from:"Lukas Javorsky"

Re: [Maria-discuss] How can I separate one test from mysql_test

2021-11-18 Thread Lukas Javorsky

Hi Sergei,

I've somehow managed to get onto another problem and that is the start of
the mariadb.service.

I'm trying to reproduce one of the tests "
encryption.innodb-checksum-algorithm"

The error I'm getting (cat /var/log/mariadb/mysqld.1.err) is this:
2021-11-08  4:06:46 0 [Warning] /usr/libexec/mariadbd: unknown variable
'loose-feedback-debug-startup-interval=20'
2021-11-08  4:06:46 0 [Warning] /usr/libexec/mariadbd: unknown variable
'loose-feedback-debug-first-interval=60'
2021-11-08  4:06:46 0 [Warning] /usr/libexec/mariadbd: unknown variable
'loose-feedback-debug-interval=60'
2021-11-08  4:06:46 0 [Warning] /usr/libexec/mariadbd: unknown option
'--loose-pam-debug'
2021-11-08  4:06:46 0 [Warning] /usr/libexec/mariadbd: unknown option
'--loose-aria'
2021-11-08  4:06:46 0 [Warning] Failed to setup SSL
2021-11-08  4:06:46 0 [Warning] SSL error: SSL_CTX_set_default_verify_paths
failed
2021-11-08  4:06:46 0 [Warning] SSL error: error:8002:system
library::No such file or directory
2021-11-08  4:06:46 0 [Warning] SSL error: error:1080:BIO routines::no
such file
2021-11-08  4:06:46 0 [Warning] SSL error: error:05880002:x509 certificate
routines::system lib
2021-11-08  4:06:46 0 [Note] Server socket created on IP: '127.0.0.1'.
2021-11-08  4:06:46 0 [ERROR] Can't start server: Bind on TCP/IP port. Got
error: 13: Permission denied
2021-11-08  4:06:46 0 [ERROR] Do you already have another mysqld server
running on port: 16020 ?
2021-11-08  4:06:46 0 [ERROR] Aborting

Do you have any idea what could cause this?
I'm not sure how to go further with this reproducer unless I fix this error.

I would be so grateful for even multiple ideas where the problem could be,
so I can check them.

Thank you for your response.
Lukas

On Tue, Nov 2, 2021 at 11:08 AM Lukas Javorsky  wrote:

> Hi Sergei,
>
> I'm sorry for the late reply.
>
> I've attached the mysqld.1.err
> from '/home/user/encryption/1/log/mysqld.1.err'.
> I'm not sure how to read those test results, could you please give me more
> insight into these logs and files?
> E.g. what are those 1-7 directories?
>
> I'm testing the 'suite/encryption/t/innodb-checksum-algorithm.test'.
> I'm using the '--verbose' and '--vardir=/home/user/encryption/' options.
>
> The structure is quite unique, and I'm not sure which files could be
> helpful to me.
> I've attached the structure to this email (structure.txt) - command "tree
> /home/user/encryption"
>
>
> On Wed, Oct 13, 2021 at 3:58 PM Sergei Golubchik  wrote:
>
>> Hi, Lukas!
>>
>> On Oct 13, Lukas Javorsky wrote:
>> > Hi Sergei,
>> >
>> > > How do these tests fail?
>> > For example:
>> > Test = encryption.corrupted_during_recovery
>> > Error:
>> > "mysqltest: At line 25: query 'INSERT INTO t1 VALUES(2)' failed: 1932:
>> > Table 'test.t1' doesn't exist in engine"
>> >
>> > For the full log you can view it here:
>> >
>> https://kojihub.stream.rdu2.redhat.com/kojifiles/work/tasks/7208/367208/build.log
>>
>> I cannot see it, the host doesn't even resolve.
>>
>> Can you share the error log? it's somewhere in
>> var/*/mysqld.1.err and var is normally in mysql-test/
>> unless you used mysql-test-run.pl --vardir=xxx
>>
>> > > What do you need as a reproducer, a small standalone program?
>> > The best way is to create some kind of script where you can see all of
>> the
>> > options that are passed to the server when the service is initialized.
>> > And the following SQL commands that are executed to the server (or if
>> the
>> > test is not executing any commands in the server, then whatever it's
>> > executed after the server is started).
>>
>> But that's just mysql-test-run, you have it.
>> --verbose will show all options that are passed to the server.
>> var/my.cnf is the config file.
>>
>> One can probably even use ltrace to get all calls into libssl.so,
>> but I personally haven't tried that.
>>
>> Regards,
>> Sergei
>> VP of MariaDB Server Engineering
>> and secur...@mariadb.org
>>
>>
>
> --
> S pozdravom/ Best regards
>
> Lukáš Javorský
>
> Associate Software Engineer, Core service - Databases
>
> Red Hat <https://www.redhat.com>
>
> Purkyňova 115 (TPB-C)
>
> 612 00 Brno - Královo Pole
>
> ljavo...@redhat.com
> <https://www.redhat.com>
>


