Commit 7cb79a65 authored by Arun Kuruvila's avatar Arun Kuruvila Committed by Nawaz Nazeer Ahamed

Bug#24707666: DEFAULT SETTING FOR SECURE-FILE-PRIV SHOULD BE

              RESTRICTED IN ALL GA RELEASES

Back port of WL#6782 to 5.5 and 5.6. This also includes
back port of Bug#20771331, Bug#20741572 and Bug#20770671.
Bug#24695274 and Bug#24679907 are also handled along with
this.
parent 7679f5f6
# Copyright (c) 2010, 2012, Oracle and/or its affiliates. All rights reserved. # Copyright (c) 2010, 2016, Oracle and/or its affiliates. All rights reserved.
# #
# This program is free software; you can redistribute it and/or modify # This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by # it under the terms of the GNU General Public License as published by
...@@ -22,7 +22,7 @@ ...@@ -22,7 +22,7 @@
# and relative links. Windows zip uses the same tarball layout but without # and relative links. Windows zip uses the same tarball layout but without
# the build prefix. # the build prefix.
# #
# RPM # RPM, SLES
# Build as per default RPM layout, with prefix=/usr # Build as per default RPM layout, with prefix=/usr
# Note: The layout for ULN RPMs differs, see the "RPM" section. # Note: The layout for ULN RPMs differs, see the "RPM" section.
# #
...@@ -32,10 +32,22 @@ ...@@ -32,10 +32,22 @@
# SVR4 # SVR4
# Solaris package layout suitable for pkg* tools, prefix=/opt/mysql/mysql # Solaris package layout suitable for pkg* tools, prefix=/opt/mysql/mysql
# #
# FREEBSD, GLIBC, OSX, TARGZ
# Build with prefix=/usr/local/mysql, create tarball with install prefix="."
# and relative links.
#
# WIN
# Windows zip : same as tarball layout but without the build prefix
#
# To force a directory layout, use -DINSTALL_LAYOUT=<layout>. # To force a directory layout, use -DINSTALL_LAYOUT=<layout>.
# #
# The default is STANDALONE. # The default is STANDALONE.
# #
# Note : At present, RPM and SLES layouts are similar. This is also true
# for layouts like FREEBSD, GLIBC, OSX, TARGZ. However, they provide
# opportunity to fine-tune deployment for each platform without
# affecting all other types of deployment.
#
# There is the possibility to further fine-tune installation directories. # There is the possibility to further fine-tune installation directories.
# Several variables can be overwritten: # Several variables can be overwritten:
# #
...@@ -60,6 +72,7 @@ ...@@ -60,6 +72,7 @@
# - INSTALL_SUPPORTFILESDIR (various extra support files) # - INSTALL_SUPPORTFILESDIR (various extra support files)
# #
# - INSTALL_MYSQLDATADIR (data directory) # - INSTALL_MYSQLDATADIR (data directory)
# - INSTALL_SECURE_FILE_PRIVDIR (--secure-file-priv directory)
# #
# When changing this page, _please_ do not forget to update public Wiki # When changing this page, _please_ do not forget to update public Wiki
# http://forge.mysql.com/wiki/CMake#Fine-tuning_installation_paths # http://forge.mysql.com/wiki/CMake#Fine-tuning_installation_paths
...@@ -69,10 +82,11 @@ IF(NOT INSTALL_LAYOUT) ...@@ -69,10 +82,11 @@ IF(NOT INSTALL_LAYOUT)
ENDIF() ENDIF()
SET(INSTALL_LAYOUT "${DEFAULT_INSTALL_LAYOUT}" SET(INSTALL_LAYOUT "${DEFAULT_INSTALL_LAYOUT}"
CACHE STRING "Installation directory layout. Options are: STANDALONE (as in zip or tar.gz installer), RPM, DEB, SVR4") CACHE STRING "Installation directory layout. Options are: TARGZ (as in tar.gz installer), WIN (as in zip installer), STANDALONE, RPM, DEB, SVR4, FREEBSD, GLIBC, OSX, SLES")
IF(UNIX) IF(UNIX)
IF(INSTALL_LAYOUT MATCHES "RPM") IF(INSTALL_LAYOUT MATCHES "RPM" OR
INSTALL_LAYOUT MATCHES "SLES")
SET(default_prefix "/usr") SET(default_prefix "/usr")
ELSEIF(INSTALL_LAYOUT MATCHES "DEB") ELSEIF(INSTALL_LAYOUT MATCHES "DEB")
SET(default_prefix "/opt/mysql/server-${MYSQL_BASE_VERSION}") SET(default_prefix "/opt/mysql/server-${MYSQL_BASE_VERSION}")
...@@ -87,7 +101,7 @@ IF(UNIX) ...@@ -87,7 +101,7 @@ IF(UNIX)
SET(CMAKE_INSTALL_PREFIX ${default_prefix} SET(CMAKE_INSTALL_PREFIX ${default_prefix}
CACHE PATH "install prefix" FORCE) CACHE PATH "install prefix" FORCE)
ENDIF() ENDIF()
SET(VALID_INSTALL_LAYOUTS "RPM" "STANDALONE" "DEB" "SVR4") SET(VALID_INSTALL_LAYOUTS "RPM" "DEB" "SVR4" "FREEBSD" "GLIBC" "OSX" "TARGZ" "SLES" "STANDALONE")
LIST(FIND VALID_INSTALL_LAYOUTS "${INSTALL_LAYOUT}" ind) LIST(FIND VALID_INSTALL_LAYOUTS "${INSTALL_LAYOUT}" ind)
IF(ind EQUAL -1) IF(ind EQUAL -1)
MESSAGE(FATAL_ERROR "Invalid INSTALL_LAYOUT parameter:${INSTALL_LAYOUT}." MESSAGE(FATAL_ERROR "Invalid INSTALL_LAYOUT parameter:${INSTALL_LAYOUT}."
...@@ -99,6 +113,15 @@ IF(UNIX) ...@@ -99,6 +113,15 @@ IF(UNIX)
MARK_AS_ADVANCED(SYSCONFDIR) MARK_AS_ADVANCED(SYSCONFDIR)
ENDIF() ENDIF()
IF(WIN32)
SET(VALID_INSTALL_LAYOUTS "TARGZ" "STANDALONE" "WIN")
LIST(FIND VALID_INSTALL_LAYOUTS "${INSTALL_LAYOUT}" ind)
IF(ind EQUAL -1)
MESSAGE(FATAL_ERROR "Invalid INSTALL_LAYOUT parameter:${INSTALL_LAYOUT}."
" Choose between ${VALID_INSTALL_LAYOUTS}" )
ENDIF()
ENDIF()
# #
# plugin_tests's value should not be used by imported plugins, # plugin_tests's value should not be used by imported plugins,
