chmod 2750 on /var/log/mysql

Bug #1657867 reported by Frederic Lebel on 2017-01-19
This bug affects 1 person
Affects: mysql-5.7 (Ubuntu)
Importance: Medium
Assigned to: Unassigned

Bug Description

The /var/log/mysql directory on Ubuntu 16.04 now has 755 permissions with mysql:adm. When we set up the slow query log at /var/log/mysql/slow.log, it gets the mysql:mysql user/group instead of mysql:adm.

Then the users in the adm group cannot read the log without using root privileges.

Are there any reasons why this has been removed in 16.04: chmod 2750 /var/log/mysql?

In Ubuntu 14.04:
flebel@opval-ix:~/tmp/debian-5.5_5.5.54-0ubuntu0.14.04.1$ fgrep -R "logdir" *
mysql-server-5.5.postinst: mysql_logdir=/var/log
mysql-server-5.5.postinst: mysql_newlogdir=/var/log/mysql
mysql-server-5.5.postinst: if [ "$dir" = "DATADIR" ]; then targetdir=$mysql_statedir; else targetdir=$mysql_newlogdir; fi
mysql-server-5.5.postinst: if [ ! -d "$mysql_newlogdir" -a ! -L "$mysql_newlogdir" ]; then mkdir "$mysql_newlogdir"; fi
mysql-server-5.5.postinst: chown -R mysql:adm $mysql_newlogdir; chmod 2750 $mysql_newlogdir;
mysql-server-5.5.postinst: touch $mysql_logdir/mysql.$i
mysql-server-5.5.postinst: chown mysql:adm $mysql_logdir/mysql.$i
mysql-server-5.5.postinst: chmod 0640 $mysql_logdir/mysql.$i

root@a649df1b275a:/var/log# ls -ald mysql/ mysql/*
drwxr-s--- 2 mysql adm 4 Jan 19 18:35 mysql/
-rw-rw---- 1 mysql adm 7541 Jan 19 18:35 mysql/error.log
-rw-rw---- 1 mysql adm 182 Jan 19 18:35 mysql/slow.log
root@a649df1b275a:/var/log# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 14.04.3 LTS
Release: 14.04
Codename: trusty

In Ubuntu 16.04:
flebel@opval-ix:~/tmp/debian-5.7_5.7.17-0ubuntu0.16.04.1$ fgrep -R "logdir" *
mysql-server-5.7.postinst: mysql_logdir=/var/log/mysql
mysql-server-5.7.postinst: for d in $mysql_statedir $mysql_filesdir $mysql_keyringdir $mysql_logdir
mysql-server-5.7.postinst: touch $mysql_logdir/error.log
mysql-server-5.7.postinst: chown -R mysql:adm $mysql_logdir
mysql-server-5.7.postinst: chmod 0750 $mysql_logdir
mysql-server-5.7.postinst: chmod 0640 $mysql_logdir/error.log

root@0c341d710c6f:/var/log# ls -ald mysql/ mysql/*
drwxr-x--- 2 mysql adm 4 Jan 19 18:36 mysql/
-rw-r----- 1 mysql adm 4271 Jan 19 18:36 mysql/error.log
-rw-r----- 1 mysql mysql 182 Jan 19 18:36 mysql/slow.log
root@0c341d710c6f:/var/log# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.1 LTS
Release: 16.04
Codename: xenial
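The two listings above differ in exactly the property the 14.04 postinst was enforcing: the setgid bit on the directory (drwxr-s---, i.e. 2750), which makes files created there inherit the directory's group, so a log the server opens itself ends up mysql:adm rather than mysql:mysql. The following shell function is an added example, not part of the bug report or of the mysql packaging; it audits a log directory for that bit and for entries whose group differs from the directory's. It assumes GNU stat (as shipped in Ubuntu coreutils), and the function name check_logdir is a hypothetical name chosen here.

```shell
#!/bin/sh
# Added example, not part of the bug report or the mysql packaging.
# Audit a log directory for the layout the 14.04 postinst intended:
# setgid bit on the directory, every entry sharing the directory's group.
# Assumes GNU stat; check_logdir is a hypothetical name for this check.
#
# check_logdir DIR
#   prints each finding and returns 0 only if DIR has the setgid bit and
#   every entry in it shares DIR's group; returns 1 otherwise.
check_logdir() {
    dir=$1
    rc=0
    perms=$(stat -c '%A' "$dir")     # e.g. drwxr-s--- for 2750, drwxr-x--- for 750
    dgroup=$(stat -c '%G' "$dir")    # e.g. adm

    # The 7th character of the symbolic mode is the group-execute slot;
    # 's' (or 'S' when group-execute is off) there means setgid is set.
    case $perms in
        ??????[sS]*) ;;
        *) echo "$dir: mode $perms has no setgid bit (expected drwxr-s---, i.e. 2750)"
           rc=1 ;;
    esac

    # Files created by the server (slow.log in the report) will only carry the
    # directory's group if setgid is set; flag any entry whose group differs.
    for f in "$dir"/*; do
        [ -e "$f" ] || continue      # empty directory leaves the glob unexpanded
        fgroup=$(stat -c '%G' "$f")
        if [ "$fgroup" != "$dgroup" ]; then
            echo "$f: group $fgroup differs from directory group $dgroup"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone usage: sh check_logdir.sh /var/log/mysql
if [ -n "${1:-}" ]; then
    check_logdir "$1"
fi
```

Run against the 16.04 listing above, the check would report both the missing setgid bit on mysql/ and slow.log's mysql group; against the 14.04 listing it reports nothing. It is a read-only check, so it can run from a cron job or a configuration-management verify step after package upgrades, which is where a silent packaging change like this one is usually noticed.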

Hi,
thank you for your report and your help to make Ubuntu better.

I came by trying to triage this bug, but since this more or less starts with a question on the reasoning of changes to mysql packaging "Are there any reasons why this has been removed in 1604 : chmod 2750 /var/log/mysql ?" I subscribed a few people who should know better than me and hopefully can provide an answer.

Looking at the Vcs git that is listed, I see that the change came in with Debian's 5.6.14+dfsg-1.
(https://anonscm.debian.org/git/pkg-mysql/mysql.git)
That means the individual fix is in the past and can't be found in that repo.

But even checking the history of this in git://anonscm.debian.org/pkg-mysql/mysql-5.6.git, this was part of the initial import into git.

I hope that Lars and Robie can help more to explain the reasoning and come to a conclusion.

Robie Basak (racb) on 2017-01-23
Changed in mysql-5.7 (Ubuntu):
importance: Undecided → Medium
Frederic Lebel (flebel) wrote :

The thing is, if logrotate rotates the log file with mysql:adm, it should be the same for the default file created in this directory, especially if we want to use the concept of the adm group in the directory /var/log/mysql for giving privileges to read log files.

This is maybe not a traditional bug, but, by design, the mysql service should create files with mysql:adm like the logrotate profile for mysql, and so on.

Lars Tangvald (lars-tangvald) wrote :

Without the change message (which was before my time), this just looks like an oversight to me. If we can't find out why this was done, my suggestion is just changing it back.
