automated tests run during build fail due to apparmor protections for mysqld unless build is done in /tmp
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
php5 (Ubuntu) | Fix Released | High | Clint Byrum | |
Bug Description
Binary package hint: php5
The automated tests that are run during the build process try to run mysql relative to the build directory.
Because of the apparmor profile, when mysql-server is installed, /usr/sbin/mysqld is only allowed arbitrary access under temp dirs (/tmp, /var/tmp, etc).
Also bug #375371 proposes to go even further and restrict that to a dir owned and only writable by mysql.
Proposed solution is to copy the necessary pieces of mysqld into the build directory and run them as part of the build step. This will prevent the apparmor profile for /usr/sbin/mysqld from being matched, and will allow the proposed security enhancement to go forward.
I have tested this and it seems to work fine on maverick. Will push up a branch when all tests complete.
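The description above relies on AppArmor attaching the mysqld profile by executable path, so a copy of the binary at another path runs without it. As an added example (not taken from the bug report or the php5 packaging), this shell function flags such copies given a profile listing and a process listing; the sample data and the build path are constructed, and glob-named profiles are skipped as a simplifying assumption.

```shell
#!/bin/sh
# Added example: flag processes running a copy of a profiled binary from a
# path that the AppArmor profile does not attach to.
# Inputs (constructed below; on a live host they would come from
# /sys/kernel/security/apparmor/profiles and "readlink /proc/<pid>/exe"):
#   profiles listing: "<profile name> (<mode>)" per line
#   process listing:  "<pid> <exe path>" per line (paths without spaces)
# Assumption: only profiles named by an absolute path with no glob
# characters are considered; glob-named profiles are skipped.

find_unconfined_copies() {
    # $1 = profiles listing file, $2 = process listing file
    awk '
        FILENAME == ARGV[1] {
            name = $1
            if (name ~ /^\// && name !~ /[*?{]/ && index(name, "[") == 0) {
                n = split(name, parts, "/")
                profiled[name] = 1          # exact attachment path
                by_base[parts[n]] = name    # basename -> profiled path
            }
            next
        }
        {
            n = split($2, parts, "/")
            if ((parts[n] in by_base) && !($2 in profiled))
                printf "%s %s (profile attaches to %s)\n", $1, $2, by_base[parts[n]]
        }
    ' "$1" "$2"
}

demo() {
    # Constructed sample data; /build/php5/mysql_db is a hypothetical build dir.
    dir=$(mktemp -d)
    printf '%s\n' '/usr/sbin/mysqld (enforce)' '/usr/sbin/tcpdump (enforce)' \
        > "$dir/profiles"
    printf '%s\n' '812 /usr/sbin/mysqld' '4471 /build/php5/mysql_db/mysqld' \
        '4502 /usr/bin/php5' > "$dir/procs"
    find_unconfined_copies "$dir/profiles" "$dir/procs"
    rm -rf "$dir"
}

demo   # prints: 4471 /build/php5/mysql_db/mysqld (profile attaches to /usr/sbin/mysqld)
```

On a live host, confirm each hit by reading `/proc/<pid>/attr/current`, which shows the confinement the kernel actually applied to that process.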
Related branches
- Mathias Gug: Pending requested
- Diff: 71 lines (+23/-2), 3 files modified
  - debian/changelog (+8/-0)
  - debian/rules (+2/-0)
  - debian/setup-mysql.sh (+13/-2)
- Clint Byrum (community): Disapprove
- Chuck Short: Pending requested
- Diff: 925 lines (+381/-160), 11 files modified
  - debian/changelog (+63/-0)
  - debian/control (+140/-113)
  - debian/maxlifetime (+1/-1)
  - debian/patches/CVE-2010-2950.patch (+2/-7)
  - debian/patches/CVE-2010-3710.patch (+35/-0)
  - debian/patches/fix-ftbfs-and-dso.patch (+55/-0)
  - debian/patches/php-5.3.4-ini.patch (+30/-0)
  - debian/patches/php_crypt_revamped.patch (+37/-23)
  - debian/patches/series (+5/-4)
  - debian/patches/use_system_crypt_fixes.patch (+11/-8)
  - debian/rules (+2/-4)
Changed in php5 (Ubuntu): status: Triaged → In Progress
Changed in php5 (Ubuntu): status: In Progress → Fix Released
Clint: is this really about php5? Or about mysql?