# just use if(INSTALL_PLUGINTESTDIR). # just use if(INSTALL_PLUGINTESTDIR).
...@@ -109,6 +132,22 @@ FILE(GLOB plugin_tests ...@@ -109,6 +132,22 @@ FILE(GLOB plugin_tests
${CMAKE_SOURCE_DIR}/internal/plugin/*/tests ${CMAKE_SOURCE_DIR}/internal/plugin/*/tests
) )
#
# DEFAULT_SECURE_FILE_PRIV_DIR/DEFAULT_SECURE_FILE_PRIV_EMBEDDED_DIR
#
IF(INSTALL_LAYOUT MATCHES "STANDALONE" OR
INSTALL_LAYOUT MATCHES "WIN")
SET(secure_file_priv_path "NULL")
ELSEIF(INSTALL_LAYOUT MATCHES "RPM" OR
INSTALL_LAYOUT MATCHES "SLES" OR
INSTALL_LAYOUT MATCHES "SVR4" OR
INSTALL_LAYOUT MATCHES "DEB")
SET(secure_file_priv_path "/var/lib/mysql-files")
ELSE()
SET(secure_file_priv_path "${default_prefix}/mysql-files")
ENDIF()
SET(secure_file_priv_embedded_path "NULL")
# #
# STANDALONE layout # STANDALONE layout
# #
...@@ -134,6 +173,148 @@ SET(INSTALL_SUPPORTFILESDIR_STANDALONE "support-files") ...@@ -134,6 +173,148 @@ SET(INSTALL_SUPPORTFILESDIR_STANDALONE "support-files")
# #
SET(INSTALL_MYSQLDATADIR_STANDALONE "data") SET(INSTALL_MYSQLDATADIR_STANDALONE "data")
SET(INSTALL_PLUGINTESTDIR_STANDALONE ${plugin_tests}) SET(INSTALL_PLUGINTESTDIR_STANDALONE ${plugin_tests})
SET(INSTALL_SECURE_FILE_PRIVDIR_STANDALONE ${secure_file_priv_path})
SET(INSTALL_SECURE_FILE_PRIV_EMBEDDEDDIR_STANDALONE ${secure_file_priv_embedded_path})
#
# WIN layout
#
SET(INSTALL_BINDIR_WIN "bin")
SET(INSTALL_SBINDIR_WIN "bin")
SET(INSTALL_SCRIPTDIR_WIN "scripts")
#
SET(INSTALL_LIBDIR_WIN "lib")
SET(INSTALL_PLUGINDIR_WIN "lib/plugin")
#
SET(INSTALL_INCLUDEDIR_WIN "include")
#
SET(INSTALL_DOCDIR_WIN "docs")
SET(INSTALL_DOCREADMEDIR_WIN ".")
SET(INSTALL_MANDIR_WIN "man")
SET(INSTALL_INFODIR_WIN "docs")
#
SET(INSTALL_SHAREDIR_WIN "share")
SET(INSTALL_MYSQLSHAREDIR_WIN "share")
SET(INSTALL_MYSQLTESTDIR_WIN "mysql-test")
SET(INSTALL_SQLBENCHDIR_WIN ".")
SET(INSTALL_SUPPORTFILESDIR_WIN "support-files")
#
SET(INSTALL_MYSQLDATADIR_WIN "data")
SET(INSTALL_PLUGINTESTDIR_WIN ${plugin_tests})
SET(INSTALL_SECURE_FILE_PRIVDIR_WIN ${secure_file_priv_path})
SET(INSTALL_SECURE_FILE_PRIV_EMBEDDEDDIR_WIN ${secure_file_priv_embedded_path})
#
# FREEBSD layout
#
SET(INSTALL_BINDIR_FREEBSD "bin")
SET(INSTALL_SBINDIR_FREEBSD "bin")
SET(INSTALL_SCRIPTDIR_FREEBSD "scripts")
#
SET(INSTALL_LIBDIR_FREEBSD "lib")
SET(INSTALL_PLUGINDIR_FREEBSD "lib/plugin")
#
SET(INSTALL_INCLUDEDIR_FREEBSD "include")
#
SET(INSTALL_DOCDIR_FREEBSD "docs")
SET(INSTALL_DOCREADMEDIR_FREEBSD ".")
SET(INSTALL_MANDIR_FREEBSD "man")
SET(INSTALL_INFODIR_FREEBSD "docs")
#
SET(INSTALL_SHAREDIR_FREEBSD "share")
SET(INSTALL_MYSQLSHAREDIR_FREEBSD "share")
SET(INSTALL_MYSQLTESTDIR_FREEBSD "mysql-test")
SET(INSTALL_SQLBENCHDIR_FREEBSD ".")
SET(INSTALL_SUPPORTFILESDIR_FREEBSD "support-files")
#
SET(INSTALL_MYSQLDATADIR_FREEBSD "data")
SET(INSTALL_PLUGINTESTDIR_FREEBSD ${plugin_tests})
SET(INSTALL_SECURE_FILE_PRIVDIR_FREEBSD ${secure_file_priv_path})
SET(INSTALL_SECURE_FILE_PRIV_EMBEDDEDDIR_FREEBSD ${secure_file_priv_embedded_path})
#
# GLIBC layout
#
SET(INSTALL_BINDIR_GLIBC "bin")
SET(INSTALL_SBINDIR_GLIBC "bin")
SET(INSTALL_SCRIPTDIR_GLIBC "scripts")
#
SET(INSTALL_LIBDIR_GLIBC "lib")
SET(INSTALL_PLUGINDIR_GLIBC "lib/plugin")
#
SET(INSTALL_INCLUDEDIR_GLIBC "include")
#
SET(INSTALL_DOCDIR_GLIBC "docs")
SET(INSTALL_DOCREADMEDIR_GLIBC ".")
SET(INSTALL_MANDIR_GLIBC "man")
SET(INSTALL_INFODIR_GLIBC "docs")
#
SET(INSTALL_SHAREDIR_GLIBC "share")
SET(INSTALL_MYSQLSHAREDIR_GLIBC "share")
SET(INSTALL_MYSQLTESTDIR_GLIBC "mysql-test")
SET(INSTALL_SQLBENCHDIR_GLIBC ".")
SET(INSTALL_SUPPORTFILESDIR_GLIBC "support-files")
#
SET(INSTALL_MYSQLDATADIR_GLIBC "data")
SET(INSTALL_PLUGINTESTDIR_GLIBC ${plugin_tests})
SET(INSTALL_SECURE_FILE_PRIVDIR_GLIBC ${secure_file_priv_path})
SET(INSTALL_SECURE_FILE_PRIV_EMBEDDEDDIR_GLIBC ${secure_file_priv_embedded_path})
#
# OSX layout
#
SET(INSTALL_BINDIR_OSX "bin")
SET(INSTALL_SBINDIR_OSX "bin")
SET(INSTALL_SCRIPTDIR_OSX "scripts")
#
SET(INSTALL_LIBDIR_OSX "lib")
SET(INSTALL_PLUGINDIR_OSX "lib/plugin")
#
SET(INSTALL_INCLUDEDIR_OSX "include")
#
SET(INSTALL_DOCDIR_OSX "docs")
SET(INSTALL_DOCREADMEDIR_OSX ".")
SET(INSTALL_MANDIR_OSX "man")
SET(INSTALL_INFODIR_OSX "docs")
#
SET(INSTALL_SHAREDIR_OSX "share")
SET(INSTALL_MYSQLSHAREDIR_OSX "share")
SET(INSTALL_MYSQLTESTDIR_OSX "mysql-test")
SET(INSTALL_SQLBENCHDIR_OSX ".")
SET(INSTALL_SUPPORTFILESDIR_OSX "support-files")
#
SET(INSTALL_MYSQLDATADIR_OSX "data")
SET(INSTALL_PLUGINTESTDIR_OSX ${plugin_tests})
SET(INSTALL_SECURE_FILE_PRIVDIR_OSX ${secure_file_priv_path})
SET(INSTALL_SECURE_FILE_PRIV_EMBEDDEDDIR_OSX ${secure_file_priv_embedded_path})
#
# TARGZ layout
#
SET(INSTALL_BINDIR_TARGZ "bin")
SET(INSTALL_SBINDIR_TARGZ "bin")
SET(INSTALL_SCRIPTDIR_TARGZ "scripts")
#
SET(INSTALL_LIBDIR_TARGZ "lib")
SET(INSTALL_PLUGINDIR_TARGZ "lib/plugin")
#
SET(INSTALL_INCLUDEDIR_TARGZ "include")
#
SET(INSTALL_DOCDIR_TARGZ "docs")
SET(INSTALL_DOCREADMEDIR_TARGZ ".")