-- 
S pozdravom/ Best regards

Lukáš Javorský

Associate Software Engineer, Core service - Databases

Red Hat <https://www.redhat.com>

Purkyňova 115 (TPB-C)

612 00 Brno - Královo Pole

ljavo...@redhat.com
<https://www.redhat.com>
___
Mailing list: https://launchpad.net/~maria-discuss
Post to : maria-discuss@lists.launchpad.net
Unsubscribe : https://launchpad.net/~maria-discuss
More help   : https://help.launchpad.net/ListHelp

Re: [Maria-discuss] How can I separate one test from mysql_test

2021-10-13 Thread Lukas Javorsky

Hi Sergei,

> How do these tests fail?
For example:
Test = encryption.corrupted_during_recovery
Error:
"mysqltest: At line 25: query 'INSERT INTO t1 VALUES(2)' failed: 1932:
Table 'test.t1' doesn't exist in engine"

For the full log you can view it here:
https://kojihub.stream.rdu2.redhat.com/kojifiles/work/tasks/7208/367208/build.log

> What do you need as a reproducer, a small standalone program?
The best way is to create some kind of script where you can see all of the
options that are passed to the server when the service is initialized.
And the following SQL commands that are executed to the server (or if the
test is not executing any commands in the server, then whatever it's
executed after the server is started).

On Tue, Oct 12, 2021 at 10:47 PM Sergei Golubchik  wrote:

> Hi, Lukas!
>
> On Oct 05, Lukas Javorsky wrote:
> > Hi guys,
> >
> > I've found few particular tests from the test suite that is failing due
> to
> > the OpenSSL-3 version and I want to separate them and give them to the
> > OpenSSL team in Red Hat.
> >
> > The idea behind this is to give them a set of commands/config options
> > (reproducer) for each test and they will try to find out what's the
> > exact problem there and help us develop the patch.
> >
> > The tests that I'm interested in are (there are more of them, I just need
> > to see how to reproduce few of them and I'll do the same for the other
> ones
> > as well):
> > encryption.corrupted_during_recovery
> > encryption.innodb-checksum-algorithm
> > encryption.innodb-discard-import-change
> > encryption.innodb_page_encryption_key_change
> > binlog_encryption.rpl_loaddata_local
> > binlog_encryption.rpl_parallel_free_deferred_event
> >
> > IMPORTANT: These tests are failing only with the 'cbc' cipher in use, the
> > 'ctr' is passing.
> >
> > Could you please help me with how to make a reproducer for each test,
> > so I can create them and give them to the OpenSSL team?
>
> How do these tests fail?
> What do you need as a reproducer, a small standalone program?
>
> Regards,
> Sergei
> VP of MariaDB Server Engineering
> and secur...@mariadb.org
>
>

-- 
S pozdravom/ Best regards

Lukáš Javorský

Associate Software Engineer, Core service - Databases

Red Hat <https://www.redhat.com>

Purkyňova 115 (TPB-C)

