Bug#27919254 MYSQL USER ESCALATES ITS PRIVILEGE BY PLACING ARBITRARY PIDS INTO ITS PID FILES

vuvova · vuvova · commit 73e1ffdc6899 · 2018-10-24T06:49:18.000+02:00
diff --git a/support-files/mysql.server.sh b/support-files/mysql.server.sh
@@ -128,8 +128,9 @@ esac
 
 parse_server_arguments() {
   for arg do
+    val=`echo "$arg" | sed -e 's/^[^=]*=//'`
     case "$arg" in
-      --basedir=*)  basedir=`echo "$arg" | sed -e 's/^[^=]*=//'`
+      --basedir=*)  basedir="$val"
                     bindir="$basedir/bin"
 		    if test -z "$datadir_set"; then
 		      datadir="$basedir/data"
@@ -143,14 +144,15 @@ parse_server_arguments() {
                     fi
 		    libexecdir="$basedir/libexec"
         ;;
-      --datadir=*)  datadir=`echo "$arg" | sed -e 's/^[^=]*=//'`
+      --datadir=*)  datadir="$val"
 		    datadir_set=1
 	;;
       --log-basename=*|--hostname=*|--loose-log-basename=*)
-        mysqld_pid_file_path=`echo "$arg.pid" | sed -e 's/^[^=]*=//'`
+        mysqld_pid_file_path="$val.pid"
 	;;
-      --pid-file=*) mysqld_pid_file_path=`echo "$arg" | sed -e 's/^[^=]*=//'` ;;
-      --service-startup-timeout=*) service_startup_timeout=`echo "$arg" | sed -e 's/^[^=]*=//'` ;;
+      --pid-file=*) mysqld_pid_file_path="$val" ;;
+      --service-startup-timeout=*) service_startup_timeout="$val" ;;
+      --user=*) user="$val"; ;;
     esac
   done
 }
@@ -182,6 +184,12 @@ else
   test -z "$print_defaults" && print_defaults="my_print_defaults"
 fi
 
+user='@MYSQLD_USER@'
+
+su_kill() {
+  su - $user -s /bin/sh -c "kill $*" >/dev/null 2>&1
+}
+
 #
 # Read defaults file from 'basedir'.   If there is no defaults file there
 # check if it's in the old (depricated) place (datadir) and read it from there
@@ -210,7 +218,7 @@ wait_for_gone () {
 
   while test $i -ne $service_startup_timeout ; do
 
-    if kill -0 "$pid" 2>/dev/null; then
+    if su_kill -0 "$pid" ; then
       :  # the server still runs
     else
       if test ! -s "$pid_file_path"; then
@@ -250,7 +258,7 @@ wait_for_ready () {
     if $bindir/mysqladmin ping >/dev/null 2>&1; then
       log_success_msg
       return 0
-    elif kill -0 $! 2>/dev/null ; then
+    elif kill -0 $! ; then
       :  # mysqld_safe is still running
     else
       # mysqld_safe is no longer running, abort the wait loop
@@ -319,10 +327,9 @@ case "$mode" in
     then
       mysqld_pid=`cat "$mysqld_pid_file_path"`
 
-      if (kill -0 $mysqld_pid 2>/dev/null)
-      then
+      if su_kill -0 $mysqld_pid ; then
         echo $echo_n "Shutting down MariaDB"
-        kill $mysqld_pid
+        su_kill $mysqld_pid
         # mysqld should remove the pid file when it exits, so wait for it.
         wait_for_gone $mysqld_pid "$mysqld_pid_file_path"; return_value=$?
       else
@@ -355,7 +362,7 @@ case "$mode" in
   'reload'|'force-reload')
     if test -s "$mysqld_pid_file_path" ; then
       read mysqld_pid <  "$mysqld_pid_file_path"
-      kill -HUP $mysqld_pid && log_success_msg "Reloading service MariaDB"
+      su_kill -HUP $mysqld_pid && log_success_msg "Reloading service MariaDB"
       touch "$mysqld_pid_file_path"
     else
       log_failure_msg "MariaDB PID file could not be found!"
@@ -366,7 +373,7 @@ case "$mode" in
     # First, check to see if pid file exists
     if test -s "$mysqld_pid_file_path" ; then 
       read mysqld_pid < "$mysqld_pid_file_path"
-      if kill -0 $mysqld_pid 2>/dev/null ; then 
+      if su_kill -0 $mysqld_pid ; then
         log_success_msg "MariaDB running ($mysqld_pid)"
         exit 0
       else