SET(INSTALL_MANDIR_TARGZ "man")
SET(INSTALL_INFODIR_TARGZ "docs")
#
SET(INSTALL_SHAREDIR_TARGZ "share")
SET(INSTALL_MYSQLSHAREDIR_TARGZ "share")
SET(INSTALL_MYSQLTESTDIR_TARGZ "mysql-test")
SET(INSTALL_SQLBENCHDIR_TARGZ ".")
SET(INSTALL_SUPPORTFILESDIR_TARGZ "support-files")
#
SET(INSTALL_MYSQLDATADIR_TARGZ "data")
SET(INSTALL_PLUGINTESTDIR_TARGZ ${plugin_tests})
SET(INSTALL_SECURE_FILE_PRIVDIR_TARGZ ${secure_file_priv_path})
SET(INSTALL_SECURE_FILE_PRIV_EMBEDDEDDIR_TARGZ ${secure_file_priv_embedded_path})
# #
# RPM layout # RPM layout
...@@ -169,6 +350,41 @@ SET(INSTALL_SUPPORTFILESDIR_RPM "share/mysql") ...@@ -169,6 +350,41 @@ SET(INSTALL_SUPPORTFILESDIR_RPM "share/mysql")
# #
SET(INSTALL_MYSQLDATADIR_RPM "/var/lib/mysql") SET(INSTALL_MYSQLDATADIR_RPM "/var/lib/mysql")
SET(INSTALL_PLUGINTESTDIR_RPM ${plugin_tests}) SET(INSTALL_PLUGINTESTDIR_RPM ${plugin_tests})
SET(INSTALL_SECURE_FILE_PRIVDIR_RPM ${secure_file_priv_path})
SET(INSTALL_SECURE_FILE_PRIV_EMBEDDEDDIR_RPM ${secure_file_priv_embedded_path})
#
# SLES layout
#
SET(INSTALL_BINDIR_SLES "bin")
SET(INSTALL_SBINDIR_SLES "sbin")
SET(INSTALL_SCRIPTDIR_SLES "bin")
#
IF(CMAKE_SYSTEM_PROCESSOR MATCHES "x86_64")
SET(INSTALL_LIBDIR_SLES "lib64")
SET(INSTALL_PLUGINDIR_SLES "lib64/mysql/plugin")
ELSE()
SET(INSTALL_LIBDIR_SLES "lib")
SET(INSTALL_PLUGINDIR_SLES "lib/mysql/plugin")
ENDIF()
#
SET(INSTALL_INCLUDEDIR_SLES "include/mysql")
#
#SET(INSTALL_DOCDIR_SLES unset - installed directly by SLES)
#SET(INSTALL_DOCREADMEDIR_SLES unset - installed directly by SLES)
SET(INSTALL_INFODIR_SLES "share/info")
SET(INSTALL_MANDIR_SLES "share/man")
#
SET(INSTALL_SHAREDIR_SLES "share")
SET(INSTALL_MYSQLSHAREDIR_SLES "share/mysql")
SET(INSTALL_MYSQLTESTDIR_SLES "share/mysql-test")
SET(INSTALL_SQLBENCHDIR_SLES "")
SET(INSTALL_SUPPORTFILESDIR_SLES "share/mysql")
#
SET(INSTALL_MYSQLDATADIR_SLES "/var/lib/mysql")
SET(INSTALL_PLUGINTESTDIR_SLES ${plugin_tests})
SET(INSTALL_SECURE_FILE_PRIVDIR_SLES ${secure_file_priv_path})
SET(INSTALL_SECURE_FILE_PRIV_EMBEDDEDDIR_SLES ${secure_file_priv_embedded_path})
# #
# DEB layout # DEB layout
...@@ -193,8 +409,10 @@ SET(INSTALL_MYSQLTESTDIR_DEB "mysql-test") ...@@ -193,8 +409,10 @@ SET(INSTALL_MYSQLTESTDIR_DEB "mysql-test")
SET(INSTALL_SQLBENCHDIR_DEB ".") SET(INSTALL_SQLBENCHDIR_DEB ".")
SET(INSTALL_SUPPORTFILESDIR_DEB "support-files") SET(INSTALL_SUPPORTFILESDIR_DEB "support-files")
# #
SET(INSTALL_MYSQLDATADIR_DEB "data") SET(INSTALL_MYSQLDATADIR_DEB "/var/lib/mysql")
SET(INSTALL_PLUGINTESTDIR_DEB ${plugin_tests}) SET(INSTALL_PLUGINTESTDIR_DEB ${plugin_tests})
SET(INSTALL_SECURE_FILE_PRIVDIR_DEB ${secure_file_priv_path})
SET(INSTALL_SECURE_FILE_PRIV_EMBEDDEDDIR_DEB ${secure_file_priv_embedded_path})
# #
# SVR4 layout # SVR4 layout
...@@ -221,7 +439,8 @@ SET(INSTALL_SUPPORTFILESDIR_SVR4 "support-files") ...@@ -221,7 +439,8 @@ SET(INSTALL_SUPPORTFILESDIR_SVR4 "support-files")
# #
SET(INSTALL_MYSQLDATADIR_SVR4 "/var/lib/mysql") SET(INSTALL_MYSQLDATADIR_SVR4 "/var/lib/mysql")
SET(INSTALL_PLUGINTESTDIR_SVR4 ${plugin_tests}) SET(INSTALL_PLUGINTESTDIR_SVR4 ${plugin_tests})
SET(INSTALL_SECURE_FILE_PRIVDIR_SVR4 ${secure_file_priv_path})
SET(INSTALL_SECURE_FILE_PRIV_EMBEDDEDDIR_SVR4 ${secure_file_priv_embedded_path})
# Clear cached variables if install layout was changed # Clear cached variables if install layout was changed
IF(OLD_INSTALL_LAYOUT) IF(OLD_INSTALL_LAYOUT)
...@@ -235,8 +454,29 @@ SET(OLD_INSTALL_LAYOUT ${INSTALL_LAYOUT} CACHE INTERNAL "") ...@@ -235,8 +454,29 @@ SET(OLD_INSTALL_LAYOUT ${INSTALL_LAYOUT} CACHE INTERNAL "")
# will be defined as ${INSTALL_BINDIR_STANDALONE} by default if STANDALONE # will be defined as ${INSTALL_BINDIR_STANDALONE} by default if STANDALONE
# layout is chosen) # layout is chosen)
FOREACH(var BIN SBIN LIB MYSQLSHARE SHARE PLUGIN INCLUDE SCRIPT DOC MAN FOREACH(var BIN SBIN LIB MYSQLSHARE SHARE PLUGIN INCLUDE SCRIPT DOC MAN
INFO MYSQLTEST SQLBENCH DOCREADME SUPPORTFILES MYSQLDATA PLUGINTEST) INFO MYSQLTEST SQLBENCH DOCREADME SUPPORTFILES MYSQLDATA PLUGINTEST
SECURE_FILE_PRIV SECURE_FILE_PRIV_EMBEDDED)
SET(INSTALL_${var}DIR ${INSTALL_${var}DIR_${INSTALL_LAYOUT}} SET(INSTALL_${var}DIR ${INSTALL_${var}DIR_${INSTALL_LAYOUT}}
CACHE STRING "${var} installation directory" ${FORCE}) CACHE STRING "${var} installation directory" ${FORCE})
MARK_AS_ADVANCED(INSTALL_${var}DIR) MARK_AS_ADVANCED(INSTALL_${var}DIR)
ENDFOREACH() ENDFOREACH()
#
# Set DEFAULT_SECURE_FILE_PRIV_DIR
# This is used as default value for --secure-file-priv
#
IF(INSTALL_SECURE_FILE_PRIVDIR)
SET(DEFAULT_SECURE_FILE_PRIV_DIR "\"${INSTALL_SECURE_FILE_PRIVDIR}\""
CACHE INTERNAL "default --secure-file-priv directory" FORCE)
ELSE()
SET(DEFAULT_SECURE_FILE_PRIV_DIR \"\"
CACHE INTERNAL "default --secure-file-priv directory" FORCE)
ENDIF()
IF(INSTALL_SECURE_FILE_PRIV_EMBEDDEDDIR)
SET(DEFAULT_SECURE_FILE_PRIV_EMBEDDED_DIR "\"${INSTALL_SECURE_FILE_PRIV_EMBEDDEDDIR}\""
CACHE INTERNAL "default --secure-file-priv directory (for embedded library)" FORCE)
ELSE()
SET(DEFAULT_SECURE_FILE_PRIV_EMBEDDED_DIR "NULL"
CACHE INTERNAL "default --secure-file-priv directory (for embedded library)" FORCE)
ENDIF()
...@@ -624,4 +624,8 @@ ...@@ -624,4 +624,8 @@
#cmakedefine SIZEOF_TIME_T @SIZEOF_TIME_T@ #cmakedefine SIZEOF_TIME_T @SIZEOF_TIME_T@
#cmakedefine TIME_T_UNSIGNED @TIME_T_UNSIGNED@ #cmakedefine TIME_T_UNSIGNED @TIME_T_UNSIGNED@
/* For --secure-file-priv */
#cmakedefine DEFAULT_SECURE_FILE_PRIV_DIR @DEFAULT_SECURE_FILE_PRIV_DIR@
#cmakedefine DEFAULT_SECURE_FILE_PRIV_EMBEDDED_DIR @DEFAULT_SECURE_FILE_PRIV_EMBEDDED_DIR@
#endif #endif
-- Copyright (c) 2008, 2011, Oracle and/or its affiliates. All rights reserved. -- Copyright (c) 2008, 2016, Oracle and/or its affiliates. All rights reserved.
