On 12.09.2016 at 23:58, Reinis Rozitis wrote:
a service itself *must not* have the permissions to write its config files
The safeguard script also reads configuration files from MySQL's data directory which is writable by the service
[root@srv-rhsoft:~]$ cat /etc/passwd | grep mysql
mysql:x:27:27:MySQL Server:/dev/null:/usr/sbin/nologin

"mysqld_safe" has been deleted from packages here for 5 years
Though the author also covers cases of bad configuration and possible victims.
"Root-Code-Execution" is clickbait
Since when is a CVE clickbait ..
the "Root-Code-Execution" part is

maybe someone considers throwing away "mysqld_safe" and stops starting it as root anyways, since for high ports root permissions were *never* needed
__________________________________

* this below does the same as "mysqld_safe" way cleaner
* it restarts mysqld if it crashes
* it doesn't contain obscure shell scripts
* systemd doesn't need pid-files for tracking type=simple
* "mysqld-wait-ready" makes sure depending services are started after the daemon is fully operational
* no bit of mysql is running as root
__________________________________

[Service]
Type=simple
User=mysql
Group=mysql
ExecStart=/usr/libexec/mysqld --defaults-file=/etc/my.cnf --pid-file=/dev/null
ExecStartPost=/usr/libexec/mysqld-wait-ready $MAINPID
Environment="LANG=en_GB.UTF-8"
Restart=always
RestartSec=1
__________________________________

[root@srv-rhsoft:~]$ cat /usr/libexec/mysqld-wait-ready
#!/usr/bin/bash

# Service file passes us the daemon's PID
daemon_pid="$1"

# Wait for the server to come up or for the mysqld process to disappear
ret=0
while /usr/bin/true; do
    RESPONSE=`/usr/bin/mysqladmin --defaults-file=/etc/my.cnf --socket=/var/lib/mysql/mysql.sock --user=UNKNOWN_MYSQL_USER ping 2>&1`
    mret=$?
    if [ $mret -eq 0 ]; then
        break
    fi
    # exit codes 1, 11 (EXIT_CANNOT_CONNECT_TO_SERVICE) are expected,
    # anything else suggests a configuration error
    if [ $mret -ne 1 -a $mret -ne 11 ]; then
        ret=1
        break
    fi
    # "Access denied" also means the server is alive
    echo "$RESPONSE" | grep -q "Access denied for user" && break

    # Check process still exists
    if ! /usr/bin/kill -0 $daemon_pid 2>/dev/null; then
        ret=1
        break
    fi
    usleep 100000
done

exit $ret
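
Added example, not part of the original message: a Python check for the rule stated above, that a service must not be able to write the config files it reads. It assumes plain Unix mode bits only (no ACLs, no sticky-bit or ancestor-directory checks); the service account ids and the temporary etc/ and data/ layout in demo() are constructed for the illustration.

```python
import os
import stat
import tempfile


def writable_by(path, uid, gids):
    """True if the account (uid, gids) can modify `path` with its own rights:
    as owner (an owner can always chmod), via group bits, or via other bits."""
    st = os.stat(path)
    if st.st_uid == uid:
        return True
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_config(paths, uid, gids):
    """Return {path: reason} for each config file the service account could
    change, either directly or by creating/replacing it in its directory."""
    findings = {}
    for path in paths:
        parent = os.path.dirname(os.path.abspath(path))
        if os.path.exists(path) and writable_by(path, uid, gids):
            findings[path] = "file writable by service account"
        elif writable_by(parent, uid, gids):
            findings[path] = "directory writable by service account"
    return findings


def demo():
    # Constructed layout: etc/ stands in for /etc, data/ for the data directory.
    svc_uid, svc_gid = os.getuid() + 1, os.getgid() + 1  # hypothetical account
    root = tempfile.mkdtemp()
    etc, data = os.path.join(root, "etc"), os.path.join(root, "data")
    os.mkdir(etc)
    os.mkdir(data)
    os.chmod(etc, 0o755)
    os.chmod(data, 0o777)  # stands in for a directory the service can write
    cnf = os.path.join(etc, "my.cnf")
    open(cnf, "w").close()
    os.chmod(cnf, 0o644)
    datadir_cnf = os.path.join(data, "my.cnf")  # not present yet, but creatable
    return cnf, datadir_cnf, audit_config([cnf, datadir_cnf], svc_uid, {svc_gid})


if __name__ == "__main__":
    print(demo()[2])
```

To audit a real host, pass audit_config() the config paths the start script actually reads and the uid and group ids of the service account.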