Bug#27919254 MYSQL USER ESCALATES ITS PRIVILEGE BY PLACING ARBITRARY PIDS INTO ITS PID FILES

Sergei Golubchik 2018-10-23 16:00:45 +02:00
parent 98f15dac60
commit 73e1ffdc68


@ -128,8 +128,9 @@ esac
parse_server_arguments() { parse_server_arguments() {
for arg do for arg do
val=`echo "$arg" | sed -e 's/^[^=]*=//'`
case "$arg" in case "$arg" in
--basedir=*) basedir=`echo "$arg" | sed -e 's/^[^=]*=//'` --basedir=*) basedir="$val"
bindir="$basedir/bin" bindir="$basedir/bin"
if test -z "$datadir_set"; then if test -z "$datadir_set"; then
datadir="$basedir/data" datadir="$basedir/data"
@ -143,14 +144,15 @@ parse_server_arguments() {
fi fi
libexecdir="$basedir/libexec" libexecdir="$basedir/libexec"
;; ;;
--datadir=*) datadir=`echo "$arg" | sed -e 's/^[^=]*=//'` --datadir=*) datadir="$val"
datadir_set=1 datadir_set=1
;; ;;
--log-basename=*|--hostname=*|--loose-log-basename=*) --log-basename=*|--hostname=*|--loose-log-basename=*)
mysqld_pid_file_path=`echo "$arg.pid" | sed -e 's/^[^=]*=//'` mysqld_pid_file_path="$val.pid"
;; ;;
--pid-file=*) mysqld_pid_file_path=`echo "$arg" | sed -e 's/^[^=]*=//'` ;; --pid-file=*) mysqld_pid_file_path="$val" ;;
--service-startup-timeout=*) service_startup_timeout=`echo "$arg" | sed -e 's/^[^=]*=//'` ;; --service-startup-timeout=*) service_startup_timeout="$val" ;;
--user=*) user="$val"; ;;
esac esac
done done
} }
@ -182,6 +184,12 @@ else
test -z "$print_defaults" && print_defaults="my_print_defaults" test -z "$print_defaults" && print_defaults="my_print_defaults"
fi fi
user='@MYSQLD_USER@'
su_kill() {
su - $user -s /bin/sh -c "kill $*" >/dev/null 2>&1
}
# #
# Read defaults file from 'basedir'. If there is no defaults file there # Read defaults file from 'basedir'. If there is no defaults file there
# check if it's in the old (depricated) place (datadir) and read it from there # check if it's in the old (depricated) place (datadir) and read it from there
@ -210,7 +218,7 @@ wait_for_gone () {
while test $i -ne $service_startup_timeout ; do while test $i -ne $service_startup_timeout ; do
if kill -0 "$pid" 2>/dev/null; then if su_kill -0 "$pid" ; then
: # the server still runs : # the server still runs
else else
if test ! -s "$pid_file_path"; then if test ! -s "$pid_file_path"; then
@ -250,7 +258,7 @@ wait_for_ready () {
if $bindir/mysqladmin ping >/dev/null 2>&1; then if $bindir/mysqladmin ping >/dev/null 2>&1; then
log_success_msg log_success_msg
return 0 return 0
elif kill -0 $! 2>/dev/null ; then elif kill -0 $! ; then
: # mysqld_safe is still running : # mysqld_safe is still running
else else
# mysqld_safe is no longer running, abort the wait loop # mysqld_safe is no longer running, abort the wait loop
@ -319,10 +327,9 @@ case "$mode" in
then then
mysqld_pid=`cat "$mysqld_pid_file_path"` mysqld_pid=`cat "$mysqld_pid_file_path"`
if (kill -0 $mysqld_pid 2>/dev/null) if su_kill -0 $mysqld_pid ; then
then
echo $echo_n "Shutting down MariaDB" echo $echo_n "Shutting down MariaDB"
kill $mysqld_pid su_kill $mysqld_pid
# mysqld should remove the pid file when it exits, so wait for it. # mysqld should remove the pid file when it exits, so wait for it.
wait_for_gone $mysqld_pid "$mysqld_pid_file_path"; return_value=$? wait_for_gone $mysqld_pid "$mysqld_pid_file_path"; return_value=$?
else else
@ -355,7 +362,7 @@ case "$mode" in
'reload'|'force-reload') 'reload'|'force-reload')
if test -s "$mysqld_pid_file_path" ; then if test -s "$mysqld_pid_file_path" ; then
read mysqld_pid < "$mysqld_pid_file_path" read mysqld_pid < "$mysqld_pid_file_path"
kill -HUP $mysqld_pid && log_success_msg "Reloading service MariaDB" su_kill -HUP $mysqld_pid && log_success_msg "Reloading service MariaDB"
touch "$mysqld_pid_file_path" touch "$mysqld_pid_file_path"
else else
log_failure_msg "MariaDB PID file could not be found!" log_failure_msg "MariaDB PID file could not be found!"
@ -366,7 +373,7 @@ case "$mode" in
# First, check to see if pid file exists # First, check to see if pid file exists
if test -s "$mysqld_pid_file_path" ; then if test -s "$mysqld_pid_file_path" ; then
read mysqld_pid < "$mysqld_pid_file_path" read mysqld_pid < "$mysqld_pid_file_path"
if kill -0 $mysqld_pid 2>/dev/null ; then if su_kill -0 $mysqld_pid ; then
log_success_msg "MariaDB running ($mysqld_pid)" log_success_msg "MariaDB running ($mysqld_pid)"
exit 0 exit 0
else else
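Review bot: The new su_kill helper (added in the third hunk of this file) builds its command by interpolating `$*` into `sh -c "kill $*"`, and every pid it receives comes straight from the pid file (`cat`/`read` in the stop, reload and status hunks) — the very file this commit stops trusting — so a pid file holding `1; cmd` runs `cmd` under $user; the damage is now bounded to the mysql account, but it is still a shell injection driven from a root-run init script. Reject anything that is not a signal name or a number before reaching su, e.g. as the first line of su_kill `for a; do case "$a" in ''|*[!A-Za-z0-9-]*) return 1 ;; esac; done`, and quote the account name, `su - "$user" -s /bin/sh -c "kill $*"`. The blanket `>/dev/null 2>&1` also hides su's own failures (nonexistent account, PAM refusal), so a misconfigured `--user` is reported by `status` as "MariaDB is not running" rather than as an error; keeping stderr, or checking that the account exists once up front, would make that distinguishable. Lastly, `su -` requests a login shell, which presumably sources the target user's profile; if that user's home directory is the writable datadir, a planted `.profile` would run on every stop/status/reload — `su "$user" -s /bin/sh` without the `-` avoids that without changing the privilege check.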