-- --
-- This program is free software; you can redistribute it and/or modify -- This program is free software; you can redistribute it and/or modify
-- it under the terms of the GNU General Public License as published by -- it under the terms of the GNU General Public License as published by
...@@ -204,6 +204,11 @@ INSERT INTO global_suppressions VALUES ...@@ -204,6 +204,11 @@ INSERT INTO global_suppressions VALUES
*/ */
("Found lock of type 6 that is write and read locked"), ("Found lock of type 6 that is write and read locked"),
/*
Warnings related to --secure-file-priv
*/
("Insecure configuration for --secure-file-priv:*"),
("THE_LAST_SUPPRESSION")|| ("THE_LAST_SUPPRESSION")||
......
...@@ -18,7 +18,8 @@ perl; ...@@ -18,7 +18,8 @@ perl;
# their paths may vary: # their paths may vary:
@skipvars=qw/basedir open-files-limit general-log-file log plugin-dir @skipvars=qw/basedir open-files-limit general-log-file log plugin-dir
log-slow-queries pid-file slow-query-log-file log-slow-queries pid-file slow-query-log-file
datadir slave-load-tmpdir tmpdir socket/; datadir slave-load-tmpdir tmpdir socket
secure-file-priv/;
# Plugins which may or may not be there: # Plugins which may or may not be there:
@plugins=qw/innodb ndb archive blackhole federated partition ndbcluster debug temp-pool ssl des-key-file @plugins=qw/innodb ndb archive blackhole federated partition ndbcluster debug temp-pool ssl des-key-file
......
#!/usr/bin/perl #!/usr/bin/perl
# -*- cperl -*- # -*- cperl -*-
# Copyright (c) 2004, 2015, Oracle and/or its affiliates. All rights reserved. # Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.
# #
# This program is free software; you can redistribute it and/or modify # This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by # it under the terms of the GNU General Public License as published by
...@@ -1823,6 +1823,7 @@ sub collect_mysqld_features { ...@@ -1823,6 +1823,7 @@ sub collect_mysqld_features {
mtr_init_args(\$args); mtr_init_args(\$args);
mtr_add_arg($args, "--no-defaults"); mtr_add_arg($args, "--no-defaults");
mtr_add_arg($args, "--datadir=%s", mixed_path($tmpdir)); mtr_add_arg($args, "--datadir=%s", mixed_path($tmpdir));
mtr_add_arg($args, "--secure-file-priv=\"\"");
mtr_add_arg($args, "--lc-messages-dir=%s", $path_language); mtr_add_arg($args, "--lc-messages-dir=%s", $path_language);
mtr_add_arg($args, "--skip-grant-tables"); mtr_add_arg($args, "--skip-grant-tables");
mtr_add_arg($args, "--verbose"); mtr_add_arg($args, "--verbose");
...@@ -3297,6 +3298,7 @@ sub mysql_install_db { ...@@ -3297,6 +3298,7 @@ sub mysql_install_db {
mtr_add_arg($args, "--loose-skip-falcon"); mtr_add_arg($args, "--loose-skip-falcon");
mtr_add_arg($args, "--loose-skip-ndbcluster"); mtr_add_arg($args, "--loose-skip-ndbcluster");
mtr_add_arg($args, "--tmpdir=%s", "$opt_vardir/tmp/"); mtr_add_arg($args, "--tmpdir=%s", "$opt_vardir/tmp/");
mtr_add_arg($args, "--secure-file-priv=%s", "$opt_vardir");
mtr_add_arg($args, "--core-file"); mtr_add_arg($args, "--core-file");
if ( $opt_debug ) if ( $opt_debug )
......
...@@ -923,7 +923,6 @@ report-user (No default value) ...@@ -923,7 +923,6 @@ report-user (No default value)
rpl-recovery-rank 0 rpl-recovery-rank 0
safe-user-create FALSE safe-user-create FALSE
secure-auth FALSE secure-auth FALSE
secure-file-priv (No default value)
server-id 0 server-id 0
show-slave-auth-info FALSE show-slave-auth-info FALSE
skip-grant-tables TRUE skip-grant-tables TRUE
......
...@@ -931,7 +931,6 @@ report-user (No default value) ...@@ -931,7 +931,6 @@ report-user (No default value)
rpl-recovery-rank 0 rpl-recovery-rank 0
safe-user-create FALSE safe-user-create FALSE
secure-auth FALSE secure-auth FALSE
secure-file-priv (No default value)
server-id 0 server-id 0
shared-memory FALSE shared-memory FALSE
shared-memory-base-name MYSQL shared-memory-base-name MYSQL
......
#-----------------------------------------------------------------------
# Setup
# Try to restart server with invalid value for --secure-file-priv
# Search for : Failed to access directory for --secure-file-priv.
# Restart completed.
# Restart
#-----------------------------------------------------------------------
#-----------------------------------------------------------------------
# Setup
#-----------------------------------------------------------------------
# Search for : --secure-file-priv is set to NULL. Operations
# related to importing and exporting data are
# disabled
show variables like 'secure_file_priv';
Variable_name Value
secure_file_priv null
use test;
drop table if exists secure_file_priv_test_null;
create table secure_file_priv_test_null(c1 int);
insert into secure_file_priv_test_null values (1), (2), (3), (4);
select * from secure_file_priv_test_null into outfile 'blah';
ERROR HY000: The MySQL server is running with the --secure-file-priv option so it cannot execute this statement
select * from secure_file_priv_test_null into outfile 'null/blah';
ERROR HY000: The MySQL server is running with the --secure-file-priv option so it cannot execute this statement
drop table secure_file_priv_test_null;