612 00 Brno - Královo Pole

ljavo...@redhat.com
<https://www.redhat.com>
___
Mailing list: https://launchpad.net/~maria-discuss
Post to : maria-discuss@lists.launchpad.net
Unsubscribe : https://launchpad.net/~maria-discuss
More help   : https://help.launchpad.net/ListHelp

Re: [Maria-discuss] How can I separate one test from mysql_test

2021-10-12 Thread Lukas Javorsky

Hi Sergei,

Thank you for letting me know.
Yes, I have noticed that Connector/C is already supporting OpenSSL-3.0, so
I was waiting for Server 10.6 (as compiled against Connector/C 3.2) will be
supporting it as well.

And back to my original question, could you help me (maybe where to look)
with the reproducer for the tests mentioned above?

Lukas

On Mon, Oct 11, 2021 at 11:53 PM Sergei Golubchik  wrote:

> Hi, Lukas!
>
> Sorry, for not replying earlier.
>
> There is no WIP or estimate yes. Only an understanding that we have to
> do it, it's unavoidable, and highly likely we'll need to do it in
> existing versions, not only in a new development branch.
>
> And Connector/C already supports OpenSSL 3.0 (CONC-503), so we have a
> reasonably good idea of what needs to be done.
>
> On Oct 06, Lukas Javorsky wrote:
> > Hi Sergei,
> >
> > We have some very simple patch which helps MariaDB to build with the
> > openssl-3 version, however, the test suite is failing (Failed 56/3396
> > tests).
> > So that raises a flag, that something may not work as expected, and we
> > want to figure it out.
> >
> > Speaking of, what's your status on the openssl-3 support in MariaDB
> > Server? Do you have some WIP or estimate in which major version this
> > could be expected?
> >
> > Thank you
> > Lukas
>
> Regards,
> Sergei
> VP of MariaDB Server Engineering
> and secur...@mariadb.org
>
>

-- 
S pozdravom/ Best regards

Lukáš Javorský

Associate Software Engineer, Core service - Databases

Red Hat <https://www.redhat.com>

Purkyňova 115 (TPB-C)

612 00 Brno - Královo Pole

ljavo...@redhat.com
<https://www.redhat.com>
___
Mailing list: https://launchpad.net/~maria-discuss
Post to : maria-discuss@lists.launchpad.net
Unsubscribe : https://launchpad.net/~maria-discuss
More help   : https://help.launchpad.net/ListHelp

Re: [Maria-discuss] How can I separate one test from mysql_test

2021-10-07 Thread Lukas Javorsky

> We have some very simple patch which helps MariaDB to build with the
openssl-3 version, however, the test suite is failing (Failed 56/3396
tests).
The patch is linked in the JIRA ticket as well:
https://jira.mariadb.org/browse/MDEV-25785

On Wed, Oct 6, 2021 at 12:21 PM Lukas Javorsky  wrote:

