Bug#27919254 MYSQL USER ESCALATES ITS PRIVILEGE BY PLACING ARBITRARY PIDS INTO ITS PID FILES

2025-01-16 12:02:42 +01:00 · 2018-10-23 16:00:45 +02:00 · 2018-10-23 16:00:45 +02:00 · 73e1ffdc68
commit 73e1ffdc68
parent 98f15dac60
1 changed files with 19 additions and 12 deletions
--- a/support-files/mysql.server.sh
+++ b/support-files/mysql.server.sh
@ -128,8 +128,9 @@ esac

 parse_server_arguments() {
  for arg do
+    val=`echo "$arg" | sed -e 's/^[^=]*=//'`
    case "$arg" in
-      --basedir=*)  basedir=`echo "$arg" | sed -e 's/^[^=]*=//'`
+      --basedir=*)  basedir="$val"
                    bindir="$basedir/bin"
 		    if test -z "$datadir_set"; then
 		      datadir="$basedir/data"
@ -143,14 +144,15 @@ parse_server_arguments() {
                    fi
 		    libexecdir="$basedir/libexec"
        ;;
-      --datadir=*)  datadir=`echo "$arg" | sed -e 's/^[^=]*=//'`
+      --datadir=*)  datadir="$val"
 		    datadir_set=1
 	;;
      --log-basename=*|--hostname=*|--loose-log-basename=*)
-        mysqld_pid_file_path=`echo "$arg.pid" | sed -e 's/^[^=]*=//'`
+        mysqld_pid_file_path="$val.pid"
 	;;
-      --pid-file=*) mysqld_pid_file_path=`echo "$arg" | sed -e 's/^[^=]*=//'` ;;
-      --service-startup-timeout=*) service_startup_timeout=`echo "$arg" | sed -e 's/^[^=]*=//'` ;;
+      --pid-file=*) mysqld_pid_file_path="$val" ;;
+      --service-startup-timeout=*) service_startup_timeout="$val" ;;
+      --user=*) user="$val"; ;;
    esac
  done
 }
@ -182,6 +184,12 @@ else
  test -z "$print_defaults" && print_defaults="my_print_defaults"
 fi

+user='@MYSQLD_USER@'
+
+su_kill() {
+  su - $user -s /bin/sh -c "kill $*" >/dev/null 2>&1
+}
+
 #
 # Read defaults file from 'basedir'.   If there is no defaults file there
 # check if it's in the old (depricated) place (datadir) and read it from there
@ -210,7 +218,7 @@ wait_for_gone () {

  while test $i -ne $service_startup_timeout ; do

-    if kill -0 "$pid" 2>/dev/null; then
+    if su_kill -0 "$pid" ; then
      :  # the server still runs
    else
      if test ! -s "$pid_file_path"; then
@ -250,7 +258,7 @@ wait_for_ready () {
    if $bindir/mysqladmin ping >/dev/null 2>&1; then
      log_success_msg
      return 0
-    elif kill -0 $! 2>/dev/null ; then
+    elif kill -0 $! ; then
      :  # mysqld_safe is still running
    else
      # mysqld_safe is no longer running, abort the wait loop
@ -319,10 +327,9 @@ case "$mode" in
    then
      mysqld_pid=`cat "$mysqld_pid_file_path"`

-      if (kill -0 $mysqld_pid 2>/dev/null)
-      then
+      if su_kill -0 $mysqld_pid ; then
        echo $echo_n "Shutting down MariaDB"
-        kill $mysqld_pid
+        su_kill $mysqld_pid
        # mysqld should remove the pid file when it exits, so wait for it.
        wait_for_gone $mysqld_pid "$mysqld_pid_file_path"; return_value=$?
      else
@ -355,7 +362,7 @@ case "$mode" in
  'reload'|'force-reload')
    if test -s "$mysqld_pid_file_path" ; then
      read mysqld_pid <  "$mysqld_pid_file_path"
-      kill -HUP $mysqld_pid && log_success_msg "Reloading service MariaDB"
+      su_kill -HUP $mysqld_pid && log_success_msg "Reloading service MariaDB"
      touch "$mysqld_pid_file_path"
    else
      log_failure_msg "MariaDB PID file could not be found!"
@ -366,7 +373,7 @@ case "$mode" in
    # First, check to see if pid file exists
    if test -s "$mysqld_pid_file_path" ; then 
      read mysqld_pid < "$mysqld_pid_file_path"
-      if kill -0 $mysqld_pid 2>/dev/null ; then 
+      if su_kill -0 $mysqld_pid ; then
        log_success_msg "MariaDB running ($mysqld_pid)"
        exit 0
      else