#-----------------------------------------------------------------------
# Clean-up
#-----------------------------------------------------------------------
#-----------------------------------------------------------------------
# Setup
#-----------------------------------------------------------------------
# Search for : Insecure configuration for --secure-file-priv: Current
# value does not restrict location of generated files.
# Consider setting it to a valid, non-empty path.
SHOW VARIABLES LIKE 'secure_file_priv';
Variable_name Value
secure_file_priv
#-----------------------------------------------------------------------
# Restart completed.
# Search for : Insecure configuration for --secure-file-priv: Plugin
# directory is accessible through --secure-file-priv.
# Consider choosing a different directory.
#-----------------------------------------------------------------------
# Clean-up
#-----------------------------------------------------------------------
#-----------------------------------------------------------------------
# Search for : Insecure configuration for --secure-file-priv: Data
# directory is accessible through --secure-file-priv.
# Consider choosing a different directory.
#-----------------------------------------------------------------------
# Search for : Insecure configuration for --secure-file-priv: Location
# is accessible to all OS users. Consider choosing a
# different directory.
#-----------------------------------------------------------------------
#-----------------------------------------------------------------------
# Test 2 : Restarting mysqld with :
# --secure-file-priv=MYSQLTEST_VARDIR/mysqld.1/Data
# Restart completed.
# Search for : Insecure configuration for --secure-file-priv: Data
# directory is accessible through --secure-file-priv.
# Consider choosing a different directory.
#-----------------------------------------------------------------------
--source include/no_valgrind_without_big.inc
--source include/not_embedded.inc
--echo #-----------------------------------------------------------------------
--echo # Setup
let restart_log= $MYSQLTEST_VARDIR/log/my_restart.err;
let SEARCH_FILE= $restart_log;
let $restart_file= $MYSQLTEST_VARDIR/tmp/mysqld.1.expect;
--echo # Try to restart server with invalid value for --secure-file-priv
--exec echo "wait" > $restart_file
--shutdown_server
--source include/wait_until_disconnected.inc
--error 0,1
--remove_file $restart_log
# Following should fail
--error 1
--exec $MYSQLD_CMD --secure-file-priv=blahblahblah --loose-console > $restart_log 2>&1
--echo # Search for : Failed to access directory for --secure-file-priv.
let SEARCH_PATTERN= Failed to access directory for --secure-file-priv;
--source include/search_pattern_in_file.inc
--remove_file $restart_log
--source include/wait_until_disconnected.inc
# Dummy argument for restart
--exec echo "restart:" > $MYSQLTEST_VARDIR/tmp/mysqld.1.expect
--enable_reconnect
--source include/wait_until_connected_again.inc
--disable_reconnect
--echo # Restart completed.
--echo # Restart
--disable_warnings
--source include/force_restart.inc
--enable_warnings
--echo #-----------------------------------------------------------------------
--source include/no_valgrind_without_big.inc
--source include/not_embedded.inc
--echo #-----------------------------------------------------------------------
--echo # Setup
let server_log= $MYSQLTEST_VARDIR/log/mysqld.1.err;
let SEARCH_FILE= $server_log;
let $restart_file= $MYSQLTEST_VARDIR/tmp/mysqld.1.expect;
--echo #-----------------------------------------------------------------------
--echo # Search for : --secure-file-priv is set to NULL. Operations
--echo # related to importing and exporting data are
--echo # disabled
let SEARCH_PATTERN= --secure-file-priv is set to NULL. Operations related to importing and exporting data are disabled;
--source include/search_pattern_in_file.inc
connect(test4_con,localhost,root,,,,,);
show variables like 'secure_file_priv';
use test;
--disable_warnings
drop table if exists secure_file_priv_test_null;
--enable_warnings
create table secure_file_priv_test_null(c1 int);
insert into secure_file_priv_test_null values (1), (2), (3), (4);
--error 1290
select * from secure_file_priv_test_null into outfile 'blah';
--error 1290
select * from secure_file_priv_test_null into outfile 'null/blah';
drop table secure_file_priv_test_null;
connection default;
disconnect test4_con;
--echo #-----------------------------------------------------------------------
--echo # Clean-up
--disable_warnings
--source include/force_restart.inc
--enable_warnings
--echo #-----------------------------------------------------------------------
--source include/no_valgrind_without_big.inc
--source include/not_embedded.inc
--echo #-----------------------------------------------------------------------
--echo # Setup
let server_log= $MYSQLTEST_VARDIR/log/mysqld.1.err;
let SEARCH_FILE= $server_log;
let $restart_file= $MYSQLTEST_VARDIR/tmp/mysqld.1.expect;
let PLUGIN_DIR= $MYSQLTEST_VARDIR/tmp;
--echo #-----------------------------------------------------------------------
--echo # Search for : Insecure configuration for --secure-file-priv: Current
--echo # value does not restrict location of generated files.
--echo # Consider setting it to a valid, non-empty path.
let SEARCH_PATTERN= Insecure configuration for --secure-file-priv: Current value does not restrict location of generated files. Consider setting it to a valid, non-empty path.;
--source include/search_pattern_in_file.inc
# Must show empty string
SHOW VARIABLES LIKE 'secure_file_priv';
--echo #-----------------------------------------------------------------------
let $restart_file= $MYSQLTEST_VARDIR/tmp/mysqld.1.expect;
--exec echo "wait" > $restart_file
--shutdown_server
--source include/wait_until_disconnected.inc
--remove_file $server_log
--exec echo "restart:--plugin-dir=$PLUGIN_DIR --secure-file-priv=$PLUGIN_DIR" > $MYSQLTEST_VARDIR/tmp/mysqld.1.expect
--enable_reconnect
--source include/wait_until_connected_again.inc
--disable_reconnect
--echo # Restart completed.
--echo # Search for : Insecure configuration for --secure-file-priv: Plugin
--echo # directory is accessible through --secure-file-priv.
--echo # Consider choosing a different directory.
let SEARCH_PATTERN= Insecure configuration for --secure-file-priv: Plugin directory is accessible through --secure-file-priv. Consider choosing a different directory.;
--source include/search_pattern_in_file.inc
--echo #-----------------------------------------------------------------------
--echo # Clean-up
--disable_warnings
--source include/force_restart.inc
--enable_warnings
--echo #-----------------------------------------------------------------------
--source include/no_valgrind_without_big.inc
--source include/not_windows.inc
--source include/not_embedded.inc
let server_log= $MYSQLTEST_VARDIR/log/mysqld.1.err;
let SEARCH_FILE= $server_log;
--echo #-----------------------------------------------------------------------
--echo # Search for : Insecure configuration for --secure-file-priv: Data
--echo # directory is accessible through --secure-file-priv.
--echo # Consider choosing a different directory.
let SEARCH_PATTERN= Insecure configuration for --secure-file-priv: Data directory is accessible through --secure-file-priv. Consider choosing a different directory.;
--source include/search_pattern_in_file.inc
--echo #-----------------------------------------------------------------------
--echo # Search for : Insecure configuration for --secure-file-priv: Location
--echo # is accessible to all OS users. Consider choosing a
--echo # different directory.
let SEARCH_PATTERN= Insecure configuration for --secure-file-priv: Location is accessible to all OS users. Consider choosing a different directory.;
--source include/search_pattern_in_file.inc
--echo #-----------------------------------------------------------------------
--source include/no_valgrind_without_big.inc
--source include/windows.inc
--source include/not_embedded.inc
let server_log= $MYSQLTEST_VARDIR/log/mysqld.1.err;
let SEARCH_FILE= $server_log;
--echo #-----------------------------------------------------------------------
--echo # Test 2 : Restarting mysqld with :
--echo # --secure-file-priv=MYSQLTEST_VARDIR/mysqld.1/Data
let $restart_file= $MYSQLTEST_VARDIR/tmp/mysqld.1.expect;
--exec echo "wait" > $restart_file
--shutdown_server
--source include/wait_until_disconnected.inc
--error 0,1
--remove_file $server_log
--exec echo "restart: --secure-file-priv=$MYSQLTEST_VARDIR/mysqld.1/Data" > $MYSQLTEST_VARDIR/tmp/mysqld.1.expect
--enable_reconnect
--source include/wait_until_connected_again.inc
--disable_reconnect
--echo # Restart completed.