> Hi Sergei,
>
> We have some very simple patch which helps MariaDB to build with the
> openssl-3 version, however, the test suite is failing (Failed 56/3396
> tests).
> So that raises a flag, that something may not work as expected, and we
> want to figure it out.
>
> Speaking of, what's your status on the openssl-3 support in MariaDB Server?
> Do you have some WIP or estimate in which major version this could be
> expected?
>
> Thank you
> Lukas
>
> On Tue, Oct 5, 2021 at 4:41 PM Sergei Golubchik  wrote:
>
>> Hi, Lukas!
>>
>> Do you use some patches to make mariadb compile with OpenSSL-3?
>> I thought it won't work out of the box.
>>
>> /Sergei
>>
>> On Oct 05, Lukas Javorsky wrote:
>> > Hi guys,
>> >
>> > I've found few particular tests from the test suite that is failing due
>> to
>> > the OpenSSL-3 version and I want to separate them and give them to the
>> > OpenSSL team in Red Hat.
>> >
>> > The idea behind this is to give them a set of commands/config options
>> > (reproducer) for each test and they will try to find out what's the
>> exact
>> > problem there and help us develop the patch.
>> >
>> > The tests that I'm interested in are (there are more of them, I just
>> need
>> > to see how to reproduce few of them and I'll do the same for the other
>> ones
>> > as well):
>> > encryption.corrupted_during_recovery
>> > encryption.innodb-checksum-algorithm
>> > encryption.innodb-discard-import-change
>> > encryption.innodb_page_encryption_key_change
>> > binlog_encryption.rpl_loaddata_local
>> > binlog_encryption.rpl_parallel_free_deferred_event
>> >
>> > IMPORTANT: These tests are failing only with the 'cbc' cipher in use,
>> the
>> > 'ctr' is passing.
>> >
>> > Could you please help me with how to make a reproducer for each test,
>> so I
>> > can create them and give them to the OpenSSL team?
>> >
>> > Thank you for any help you can provide
>> > Lukas
>> >
>> >
>> > --
>> > S pozdravom/ Best regards
>> >
>> > Lukáš Javorský
>> >
>> > Associate Software Engineer, Core service - Databases
>> >
>> > Red Hat <https://www.redhat.com>
>> >
>> > Purkyňova 115 (TPB-C)
>> >
>> > 612 00 Brno - Královo Pole
>> >
>> > ljavo...@redhat.com
>> > <https://www.redhat.com>
>>
>> Regards,
>> Sergei
>> VP of MariaDB Server Engineering
>> and secur...@mariadb.org
>>
>>
>
> --
> S pozdravom/ Best regards
>
> Lukáš Javorský
>
> Associate Software Engineer, Core service - Databases
>
> Red Hat <https://www.redhat.com>
>
> Purkyňova 115 (TPB-C)
>
> 612 00 Brno - Královo Pole
>
> ljavo...@redhat.com
> <https://www.redhat.com>
>


-- 
S pozdravom/ Best regards

Lukáš Javorský

Associate Software Engineer, Core service - Databases

Red Hat <https://www.redhat.com>

Purkyňova 115 (TPB-C)

612 00 Brno - Královo Pole

ljavo...@redhat.com
<https://www.redhat.com>
___
Mailing list: https://launchpad.net/~maria-discuss
Post to : maria-discuss@lists.launchpad.net
Unsubscribe : https://launchpad.net/~maria-discuss
More help   : https://help.launchpad.net/ListHelp

[Maria-discuss] How can I separate one test from mysql_test

2021-10-05 Thread Lukas Javorsky

Hi guys,

I've found few particular tests from the test suite that is failing due to
the OpenSSL-3 version and I want to separate them and give them to the
OpenSSL team in Red Hat.

The idea behind this is to give them a set of commands/config options
(reproducer) for each test and they will try to find out what's the exact
problem there and help us develop the patch.

The tests that I'm interested in are (there are more of them, I just need
to see how to reproduce few of them and I'll do the same for the other ones
as well):
encryption.corrupted_during_recovery
encryption.innodb-checksum-algorithm
encryption.innodb-discard-import-change
encryption.innodb_page_encryption_key_change
binlog_encryption.rpl_loaddata_local
binlog_encryption.rpl_parallel_free_deferred_event

IMPORTANT: These tests are failing only with the 'cbc' cipher in use, the
'ctr' is passing.

Could you please help me with how to make a reproducer for each test, so I
can create them and give them to the OpenSSL team?

Thank you for any help you can provide
Lukas


-- 
S pozdravom/ Best regards

Lukáš Javorský

Associate Software Engineer, Core service - Databases

Red Hat 

Purkyňova 115 (TPB-C)

612 00 Brno - Královo Pole

ljavo...@redhat.com

___
Mailing list: https://launchpad.net/~maria-discuss
Post to : maria-discuss@lists.launchpad.net
Unsubscribe : https://launchpad.net/~maria-discuss
More help   : https://help.launchpad.net/ListHelp

[Maria-discuss] OpenSSL 3.0 support

2021-06-17 Thread Lukas Javorsky

Hi,

We've created two Jira tickets for the OpenSSL 3.0 support, however, we
didn't really get a response or any detailed information from you about it.

