Michael Widenius wrote: > > >>>>> "Sandu" == Sandu Mihai <mikeat_private> writes: > > Sandu> When you use a certain mysql configuration it is possible to create > Sandu> files on the system as root with rw-rw-rw. <snip> > The file is always created with 0666, by the following code: > > sql_class.cc:167: if ((file=my_create(path, 0666, O_WRONLY, MYF(MY_WME))) < 0) > > Normally one should never run mysqld as root and one should always > set a password for the MySQL root user. Of course: a) mysqld runs as root by default b) if you've set the port <1024, so it gets filtered naturally by your firewall, you have to run as root. The following patch fixes this problem (on FreeBSD at least), if you add "MYSQL_USER=someuser; export MYSQL_USER" to safe_mysqld. Only lightly tested... --- mysqld.cc.orig Tue Mar 31 19:27:53 1998 +++ mysqld.cc Tue Mar 31 19:35:59 1998 @@ -57,6 +57,8 @@ #define SET_RLIMIT_NOFILE #endif +#include <pwd.h> + #define MAX_RETRY 10 // Test accept this many times #define CONNECT_TIMEOUT 3 // Don't wait long for connect @@ -291,6 +293,33 @@ } } +static void set_user() +{ + struct passwd *ent; + char *user; + +// don't bother if we aren't superuser + if(geteuid()) + return; + + if(!(user = getenv("MYSQL_USER"))) + return; + + if(!(ent = getpwnam(user))) + { + perror("getpwnam"); + application_end(); + unireg_abort(1); + } + + if(setuid(ent->pw_uid) == -1) + { + perror("setuid"); + application_end(); + unireg_abort(1); + } +} + static void server_init(void) { @@ -336,6 +365,9 @@ application_end(); unireg_abort(1); } + + set_user(); + VOID(listen(ip_sock,(int) back_log)); } Cheers, Ben. -- Ben Laurie |Phone: +44 (181) 735 0686| Apache Group member Freelance Consultant |Fax: +44 (181) 735 0689|http://www.apache.org and Technical Director|Email: benat_private | A.L. Digital Ltd, |Apache-SSL author http://www.apache-ssl.org/ London, England. |"Apache: TDG" http://www.ora.com/catalog/apache
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:47:37 PDT