--echo # Search for : Insecure configuration for --secure-file-priv: Data
--echo # directory is accessible through --secure-file-priv.
--echo # Consider choosing a different directory.
let SEARCH_PATTERN= Insecure configuration for --secure-file-priv: Data directory is accessible through --secure-file-priv. Consider choosing a different directory.;
--source include/search_pattern_in_file.inc
--disable_warnings
--source include/force_restart.inc
--enable_warnings
--echo #-----------------------------------------------------------------------
...@@ -30,6 +30,12 @@ install_db () { ...@@ -30,6 +30,12 @@ install_db () {
if [ -x /usr/sbin/restorecon ]; then if [ -x /usr/sbin/restorecon ]; then
/usr/sbin/restorecon "$datadir" /usr/sbin/restorecon "$datadir"
/usr/sbin/restorecon $log /usr/sbin/restorecon $log
for dir in /var/lib/mysql-files ; do
if [ -x /usr/sbin/semanage -a -d /var/lib/mysql -a -d $dir ] ; then
/usr/sbin/semanage fcontext -a -e /var/lib/mysql $dir >/dev/null 2>&1
/sbin/restorecon $dir
fi
done
fi fi
# If special mysql dir is in place, skip db install # If special mysql dir is in place, skip db install
......
...@@ -82,7 +82,15 @@ start(){ ...@@ -82,7 +82,15 @@ start(){
fi fi
chown mysql:mysql "$datadir" chown mysql:mysql "$datadir"
chmod 0755 "$datadir" chmod 0755 "$datadir"
[ -x /sbin/restorecon ] && /sbin/restorecon "$datadir" if [ -x /sbin/restorecon ]; then
/sbin/restorecon "$datadir"
for dir in /var/lib/mysql-files ; do
if [ -x /usr/sbin/semanage -a -d /var/lib/mysql -a -d $dir ] ; then
/usr/sbin/semanage fcontext -a -e /var/lib/mysql $dir >/dev/null 2>&1
/sbin/restorecon $dir
fi
done
fi
# Now create the database # Now create the database
action $"Initializing MySQL database: " /usr/bin/mysql_install_db --rpm --datadir="$datadir" --user=mysql action $"Initializing MySQL database: " /usr/bin/mysql_install_db --rpm --datadir="$datadir" --user=mysql
ret=$? ret=$?
......
...@@ -560,6 +560,7 @@ MBD=$RPM_BUILD_DIR/%{src_dir} ...@@ -560,6 +560,7 @@ MBD=$RPM_BUILD_DIR/%{src_dir}
install -d -m 0755 %{buildroot}%{_datadir}/mysql/SELinux/RHEL4 install -d -m 0755 %{buildroot}%{_datadir}/mysql/SELinux/RHEL4
install -d -m 0755 %{buildroot}/var/lib/mysql install -d -m 0755 %{buildroot}/var/lib/mysql
install -d -m 0755 %{buildroot}/var/run/mysqld install -d -m 0755 %{buildroot}/var/run/mysqld
install -d -m 0750 %{buildroot}/var/lib/mysql-files
# Install all binaries # Install all binaries
cd $MBD/release cd $MBD/release
...@@ -790,6 +791,7 @@ fi ...@@ -790,6 +791,7 @@ fi
%attr(644, root, root) %config(noreplace,missingok) %{_sysconfdir}/logrotate.d/mysql %attr(644, root, root) %config(noreplace,missingok) %{_sysconfdir}/logrotate.d/mysql
%dir %attr(755, mysql, mysql) /var/lib/mysql %dir %attr(755, mysql, mysql) /var/lib/mysql
%dir %attr(755, mysql, mysql) /var/run/mysqld %dir %attr(755, mysql, mysql) /var/run/mysqld
%dir %attr(750, mysql, mysql) /var/lib/mysql-files
%files common %files common
%defattr(-, root, root, -) %defattr(-, root, root, -)
...@@ -916,6 +918,9 @@ fi ...@@ -916,6 +918,9 @@ fi
%endif %endif
%changelog %changelog
* Mon Sep 26 2016 Balasubramanian Kandasamy <balasubramanian.kandasamy@oracle.com> - 5.5.53-1
- Include mysql-files directory
* Tue Jul 05 2016 Balasubramanian Kandasamy <balasubramanian.kandasamy@oracle.com> - 5.5.51-1 * Tue Jul 05 2016 Balasubramanian Kandasamy <balasubramanian.kandasamy@oracle.com> - 5.5.51-1
- Remove mysql_config from client subpackage - Remove mysql_config from client subpackage
......
...@@ -425,6 +425,7 @@ MBD=$RPM_BUILD_DIR/%{src_dir} ...@@ -425,6 +425,7 @@ MBD=$RPM_BUILD_DIR/%{src_dir}
install -d -m 0755 %{buildroot}/var/lib/mysql install -d -m 0755 %{buildroot}/var/lib/mysql
install -d -m 0755 %{buildroot}/var/run/mysql install -d -m 0755 %{buildroot}/var/run/mysql
install -d -m 0750 %{buildroot}/var/log/mysql install -d -m 0750 %{buildroot}/var/log/mysql
install -d -m 0750 %{buildroot}/var/lib/mysql-files
# Install all binaries # Install all binaries
cd $MBD/release cd $MBD/release
...@@ -638,6 +639,7 @@ fi ...@@ -638,6 +639,7 @@ fi
%dir %attr(755, mysql, mysql) /var/lib/mysql %dir %attr(755, mysql, mysql) /var/lib/mysql
%dir %attr(755, mysql, mysql) /var/run/mysql %dir %attr(755, mysql, mysql) /var/run/mysql
%dir %attr(750, mysql, mysql) /var/log/mysql %dir %attr(750, mysql, mysql) /var/log/mysql
%dir %attr(750, mysql, mysql) /var/lib/mysql-files
%files common %files common
%defattr(-, root, root, -) %defattr(-, root, root, -)
...@@ -783,6 +785,9 @@ fi ...@@ -783,6 +785,9 @@ fi
%attr(755, root, root) %{_libdir}/mysql/libmysqld.so %attr(755, root, root) %{_libdir}/mysql/libmysqld.so
%changelog %changelog
* Mon Sep 26 2016 Balasubramanian Kandasamy <balasubramanian.kandasamy@oracle.com> - 5.5.53-1
- Include mysql-files directory
* Tue Sep 29 2015 Balasubramanian Kandasamy <balasubramanian.kandasamy@oracle.com> - 5.5.47-1 * Tue Sep 29 2015 Balasubramanian Kandasamy <balasubramanian.kandasamy@oracle.com> - 5.5.47-1
- Added conflicts to mysql-connector-c-shared dependencies - Added conflicts to mysql-connector-c-shared dependencies
......
#!/bin/sh #!/bin/sh
# #
# Copyright (c) 2008, 2013, Oracle and/or its affiliates. All rights reserved. # Copyright (c) 2008, 2016, Oracle and/or its affiliates. All rights reserved.