Connector-c: https://jira.mariadb.org/browse/CONC-503
Server: https://jira.mariadb.org/browse/MDEV-25785

It's our big concern to support this ASAP because we are aiming to support
OpenSSL version 3.0 in the RHEL-9 which is coming soon.

Our mission in RHEL-9 is to aim for the newest software version because we
are going to support this OS for more than 10 years, and the major changes
should be done in the beginning.

We would like to know your opinion about this so we can maybe try to help
you in some way.

Please let us know what you think about it.

Thank you and have a nice day

-- 
S pozdravom/ Best regards

Lukáš Javorský

Associate Software Engineer, Core service - Databases

Red Hat 

Purkyňova 115 (TPB-C)

612 00 Brno - Královo Pole

ljavo...@redhat.com

___
Mailing list: https://launchpad.net/~maria-discuss
Post to : maria-discuss@lists.launchpad.net
Unsubscribe : https://launchpad.net/~maria-discuss
More help   : https://help.launchpad.net/ListHelp

Re: [Maria-discuss] Is it possible to upgrade SHA-1 and MD5 algorithms in Mariadb-10.5?

2021-03-22 Thread Lukas Javorsky

Hi Sergei,

I'm going to create the feature requests as you mentioned.

> Neither password hashing nor certificate fingerprinting, as far as I can

> see, use MD5.

Yes, I know, that's why I used "OR". I was just double checking. SHA-1 is
used though.

However, we don't just have the checkbox for this.

The computing power is really skyrocketing every year, and we should be
prepared rather than waiting for it.

That's why we are doing extra steps to prevent any security issues that may
be caused by weak algorithms.

And since MariaDB is pretty big and widely used software we need to protect
our customers against these types of attacks.


I will try to provide as many information as I can in the following feature
requests at jira.mariadb.com

Thank you

Lukas


On Fri, Mar 19, 2021 at 2:11 PM Sergei Golubchik  wrote:

> Hi, Lukas!
>
> On Mar 19, Lukas Javorsky wrote:
> >
> > The main functions that are important for us is the password hashing,
> > certificate fingerprinting in mariadb-connector-c which uses SHA-1 or
> > MD5
>
> Neither password hashing nor certificate fingerprinting, as far as I can
> see, use MD5.
>
> Password hashing, indeed, uses SHA-1. It's still secure, as far as I
> know, but I understand that you're likely just need a checkbox "no
> SHA-1 inside". Please, create a feature request at jira.mariadb.org for
> that (use type=task, project=MDEV).
>
> Certificate fingerprinting in mariadb-connector-c also uses SHA-1.
> If think it might make sense to allow other digest algorithms too.
> Please, create a feature request at jira.mariadb.org (project=CONC).
>
> Regards,
> Sergei
> VP of MariaDB Server Engineering
> and secur...@mariadb.org
>
>

-- 
S pozdravom/ Best regards

Lukáš Javorský

Associate Software Engineer, Core service - Databases

Red Hat <https://www.redhat.com>

Purkyňova 115 (TPB-C)

612 00 Brno - Královo Pole

ljavo...@redhat.com
<https://www.redhat.com>
___
Mailing list: https://launchpad.net/~maria-discuss
Post to : maria-discuss@lists.launchpad.net
Unsubscribe : https://launchpad.net/~maria-discuss
More help   : https://help.launchpad.net/ListHelp

Re: [Maria-discuss] Is it possible to upgrade SHA-1 and MD5 algorithms in Mariadb-10.5?

2021-03-19 Thread Lukas Javorsky

> What do you mean by "upgrade SHA-1 and MD5 algorithms in MariaDB" ?

Sorry for misleading terminology Sergei.
What I meant was to change this algorithm to something newer, and most
importantly more secure.

There is an article <https://eprint.iacr.org/2020/014> about breaking the
SHA-1 which is dated to 2020 and it explains the vulnerability of this
algorithm.

