New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
nixos/mysql: don't run parts of mysqld.service as root #61589
Conversation
cmdWatchForMysqlSocket = '' | ||
# Wait until the MySQL server is available for use | ||
count=0 | ||
while [ ! -e /run/mysqld/mysqld.sock ] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As stated above, I'm not sure whether this is always /run/mysqld
- it doesn't look like this depends on pidDir
.
Ran the |
3d94576
to
4fbad9d
Compare
Splitted the changes into multiple commits as suggested by @aanderse over IRC. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Aside from running as this as a different user the changes are minimal and for the most part compatible.
LGTM 👍
8a81cf5
to
a51ee8b
Compare
a51ee8b
to
8181d2a
Compare
I did some deeper digging into the remaining As we can simply wait for the mysql socket file to appear too, I dropped pidDir, further simplifying the mysql module. Also added release notes for both changes. |
8181d2a
to
6039dab
Compare
Checked on mariadb-galera server- worked. Thanks. |
We need to keep using `RuntimeDirectory=mysqld`, which translates to `/run/mysqld`, as this is used for the location of the file socket, that could differ with what is configured via `cfg.pidDir`.
6039dab
to
44552dd
Compare
define commands like "waiting for the mysql socket to appear" or "setup initial databases" in a let expression, so the main control flow becomes more readable.
As we don't need to setup data directories from ExecStartPre= scripts anymore, which required root, but use systemd.tmpfiles.rules instead, everything can be run as just the mysql user.
mysql already has its socket path hardcoded to to /run/mysqld/mysqld.sock. There's not much value in making the pidDir configurable, which also points to /run/mysqld by default. We only seem to use `services.mysql.pidDir` in the wordpress startup script, to wait for mysql to boot up, but we can also simply wait on the (hardcoded) socket location too. A much nicer way to accomplish that would be to properly describe a dependency on mysqld.service. This however is not easily doable, due to how the apache-httpd module was designed.
44552dd
to
5ea7a3e
Compare
Rebased on latest master, tests still pass. |
@thorstenweber83 we have a nixos test using |
@thorstenweber83 Yes. The part you missed is that I have been meaning to address the overall issue of an insecure |
@aanderse you're right, I use a postStart script to secure access like mysql_secure_installation does and set up socket authentication for root: systemd.services.mysql.postStart = ''
( echo "ALTER USER root@localhost IDENTIFIED WITH unix_socket;"
echo "ALTER USER root@'127.0.0.1' IDENTIFIED WITH unix_socket;"
echo "ALTER USER root@'::1' IDENTIFIED WITH unix_socket;"
echo "DELETE FROM mysql.user WHERE User=''';"
echo "DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');"
echo "DROP DATABASE IF EXISTS test;"
echo "DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%';"
echo "FLUSH PRIVILEGES;"
) | ${mysql}/bin/mysql -u root -N
''; |
@thorstenweber83 I wouldn't have thought that to make sense as |
@aanderse yeah you're right, this is a bit nonsensical. |
Partial revert. I don't have the time/energy to go any further on this at the moment. Important to get this fixed now, though. See 4243732 for proposal. Note that this is based on #63786 which I'll wait to be merged before going ahead with this. ping @flokli and @thorstenweber83 |
Also don't use
RuntimeDirectory=mysqld
, which translates to/run/mysqld
, which iscfg.pidDir
, but only ifcfg.pidDir
isn't setto something else.
Use
systemd.tmpfiles.rules
to createdataDir
andpidDir
, insteadof relying on the deprecated PermissionsStartOnly=yes [0][1] to setup
filesystem structure.
Also group some of the different steps together for better readability.
Motivation for this change
[0] systemd/systemd#10802
[1] #53852
Things done
sandbox
innix.conf
on non-NixOS)nix-shell -p nix-review --run "nix-review wip"
./result/bin/
)nix path-info -S
before and after)