# #
# This program is free software; you can redistribute it and/or modify # This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by # it under the terms of the GNU General Public License as published by
...@@ -26,6 +26,7 @@ mygroup=mysql ...@@ -26,6 +26,7 @@ mygroup=mysql
myuser=mysql myuser=mysql
mydatadir=/var/lib/mysql mydatadir=/var/lib/mysql
basedir=@@basedir@@ basedir=@@basedir@@
mysecurefiledir=/var/lib/mysql-files
if [ -n "$BASEDIR" ] ; then if [ -n "$BASEDIR" ] ; then
basedir="$BASEDIR" basedir="$BASEDIR"
...@@ -58,6 +59,11 @@ fi ...@@ -58,6 +59,11 @@ fi
chown -R $myuser:$mygroup $mydatadir chown -R $myuser:$mygroup $mydatadir
# Create securefile directory
[ -d "$mysecurefiledir" ] || mkdir -p -m 770 "$mysecurefiledir" || exit 1
chown -R $myuser:$mygroup $mysecurefiledir
# Solaris patch 119255 (somewhere around revision 42) changes the behaviour # Solaris patch 119255 (somewhere around revision 42) changes the behaviour
# of pkgadd to set TMPDIR internally to a root-owned install directory. This # of pkgadd to set TMPDIR internally to a root-owned install directory. This
# has the unfortunate side effect of breaking running mysql_install_db with # has the unfortunate side effect of breaking running mysql_install_db with
......
...@@ -570,6 +570,7 @@ uint mysql_real_data_home_len, mysql_data_home_len= 1; ...@@ -570,6 +570,7 @@ uint mysql_real_data_home_len, mysql_data_home_len= 1;
uint reg_ext_length; uint reg_ext_length;
const key_map key_map_empty(0); const key_map key_map_empty(0);
key_map key_map_full(0); // Will be initialized later key_map key_map_full(0); // Will be initialized later
char secure_file_real_path[FN_REFLEN];
DATE_TIME_FORMAT global_date_format, global_datetime_format, global_time_format; DATE_TIME_FORMAT global_date_format, global_datetime_format, global_time_format;
Time_zone *default_tz; Time_zone *default_tz;
...@@ -7598,9 +7599,9 @@ bool is_secure_file_path(char *path) ...@@ -7598,9 +7599,9 @@ bool is_secure_file_path(char *path)
char buff1[FN_REFLEN], buff2[FN_REFLEN]; char buff1[FN_REFLEN], buff2[FN_REFLEN];
size_t opt_secure_file_priv_len; size_t opt_secure_file_priv_len;
/* /*
All paths are secure if opt_secure_file_path is 0 All paths are secure if opt_secure_file_priv is 0
*/ */
if (!opt_secure_file_priv) if (!opt_secure_file_priv[0])
return TRUE; return TRUE;
opt_secure_file_priv_len= strlen(opt_secure_file_priv); opt_secure_file_priv_len= strlen(opt_secure_file_priv);
...@@ -7608,6 +7609,9 @@ bool is_secure_file_path(char *path) ...@@ -7608,6 +7609,9 @@ bool is_secure_file_path(char *path)
if (strlen(path) >= FN_REFLEN) if (strlen(path) >= FN_REFLEN)
return FALSE; return FALSE;
if (!my_strcasecmp(system_charset_info, opt_secure_file_priv, "NULL"))
return FALSE;
if (my_realpath(buff1, path, 0)) if (my_realpath(buff1, path, 0))
{ {
/* /*
...@@ -7640,9 +7644,184 @@ bool is_secure_file_path(char *path) ...@@ -7640,9 +7644,184 @@ bool is_secure_file_path(char *path)
} }
/**
check_secure_file_priv_path : Checks path specified through
--secure-file-priv and raises warning in following cases:
1. If path is empty string or NULL and mysqld is not running
with --bootstrap mode.
2. If path can access data directory
3. If path points to a directory which is accessible by
all OS users (non-Windows build only)
It throws error in following cases:
1. If path normalization fails
2. If it can not get stats of the directory
@params NONE
Assumptions :
1. Data directory path has been normalized
2. opt_secure_file_priv has been normalized unless it is set
to "NULL".
@returns Status of validation
@retval true : Validation is successful with/without warnings
@retval false : Validation failed. Error is raised.
*/
bool check_secure_file_priv_path()
{
char datadir_buffer[FN_REFLEN+1]={0};
char plugindir_buffer[FN_REFLEN+1]={0};
char whichdir[20]= {0};
size_t opt_plugindir_len= 0;
size_t opt_datadir_len= 0;
size_t opt_secure_file_priv_len= 0;
bool warn= false;
bool case_insensitive_fs;
#ifndef _WIN32
MY_STAT dir_stat;
#endif
if (!opt_secure_file_priv[0])
{
if (opt_bootstrap)
{
/*
Do not impose --secure-file-priv restriction
in --bootstrap mode
*/
sql_print_information("Ignoring --secure-file-priv value as server is "
"running with --bootstrap.");
}
else
{
sql_print_warning("Insecure configuration for --secure-file-priv: "
"Current value does not restrict location of generated "
"files. Consider setting it to a valid, "
"non-empty path.");
}
return true;
}
/*
Setting --secure-file-priv to NULL would disable
reading/writing from/to file
*/
if(!my_strcasecmp(system_charset_info, opt_secure_file_priv, "NULL"))
{
sql_print_information("--secure-file-priv is set to NULL. "
"Operations related to importing and exporting "
"data are disabled");
return true;
}
/*
Check if --secure-file-priv can access data directory
*/
opt_secure_file_priv_len= strlen(opt_secure_file_priv);
/*
Adds dir seperator at the end.
This is required in subsequent comparison
*/
convert_dirname(datadir_buffer, mysql_unpacked_real_data_home, NullS);
opt_datadir_len= strlen(datadir_buffer);
case_insensitive_fs=
(test_if_case_insensitive(datadir_buffer) == 1);
if (!case_insensitive_fs)
{
if (!strncmp(datadir_buffer, opt_secure_file_priv,
opt_datadir_len < opt_secure_file_priv_len ?
opt_datadir_len : opt_secure_file_priv_len))
{
warn= true;
strcpy(whichdir, "Data directory");
}
}
else
{
if (!files_charset_info->coll->strnncoll(files_charset_info,
(uchar *) datadir_buffer,
opt_datadir_len,
(uchar *) opt_secure_file_priv,
opt_secure_file_priv_len,
TRUE))
{
warn= true;
strcpy(whichdir, "Data directory");
}
}
/*
Don't bother comparing --secure-file-priv with --plugin-dir
if we already have a match against --datadir or
--plugin-dir is not pointing to a valid directory.
*/
if (!warn && !my_realpath(plugindir_buffer, opt_plugin_dir, 0))
{
convert_dirname(plugindir_buffer, plugindir_buffer, NullS);
opt_plugindir_len= strlen(plugindir_buffer);
if (!case_insensitive_fs)
{
if (!strncmp(plugindir_buffer, opt_secure_file_priv,
opt_plugindir_len < opt_secure_file_priv_len ?
