I'm slightly confused. These build tests are using an installed, live mysql server and create temporary files somewhere in such a way that mysqld needs to read them?
If that is the case, then maybe we could add to the mysqld profile something like:

  owner /var/tmp/mysql/** rwkl,
  owner /var/tmp/mysql/* rw,
  /var/tmp/mysql-buildtests/** r,
  /var/tmp/mysql-buildtests/ r,

Then do:

  # mkdir -m 0770 /var/tmp/mysql
  # chown mysql:mysql
  # mkdir -m 1113 /var/tmp/mysql-buildtests
  # chown mysql:mysql /var/tmp/mysql-buildtests

This should allow any user to write to anything in /var/tmp/mysql-buildtests, after which testsuites can invoke mysqld with the proper arguments for tmpdir being /var/tmp/mysql and reading specific files in /var/tmp/mysql-buildtests.

The idea is that under normal circumstances, mysqld would ignore /var/tmp/mysql-buildtests/, but in the face of an attack both DAC and AppArmor prevent writing to /var/tmp/mysql-buildtests. We use the weird '1113' permissions on /var/tmp/mysql-buildtests to create a sticky directory to allow 'other' to create files in the directory, but mysql can only read from this directory. DAC prevents regular users from reading /var/tmp/mysql.

This should mitigate bug #578922 while allowing for test suites to run.

It would be great if others could review my suggestion.

-- 
MySQL must not use /tmp
https://bugs.launchpad.net/bugs/375371
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
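The directory layout proposed in the message, written up as an added example script (it is not part of the bug thread or of the Ubuntu mysql packaging): it creates the 0770 and 1113 directories under a caller-supplied prefix so the mode bits can be inspected in a scratch location rather than /var/tmp, and a check function reports drift from the intended bits. It assumes Linux with GNU or busybox stat (for stat -c %a) and only applies the chown when run as root; the default owner name mysql is taken from the message.

```shell
#!/bin/sh
# Added example, not code from the bug report. Builds the two directories the
# message proposes under <base> instead of /var/tmp and verifies their modes.
# Assumptions: Linux, GNU/busybox stat supporting -c %a; chown is only
# attempted as root because changing ownership to another user needs it.

# <base>/mysql            0770  private scratch space for mysqld (tmpdir)
# <base>/mysql-buildtests 1113  sticky; 'other' may create files, the owner
#                               may only traverse it and read known paths
setup_mysql_tmp_layout() {
    base="$1"
    owner="${2:-mysql}"     # service account, as in the proposal
    mkdir -m 0770 "$base/mysql" || return 1
    mkdir -m 1113 "$base/mysql-buildtests" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown "$owner:$owner" "$base/mysql" "$base/mysql-buildtests" || return 1
    fi
    return 0
}

# Octal mode of a path including special bits, e.g. "770" or "1113".
mode_of() {
    stat -c %a "$1"
}

# Verify the layout still carries the intended bits; returns 1 on any drift
# so it can be used from a post-install hook or a periodic check.
check_mysql_tmp_layout() {
    base="$1"
    [ "$(mode_of "$base/mysql")" = "770" ] \
        || { echo "$base/mysql: expected mode 770" >&2; return 1; }
    [ "$(mode_of "$base/mysql-buildtests")" = "1113" ] \
        || { echo "$base/mysql-buildtests: expected mode 1113" >&2; return 1; }
    [ -k "$base/mysql-buildtests" ] \
        || { echo "$base/mysql-buildtests: sticky bit missing" >&2; return 1; }
    return 0
}

# Stand-alone demonstration in a throwaway prefix.
scratch=$(mktemp -d)
if setup_mysql_tmp_layout "$scratch" "$(id -un)" && check_mysql_tmp_layout "$scratch"; then
    echo "layout ok under $scratch"
fi
rm -rf "$scratch"
```

Note that the mode checks only confirm the bits; whether mysqld can actually read from mysql-buildtests while being denied writes still depends on the AppArmor rules from the message being loaded alongside these directories.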