Fixed permissions on /var/run/mysqld. #758

Closed

3kami3 commented Apr 6, 2021

Fixes for the following warnings.

2021-04-03T01:01:06.188231+09:00 0 [Warning] [MY-011810] [Server] Insecure configuration for --pid-file: Location '/var/run/mysqld' in the path is accessible to all OS users. Consider choosing a different directory.

Member

yosifkit commented Apr 6, 2021

The current permissions were added on purpose in #161 and improved in #710.

Also tightens permissions for the run dir to ensure other users can't delete the socket and pid file.

The warning is harmless as there shouldn't be anything else running as another user in a MySQL container. Also, the directory permissions are such that users cannot delete other users' files (just like /tmp).

$ docker run -d --name sqly -e MYSQL_RANDOM_ROOT_PASSWORD=true -e MYSQL_DATABASE=monica -e MYSQL_USER=homestead -e MYSQL_PASSWORD=secret mysql:5.7
a98c5d085c5927bb727af2031fefdc7efc630b05e38ac373661499fbe9c78d91
$ docker exec -it --user 1000:1000 sqly bash
I have no name!@a98c5d085c59:/$ ls -la /var/run/mysqld/
total 20
drwxrwxrwt 1 mysql mysql 4096 Apr  6 17:47 .
drwxr-xr-x 1 root  root  4096 Mar 12 11:20 ..
-rw-r----- 1 mysql mysql    2 Apr  6 17:47 mysqld.pid
srwxrwxrwx 1 mysql mysql    0 Apr  6 17:47 mysqld.sock
-rw------- 1 mysql mysql    2 Apr  6 17:47 mysqld.sock.lock
I have no name!@a98c5d085c59:/$ rm -rf /var/run/mysqld/*
rm: cannot remove '/var/run/mysqld/mysqld.pid': Operation not permitted
rm: cannot remove '/var/run/mysqld/mysqld.sock': Operation not permitted
rm: cannot remove '/var/run/mysqld/mysqld.sock.lock': Operation not permitted
I have no name!@a98c5d085c59:/$ ls -la /var/run/mysqld/
total 20
drwxrwxrwt 1 mysql mysql 4096 Apr  6 17:47 .
drwxr-xr-x 1 root  root  4096 Mar 12 11:20 ..
-rw-r----- 1 mysql mysql    2 Apr  6 17:47 mysqld.pid
srwxrwxrwx 1 mysql mysql    0 Apr  6 17:47 mysqld.sock
-rw------- 1 mysql mysql    2 Apr  6 17:47 mysqld.sock.lock

@yosifkit yosifkit closed this Apr 6, 2021
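
The distinction drawn in the comment above (world-writable but sticky, like /tmp, versus world-writable without the sticky bit) can be checked programmatically. This is an added example, not code from the thread or from the image; `audit_run_dir`, `foreign_entries` and `make_sample_dir` are hypothetical names, and the sample directories are constructed temp dirs.

```python
import os
import stat
import tempfile


def audit_run_dir(path):
    """Classify a runtime directory by who may remove or rename its entries."""
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        raise NotADirectoryError(path)
    world_writable = bool(st.st_mode & stat.S_IWOTH)
    sticky = bool(st.st_mode & stat.S_ISVTX)
    if not world_writable:
        verdict = "restricted"    # other users cannot create or delete entries
    elif sticky:
        verdict = "sticky"        # like /tmp: only an entry's owner (or root) can delete it
    else:
        verdict = "unprotected"   # any user can delete or replace any entry
    return {"mode": stat.filemode(st.st_mode), "verdict": verdict}


def foreign_entries(path, expected_uid):
    """Names in path not owned by expected_uid.

    A sticky directory still lets any user create new entries, so an
    ownership check complements the mode check.
    """
    with os.scandir(path) as it:
        return sorted(e.name for e in it
                      if e.stat(follow_symlinks=False).st_uid != expected_uid)


def make_sample_dir(mode):
    """Constructed sample: a temp directory with the given mode and one pid file."""
    d = tempfile.mkdtemp(prefix="rundir-")
    with open(os.path.join(d, "mysqld.pid"), "w") as f:
        f.write("1\n")
    os.chmod(d, mode)  # chmod is not affected by the umask
    return d


if __name__ == "__main__":
    for mode in (0o1777, 0o777, 0o755):
        d = make_sample_dir(mode)
        print(oct(mode), audit_run_dir(d), foreign_entries(d, os.getuid()))
```

The `drwxrwxrwt` listing shown in the comment corresponds to the `sticky` verdict here.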
Author

3kami3 commented Apr 7, 2021

@yosifkit Does this warning [MY-011810] always appear when using the official container?

$ docker run -d --name sqly -e MYSQL_RANDOM_ROOT_PASSWORD=true -e MYSQL_DATABASE=monica -e MYSQL_USER=homestead -e MYSQL_PASSWORD=secret mysql:8.0
d3eb7977e451683819c51d72a05030d5eb62b8da4287d6833126b9ba3667d7cf
$ docker logs sqly |& grep Warning
2021-04-07T13:36:37.174019Z 6 [Warning] [MY-010453] [Server] root@localhost is created with an empty password ! Please consider switching off the --initialize-insecure option.
2021-04-07T13:36:40.030736Z 0 [Warning] [MY-010068] [Server] CA certificate ca.pem is self signed.
2021-04-07T13:36:40.031871Z 0 [Warning] [MY-011810] [Server] Insecure configuration for --pid-file: Location '/var/run/mysqld' in the path is accessible to all OS users. Consider choosing a different directory.

What should I do if I want to suppress the output?

Member

yosifkit commented Apr 7, 2021

> What should I do if I want to suppress the output?

Create your own image or grep out warnings that you've concluded are harmless.

Author

3kami3 commented Apr 8, 2021

Thanks for the reply.
I understand it.
