Percona Server moved to https://jira.percona.com/projects/PS

basedir cannot be a symlink

Bug #1639735 reported by Miguel Angel Nieto
10
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Percona Server moved to https://jira.percona.com/projects/PS
Status tracked in 5.7
5.5
Fix Released
Medium
EvgeniyPatlan
Percona Server moved to https://jira.percona.com/projects/PS 5.5.55-38.8
5.6
Fix Released
Medium
EvgeniyPatlan
Percona Server moved to https://jira.percona.com/projects/PS 5.6.36-82.0
5.7
Fix Released
Medium
EvgeniyPatlan
Percona Server moved to https://jira.percona.com/projects/PS 5.7.18-14

Bug Description

From version 5.7.14-8 it is not possible to configure basedir to a simlink. The changelog mentions:

Implemented restrictions on symlinked files (error_log, pid_file) that can’t be used with mysqld_safe. Bug fixed #1624449.

but there is no mention to the basedir parameter in general. It this behaviour expected? If the whole basedir is a simlink, it won't start because some of those restricted files are there?

localhost> cat /etc/my.cnf | grep basedir
basedir=/usr/local/mysql

localhost> cd /usr/local/

localhost> sudo unlink mysql

localhost> sudo ln -s /mysql/Percona-Server-5.7.14-7-Linux.x86_64.ssl101 mysql

localhost> /usr/local/mysql/support-files/mysql.server start
Starting MySQL (Percona Server). SUCCESS!

localhost> /usr/local/mysql/support-files/mysql.server stop
Shutting down MySQL (Percona Server).. SUCCESS!

localhost> sudo ln -s /mysql/Percona-Server-5.7.14-8-Linux.x86_64.ssl101 mysql

localhost> /usr/local/mysql/support-files/mysql.server start
Starting MySQL (Percona Server). ERROR! The server quit without updating PID file (/usr/local/mysql/data/pidfile.pid).

localhost> cat /etc/my.cnf | grep basedir
basedir=/mysql/Percona-Server-5.7.14-8-Linux.x86_64.ssl101

localhost> /usr/local/mysql/support-files/mysql.server start
Starting MySQL (Percona Server). SUCCESS!

localhost> /usr/local/mysql/support-files/mysql.server stop
Shutting down MySQL (Percona Server).. SUCCESS!

localhost> sudo unlink mysql

localhost> sudo ln -s /mysql/Percona-Server-5.7.15-9-Linux.x86_64.ssl101 mysql

localhost> /usr/local/mysql/support-files/mysql.server start
Starting MySQL (Percona Server). SUCCESS!

localhost> /usr/local/mysql/support-files/mysql.server stop
Shutting down MySQL (Percona Server).. SUCCESS!

localhost> cat /etc/my.cnf | grep basedir
basedir=/usr/local/mysql

localhost> /usr/local/mysql/support-files/mysql.server start
Starting MySQL (Percona Server). mysqld_safe ld_preload libraries can only be loaded from system directories (/usr/lib64, /usr/lib, /usr/local/mysql/lib)
ERROR! The server quit without updating PID file (/usr/local/mysql/data/pidfile.pid).

Tags: pkg regression
Miguel Angel Nieto (miguelangelnieto)
Changed in percona-server:
status: New → Confirmed
Laurynas Biveinis (laurynas-biveinis)
tags: added: pkg
Revision history for this message
Sveta Smirnova (svetasmirnova) wrote :

Percona-specific, not repeatable with upstream

Laurynas Biveinis (laurynas-biveinis)
tags: added: regression
Revision history for this message
EvgeniyPatlan (evgeniy-patlan) wrote :

Yes all libraries should be loaded from the mentioned directories and links couldn't be used.
Only t=such configuration is possible, all other configurations are vulnerable.
The exception is also --basedir=/path parameter from mysqld_safe.sh

Revision history for this message
Sveta Smirnova (svetasmirnova) wrote :

Evgeniy,

using /usr/local/mysql as symlink was common usage for years. Why it started to be vulnerable just now? Where is a link to upstream bug, saying their configuration (which support symlinks) is vulnerable?

Laurynas Biveinis (laurynas-biveinis)
Changed in percona-server:
status: Triaged → New
Revision history for this message
EvgeniyPatlan (evgeniy-patlan) wrote :

The issue should be fixed n the upcoming releases.
Here are the PRs:
https://github.com/percona/percona-server/pull/1643
https://github.com/percona/percona-server/pull/1644
https://github.com/percona/percona-server/pull/1645

Revision history for this message
Shahriyar Rzayev (rzayev-sehriyar) wrote :

Percona now uses JIRA for bug reports so this bug report is migrated to: https://jira.percona.com/browse/PS-1759

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.