I just wanted to preserve this discussion for reference:

(12:05:09) jes-o-mat: periapt: btw - do you know a reason why mysqld_safe is running as root?
(12:07:05) periapt: jes-o-mat: No, that seems like a fair question to me.
(12:28:25) ryeng: mysqld_safe is supposed to chown the error log
(12:29:02) ryeng: Lines 560-576
(12:37:03) jes-o-mat: periapt: http://boschman.de/~jesusch/debian/mysql/664639-mysql-server.init.diff.txt
(12:37:15) jes-o-mat: seems to be working pretty well?
(12:39:23) ryeng: jes-o-mat: Does it also work if you start mysqld_safe with --user=${user}?
(12:40:02) ryeng: I'm not sure if mysqld_safe needs to run as root.
(12:40:46) jes-o-mat: ryeng: I'd vote for starting mysqld_safe as user mysql as far as it seems that there is no reason to run it as root
(12:42:52) jes-o-mat: ryeng: http://paste.debian.net/175256/
(12:43:04) ryeng: jes-o-mat: I agree. I found this, explaining the reason it allows user switching: https://blogs.oracle.com/bobn/entry/securing_mysql_using_smf_the
(12:43:43) ryeng: Running it as the mysql user seems like a good idea
(12:44:04) ryeng: «The answer to the first question is simple: it can be run as a regular user. It only runs as root out of convenience to operating systems that don't have as sophisticated a security framework as Solaris.»
(12:44:21) jes-o-mat: seems like --user is not taken into account
(12:49:22) jes-o-mat: btw - I've retitled and reassigned the bug report. why did this not happen?
(12:49:52) jes-o-mat: do I need to CC control@bugs.d.o?
(12:51:35) periapt: jes-o-mat: Yes. http://www.debian.org/Bugs/server-control
(12:52:32) periapt: jes-o-mat: Actually "Bcc" is better. It stops people sending nonsense to the control server.
(13:19:36) jes-o-mat: periapt: Revision 2162 should do the trick
(13:21:30) periapt: jes-o-mat: Thanks. I'll give it a whirl.
(13:37:25) jes-o-mat: periapt: damn - we might have an issue... mysqld_safe in some cases sets custom ulimits.. which afaik is only possible as root?
(13:50:36) periapt: maybe: "An unprivileged process may only set its soft limit to a value in the range from 0 up to the hard limit, and (irreversibly) lower its hard limit. A privileged process may make arbitrary changes to either limit value."
(13:51:07) periapt: jes-o-mat: I am just glad you made the change in experimental. :)