Am Sonntag, Mai 14, 2017 16:36 CEST, Glen
The recent update to mysql-community-server-5.6.36-24.3.3.x86_64 introduced a change to /usr/lib/mysql/mysql-systemd-helper:
# diff mysql-systemd-helper.old mysql-systemd-helper 168a169,171
# set the default umask bsc#1020976 umask 077
[...] So, I am trying to understand why this change was made (since I don't want to revert something deemed an issue) and what the correct response to this change should be.
This indicates that all your applications are using file sockets to connect to MySQL instead of, say, network sockets (TCP/IP). Maybe for performance reasons. With the change, the path to the socket file is no longer accessible to your apps and they fail. I tried to understand the security report but failed. They tend to be cryptic in order to give potential attackers not too many details how they can ruin your day until you have patched your code. I'm wondering about this patch as well. Making the socket inaccessible for anyone but the owner of the folder is a bad idea unless you can run all your apps as this user. If the folder is owned by root, that asks for "run every app as root" which is a very, very bad idea. Even if it's not root, it's bad. If the owner is "mysql" then this opens any files owned by MySQL to tampering by your app which feels wrong, too. I would understand a umask 007 with ownership mysql:mysql-apps. That way, you could create any number of users to run your applications and add them to the group "mysql-apps" so only they have access and only to this folder. That keeps everyone else out. So this is either a mistake or a bad security patch (which creates more issues than it solves) or it's a desperate measure for a very huge issue they can't talk about and which they can't fix right away. Something like "any local user can bring down MySQL" or "any local user can modify/corrupt the data". What are your options: 1. Revert the patch. 2. Create the "mysql-apps" group and modify the patch 3. Talk to your developers whether they can access MySQL without using sockets. 4. Open a support ticket with Oracle to inquire what's going on and how to fix this in your case. I wouldn't recommend #1. Security is becoming stranger every day. Just a short while ago, I learned a way how to download files from a server using just XML. #2 looks like a good short-term solution to me. There might be a security hole lurking in there which can bring your whole business down but that's the risk you have to live with anyway. At least attackers will have to break into the group before they can access the socket (which will take more time and skill since it's a single point solution just for you). I'm not sure about #3 but maybe the devs know something we don't. If you have a support contract with Oracle, use it. Regards, -- Aaron "Optimizer" Digulla a.k.a. Philmann Dark "It's not the universe that's limited, it's our imagination. Follow me and I'll show you something beyond the limits." http://blog.pdark.de/ -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org