[debian-mysql] Bug#1022994: TMPDIR behaviour in maintainer scripts [was: Re: Bug#1023778: mysql-server-8.0: fails to restart on upgrade with libpam-tmpdir]

Sunil Mohan Adapa sunil at medhas.org
Sun Nov 13 00:35:10 GMT 2022 

On 11/12/22 14:09, Daniel Black wrote:
> So what Fedora does is a prep script called at StartPre on their
> systemd service.
> https://src.fedoraproject.org/rpms/mariadb/blob/rawhide/f/mariadb-prepare-db-dir.sh
> 
> Which even recently was seen as bloated
> (https://lists.launchpad.net/maria-discuss/msg06376.html).
> 
> What could be done is a oneshot
> (https://www.redhat.com/sysadmin/systemd-oneshot-service) service
> before MariaDB/MySQL that does the installation.
> Either installation or startup triggered.
> 
> At least on TMPDIR side, the systemd side PrivateTmp is default
> (https://www.freedesktop.org/software/systemd/man/systemd.exec.html#PrivateTmp=)
> for at least the oneshot service.
> The option for loading files into MariaDB was the only reason this
> wasn't set in the default MariaDB systemd file.

During today's FreedomBox meet, we have discussed that systemd'd 
PrivateTmp= is a better solution than libpam-tmpdir for FreedomBox at 
least as systemd makes a cleaner mount isolation between processes 
instead of managing directories and permissions.

For this reason, we believe that we can stop using libpam-tmpdir if most 
of the daemons on the system use PrivateTmp=yes. For a while now, 
FreedomBox has been forcefully adding systemd security features to 
daemons that don't enable them. Without upstream blessing, we can only 
do this for smaller applications than something like MariaDB/MySQL due 
the testing effort needed.

> 
> How User= systemd directives work with lbpam-tmpdir I'm not sure,
> however without a setuid there shouldn't be an invalid TMPDIR env
> variable there.

libpam-tmpdir does not seem to effect systemd's process execution. See 
the following session on system with libpam-tmpdir installed:

$ sudo --user mysql /usr/bin/bash -c 'echo TMPDIR=$TMPDIR'
TMPDIR=/tmp/user/119

$ sudo systemd-run --pipe --uid=mysql /usr/bin/bash -c 'echo TMPDIR=$TMPDIR'
Running as unit: run-u30.service
TMPDIR=

$ sudo systemd-run --pipe --property=PrivateTmp=yes --uid=mysql 
/usr/bin/bash -c 'echo TMPDIR=$TMPDIR'
Running as unit: run-u31.service
TMPDIR=

-- 
Sunil
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0x36C361440C9BC971.asc
Type: application/pgp-keys
Size: 19153 bytes
Desc: OpenPGP public key
URL: <http://alioth-lists.debian.net/pipermail/pkg-mysql-maint/attachments/20221112/2ac27b95/attachment-0003.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://alioth-lists.debian.net/pipermail/pkg-mysql-maint/attachments/20221112/2ac27b95/attachment-0003.sig>

More information about the pkg-mysql-maint mailing list