opt_plugindir_len : opt_secure_file_priv_len))
{
warn= true;
strcpy(whichdir, "Plugin directory");
}
}
else
{
if (!files_charset_info->coll->strnncoll(files_charset_info,
(uchar *) plugindir_buffer,
opt_plugindir_len,
(uchar *) opt_secure_file_priv,
opt_secure_file_priv_len,
TRUE))
{
warn= true;
strcpy(whichdir, "Plugin directory");
}
}
}
if (warn)
sql_print_warning("Insecure configuration for --secure-file-priv: "
"%s is accessible through "
"--secure-file-priv. Consider choosing a different "
"directory.", whichdir);
#ifndef _WIN32
/*
Check for --secure-file-priv directory's permission
*/
if (!(my_stat(opt_secure_file_priv, &dir_stat, MYF(0))))
{
sql_print_error("Failed to get stat for directory pointed out "
"by --secure-file-priv");
return false;
}
if (dir_stat.st_mode & S_IRWXO)
sql_print_warning("Insecure configuration for --secure-file-priv: "
"Location is accessible to all OS users. "
"Consider choosing a different directory.");
#endif
return true;
}
static int fix_paths(void) static int fix_paths(void)
{ {
char buff[FN_REFLEN],*pos; char buff[FN_REFLEN],*pos;
bool secure_file_priv_nonempty= false;
convert_dirname(mysql_home,mysql_home,NullS); convert_dirname(mysql_home,mysql_home,NullS);
/* Resolve symlinks to allow 'mysql_home' to be a relative symlink */ /* Resolve symlinks to allow 'mysql_home' to be a relative symlink */
my_realpath(mysql_home,mysql_home,MYF(0)); my_realpath(mysql_home,mysql_home,MYF(0));
...@@ -7700,28 +7879,55 @@ static int fix_paths(void) ...@@ -7700,28 +7879,55 @@ static int fix_paths(void)
Convert the secure-file-priv option to system format, allowing Convert the secure-file-priv option to system format, allowing
a quick strcmp to check if read or write is in an allowed dir a quick strcmp to check if read or write is in an allowed dir
*/ */
if (opt_secure_file_priv) if (opt_bootstrap)
opt_secure_file_priv= EMPTY_STR.str;
secure_file_priv_nonempty= opt_secure_file_priv[0] ? true : false;
if (secure_file_priv_nonempty && strlen(opt_secure_file_priv) > FN_REFLEN)
{ {
if (*opt_secure_file_priv == 0) sql_print_warning("Value for --secure-file-priv is longer than maximum "
"limit of %d", FN_REFLEN-1);
return 1;
}
memset(buff, 0, sizeof(buff));
if (secure_file_priv_nonempty &&
my_strcasecmp(system_charset_info, opt_secure_file_priv, "NULL"))
{
int retval= my_realpath(buff, opt_secure_file_priv, MYF(MY_WME));
if (!retval)
{
convert_dirname(secure_file_real_path, buff, NullS);
#ifdef WIN32
MY_DIR *dir= my_dir(secure_file_real_path, MYF(MY_DONT_SORT+MY_WME));
if (!dir)
{ {
my_free(opt_secure_file_priv); retval= 1;
opt_secure_file_priv= 0;
} }
else else
{ {
if (strlen(opt_secure_file_priv) >= FN_REFLEN) my_dirend(dir);
opt_secure_file_priv[FN_REFLEN-1]= '\0'; }
if (my_realpath(buff, opt_secure_file_priv, 0)) #endif
}
if (retval)
{ {
sql_print_warning("Failed to normalize the argument for --secure-file-priv."); char err_buffer[FN_REFLEN];
my_snprintf(err_buffer, FN_REFLEN-1,
"Failed to access directory for --secure-file-priv."
" Please make sure that directory exists and is "
"accessible by MySQL Server. Supplied value : %s",
opt_secure_file_priv);
err_buffer[FN_REFLEN-1]='\0';
sql_print_error("%s", err_buffer);
return 1; return 1;
} }
char *secure_file_real_path= (char *)my_malloc(FN_REFLEN, MYF(MY_FAE));
convert_dirname(secure_file_real_path, buff, NullS);
my_free(opt_secure_file_priv);
opt_secure_file_priv= secure_file_real_path; opt_secure_file_priv= secure_file_real_path;
} }
}
if (!check_secure_file_priv_path())
return 1;
return 0; return 0;
} }
......
...@@ -68,6 +68,8 @@ ...@@ -68,6 +68,8 @@
char internal_table_name[2]= "*"; char internal_table_name[2]= "*";
char empty_c_string[1]= {0}; /* used for not defined db */ char empty_c_string[1]= {0}; /* used for not defined db */
LEX_STRING EMPTY_STR= { (char *) "", 0 };
const char * const THD::DEFAULT_WHERE= "field list"; const char * const THD::DEFAULT_WHERE= "field list";
......
...@@ -105,6 +105,7 @@ enum enum_filetype { FILETYPE_CSV, FILETYPE_XML }; ...@@ -105,6 +105,7 @@ enum enum_filetype { FILETYPE_CSV, FILETYPE_XML };
extern char internal_table_name[2]; extern char internal_table_name[2];
extern char empty_c_string[1]; extern char empty_c_string[1];
extern LEX_STRING EMPTY_STR;
extern MYSQL_PLUGIN_IMPORT const char **errmesg; extern MYSQL_PLUGIN_IMPORT const char **errmesg;
extern bool volatile shutdown_in_progress; extern bool volatile shutdown_in_progress;
......
...@@ -1941,8 +1941,12 @@ static Sys_var_charptr Sys_secure_file_priv( ...@@ -1941,8 +1941,12 @@ static Sys_var_charptr Sys_secure_file_priv(
"secure_file_priv", "secure_file_priv",
"Limit LOAD DATA, SELECT ... OUTFILE, and LOAD_FILE() to files " "Limit LOAD DATA, SELECT ... OUTFILE, and LOAD_FILE() to files "
"within specified directory", "within specified directory",
PREALLOCATED READ_ONLY GLOBAL_VAR(opt_secure_file_priv), READ_ONLY GLOBAL_VAR(opt_secure_file_priv),
CMD_LINE(REQUIRED_ARG), IN_FS_CHARSET, DEFAULT(0)); #ifndef EMBEDDED_LIBRARY
CMD_LINE(REQUIRED_ARG), IN_FS_CHARSET, DEFAULT(DEFAULT_SECURE_FILE_PRIV_DIR));
#else
CMD_LINE(REQUIRED_ARG), IN_FS_CHARSET, DEFAULT(DEFAULT_SECURE_FILE_PRIV_EMBEDDED_DIR));
#endif
static bool fix_server_id(sys_var *self, THD *thd, enum_var_type type) static bool fix_server_id(sys_var *self, THD *thd, enum_var_type type)
{ {
......
# Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved. # Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
# #
# This program is free software; you can redistribute it and/or modify # This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by # it under the terms of the GNU General Public License as published by
...@@ -562,6 +562,7 @@ install -d $RBR%{_includedir} ...@@ -562,6 +562,7 @@ install -d $RBR%{_includedir}
install -d $RBR%{_libdir} install -d $RBR%{_libdir}
install -d $RBR%{_mandir} install -d $RBR%{_mandir}
install -d $RBR%{_sbindir} install -d $RBR%{_sbindir}
install -d $RBR/var/lib/mysql-files
mkdir -p $RBR%{_sysconfdir}/my.cnf.d mkdir -p $RBR%{_sysconfdir}/my.cnf.d
...@@ -1141,6 +1142,7 @@ echo "=====" >> $STATUS_HISTORY ...@@ -1141,6 +1142,7 @@ echo "=====" >> $STATUS_HISTORY
%attr(755, root, root) %{_sysconfdir}/init.d/mysql %attr(755, root, root) %{_sysconfdir}/init.d/mysql
%attr(755, root, root) %{_datadir}/mysql/ %attr(755, root, root) %{_datadir}/mysql/
%dir %attr(750, mysql, mysql) /var/lib/mysql-files
# ---------------------------------------------------------------------------- # ----------------------------------------------------------------------------
%files -n MySQL-client%{product_suffix} %files -n MySQL-client%{product_suffix}
...@@ -1226,6 +1228,9 @@ echo "=====" >> $STATUS_HISTORY ...@@ -1226,6 +1228,9 @@ echo "=====" >> $STATUS_HISTORY
# merging BK trees) # merging BK trees)
############################################################################## ##############################################################################
%changelog %changelog
* Mon Sep 26 2016 Balasubramanian Kandasamy <balasubramanian.kandasamy@oracle.com>
- Include mysql-files directory
* Wed Jul 02 2014 Bjorn Munch <bjorn.munch@oracle.com> * Wed Jul 02 2014 Bjorn Munch <bjorn.munch@oracle.com>
- Disable dtrace unconditionally, breaks after we install Oracle dtrace - Disable dtrace unconditionally, breaks after we install Oracle dtrace
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment