author | Christian Hesse
<eworm@archlinux.org> 2019-01-25 15:15:05 UTC |
committer | Christian Hesse
<eworm@archlinux.org> 2019-01-25 15:15:05 UTC |
parent | 04abf421e542462514c277e7bdd47c34a6f4e932 |
0002-fix-galera_recovery-with-fs.protected_regular-enabled.patch | +32 | -0 |
PKGBUILD | +10 | -3 |
diff --git a/0002-fix-galera_recovery-with-fs.protected_regular-enabled.patch b/0002-fix-galera_recovery-with-fs.protected_regular-enabled.patch
new file mode 100644
index 0000000..f3de571
--- /dev/null
+++ b/0002-fix-galera_recovery-with-fs.protected_regular-enabled.patch
@@ -0,0 +1,32 @@
+From 5936f0be4a49eda7b05ea1591bbbba3d72e4d7b9 Mon Sep 17 00:00:00 2001
+From: Christian Hesse <mail@eworm.de>
+Date: Fri, 25 Jan 2019 14:50:53 +0100
+Subject: fix galera_recovery with fs.protected_regular enabled
+
+The fs.protected_regular sysctls was added in Linux 4.19 to make some
+data spoofing attacks harder. With systemd v241 these will be enabled
+by default.
+
+With this protection enabled galera_recovery fails with EPERM
+(permission denied). This is caused by a wrong security measure:
+The script changes ownership of $log_file to $user, though $user never
+touches it. The shell redirection writes output to the file, not mysqld.
+So just drop chown to fix this.
+---
+ scripts/galera_recovery.sh | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/scripts/galera_recovery.sh b/scripts/galera_recovery.sh
+index c58f3d8f6b9..c70decc0005 100644
+--- a/scripts/galera_recovery.sh
++++ b/scripts/galera_recovery.sh
+@@ -101,8 +101,7 @@ wsrep_recover_position() {
+
+ # Safety checks
+ if [ -n "$log_file" -a -f "$log_file" ]; then
+- [ "$euid" = "0" ] && chown $user $log_file
+- chmod 600 $log_file
++ chmod 600 $log_file
+ else
+ log "WSREP: mktemp failed"
+ fi
diff --git a/PKGBUILD b/PKGBUILD
index dfe98a9..b849e4c 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -5,7 +5,7 @@ pkgbase=mariadb
 pkgname=('mariadb-libs' 'mariadb-clients' 'mariadb' 'mytop')
 pkgdesc='Fast SQL database server, derived from MySQL'
 pkgver=10.3.12
-pkgrel=4
+pkgrel=5
 arch=('x86_64')
 license=('GPL')
 url='https://mariadb.org/'
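Review bot: In the embedded galera_recovery.sh hunk, the surviving `chmod 600 $log_file` expands the variable unquoted although the test one line above quotes it; `chmod 600 "$log_file"` would keep the two consistent and hold up if the mktemp path ever contains whitespace. Dropping the chown is only safe if nothing running as $user opens the file, which the commit message asserts but the hunk does not show, so it is worth confirming that the recovery command later in wsrep_recover_position() still writes through a shell redirection rather than handing the path to mysqld. A short comment above the chmod, such as `# keep the caller as owner: only the shell redirection writes here, and fs.protected_regular rejects opening a file owned by another user in a sticky world-writable directory`, would stop the chown from being reintroduced as a supposed hardening step. The function body starts and continues outside the hunk.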
@@ -13,10 +13,12 @@ makedepends=('boost' 'bzip2' 'cmake' 'jemalloc' 'libaio' 'libxml2' 'lz4' 'lzo' 'openssl' 'systemd' 'zlib' 'zstd') validpgpkeys=('199369E5404BD5FC7D2FE43BCBCB082A1BB943DB') # MariaDB Package Signing Key <package-signing-key@mariadb.org> source=("https://ftp.heanet.ie/mirrors/mariadb/mariadb-$pkgver/source/mariadb-$pkgver.tar.gz"{,.asc} - '0001-MDEV-18360-Prevent-set_max_open_files-from-allocating-too-many-files.patch') + '0001-MDEV-18360-Prevent-set_max_open_files-from-allocating-too-many-files.patch' + '0002-fix-galera_recovery-with-fs.protected_regular-enabled.patch') sha256sums=('f7449a34c25e0455928d7983dae83fd2069fe1f16c4c5f4aeed9ed9d3f081ff6' 'SKIP' - 'f2a93769bfd9a5421871846b091ff752dfceea1791beab2ee55ac93d24df02c7') + 'f2a93769bfd9a5421871846b091ff752dfceea1791beab2ee55ac93d24df02c7' + '66e0acac7436fd8925710ef5cc66ba1a8f63a385ce374f01ae83096cc33d97a0') prepare() { cd $pkgbase-$pkgver/ @@ -44,6 +46,11 @@ prepare() { # https://github.com/systemd/systemd/issues/11510 # https://jira.mariadb.org/browse/MDEV-18360 patch -Np1 < ../0001-MDEV-18360-Prevent-set_max_open_files-from-allocating-too-many-files.patch + + # fix galera_recovery with fs.protected_regular enabled + # https://github.com/MariaDB/server/pull/1137 + patch -Np1 < ../0002-fix-galera_recovery-with-fs.protected_regular-enabled.patch + } build() {
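Review bot: The block added to prepare() in the last PKGBUILD hunk appears to end with an empty `+` line directly before the closing `}`, which leaves a stray blank line at the end of the function; dropping it keeps the function tidy. The comment above the new `patch -Np1` call links the upstream pull request but does not say when the downstream patch can go, so a line such as `# drop once https://github.com/MariaDB/server/pull/1137 is part of a release` would help at the next version bump.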