error 2> "$log_file"
      ...
      104 [ "$euid" = "0" ] && chown $user $log_file

      So, $log_file is created by mktemp, then chowned to $user, and then opened for writing the log. The opening happens by the shell, not by mysqld, and so it's done as root. So, root tries to open a file, owned by someone else, in a sticky world-writeable directory, and this is exactly what fs.protected_regular = 1 disallows.

      The fix would be to remove this line:

      [ "$euid" = "0" ] && chown $user $log_file

      This is valid, because permissions are checked at open time, and it's root, not $user, who opens the file.
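The ownership sequence described above can be checked without root by modelling the kernel's fs.protected_regular rule. This is an added example, not part of the bug report or of MariaDB; it re-implements the decision logic of may_create_in_sticky() in fs/namei.c in plain Python, and the uids and the 0o1777 mode for /tmp are constructed assumptions.

```python
"""Model of the fs.protected_regular check that breaks galera_recovery.

Added example, not part of the MariaDB bug report. It mirrors the kernel's
may_create_in_sticky() rule (fs/namei.c) so the original and the fixed
ownership sequences from the report can be compared as ordinary user code.
"""
import stat


def open_denied(protected_regular, dir_mode, dir_uid, file_uid, fsuid):
    """Return True if an O_CREAT open of an *existing* regular file inside a
    directory with mode dir_mode is refused by fs.protected_regular.

    The kernel skips the check when the sysctl is 0, when the directory is not
    sticky, when the file belongs to the directory owner, or when the opener
    already owns the file. Otherwise a world-writable sticky directory (/tmp)
    is refused at level 1, and a group-writable one additionally at level 2.
    A shell redirect such as '2> "$log_file"' is exactly such an open.
    """
    if protected_regular == 0:
        return False
    if not dir_mode & stat.S_ISVTX:          # directory is not sticky
        return False
    if file_uid == dir_uid or fsuid == file_uid:
        return False
    if dir_mode & 0o002:                     # world-writable: level 1
        return True
    if dir_mode & 0o020 and protected_regular >= 2:   # group-writable: level 2
        return True
    return False


ROOT, MYSQL = 0, 999   # constructed uids; 999 stands for the script's $user
TMP_MODE = 0o1777      # /tmp is sticky, world-writable and owned by root


def galera_recovery_original(protected_regular):
    """Original script: mktemp as root, chown $user, then root opens the log.
    Returns True if the 'cannot create ...: Permission denied' failure occurs."""
    file_uid = MYSQL     # [ "$euid" = "0" ] && chown $user $log_file
    return open_denied(protected_regular, TMP_MODE, ROOT, file_uid, ROOT)


def galera_recovery_fixed(protected_regular):
    """Script with the chown line removed: the mktemp file stays root-owned,
    so the root-owned shell may open it under any protected_regular level."""
    file_uid = ROOT
    return open_denied(protected_regular, TMP_MODE, ROOT, file_uid, ROOT)
```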

            People

              jplindst Jan Lindström (Inactive)
              patrakov Alexander E. Patrakov