RHEL also adheres to Government standards like FIPS 140-2, which permits
the use of SHA-1 for verification of legacy signatures.
That may not be the case of mariadb, however, our goal is to
eliminate every possible weakness of the algorithms used in packages.

The main functions that are important for us is the password hashing,
certificate fingerprinting in mariadb-connector-c which uses SHA-1 or MD5

Please let me know what you think.
Lukas

On Fri, Mar 19, 2021 at 1:48 AM Daniel Black  wrote:

> md5:
>
> extra/mariabackup/xbcloud.cc - old bit, however for old reasons used md5
> as a checksum on a storage format. I'm think can be removed before RHEL9
>
> In SQL there is a MD5 function, we can't just replace that as it will
> break user applications.
>
> sha1:
>
> also a SQL function.
>
> plugin/file_key_management/parser.cc is a digest on the keys, however if
> this is a point of attack you've lost already. I suspect this can be fixed.
>
> sha1 forms part of the mysql_native_password implementation, there's no
> known vulnerabilities in this due to its sha1 usage.
>
> https://mariadb.com/kb/en/authentication-plugin-ed25519/ is available,
> however not everything supports in on the client side.
> A mistake was also made (ref MDEV-19217), so a v2 might be needed.
>
> As things like php have mysqlnd and are more strictly tied to MySQL rather
> than MariaDB compatibility so adding MariaDB authentication
> plugins hasn't been accepted yet.
>
> On SQL functions, is this going to be a problem? or would a compile option
> that issues a user SQL warning if they are used be useful?
>
>
>
>
> On Thu, Mar 18, 2021 at 2:29 PM Eliezer Croitoru 
> wrote:
>
>> Hey Sergei,
>>
>> I cannot speak in the name of Lukas but I assume that he is talking about
>> the payload signature of RPM files.
>> Technically speaking SHA1 and MD5 can collide but only to specific file
>> sizes.
>> It's not that simple to create an RPM in a size of 10+ MB which will
>> provide the exact same
>> functionality ie DB which will include errors and/or other things.
>>
>> I know it's pretty simple to upgrade the signature so I do not find any
>> reason to not add a SHA256 sig.
>>
>> All The Bests,
>> Eliezer
>>
>> 
>> Eliezer Croitoru
>> Tech Support
>> Mobile: +972-5-28704261
>> Email: ngtech1...@gmail.com
>> Zoom: Coming soon
>>
>>
>> -Original Message-
>> From: Maria-discuss > gmail@lists.launchpad.net> On Behalf Of Sergei Golubchik
>> Sent: Wednesday, March 17, 2021 5:24 PM
>> To: Lukas Javorsky 
>> Cc: maria-discuss@lists.launchpad.net
>> Subject: Re: [Maria-discuss] Is it possible to upgrade SHA-1 and MD5
>> algorithms in Mariadb-10.5?
>>
>> Hi, Lukas!
>>
>> What do you mean by "upgrade SHA-1 and MD5 algorithms in MariaDB" ?
>>
>> Regards,
>> Sergei
>> VP of MariaDB Server Engineering
>> and secur...@mariadb.org
>>
>> On Mar 17, Lukas Javorsky wrote:
>> > Hi,
>> >
>> > In RHEL-9 we are deprecating, old SHA-1 and MD5 and that's why I want to
>> > ask you if there is any chance that upstream is going to change it, or
>> we
>> > should do it downstream.
>> >
>> > These algorithms are no longer considered as safe, so it may be a good
>> > thing to upgrade them.
>> >
>> > AFAIK mariadb uses these algorithms in *mariadb* and
>> *mariadb-connector-c.*
>> >
>> > Also if you have no intention to change it, is there any chance you
>> could
>> > help us somehow. Maybe point out what we should be aware of.
>> >
>> > Please let me know what you think
>> >
>> > Lukas
>> >
>> > --
>> > S pozdravom/ Best regards
>> >
>> > Lukáš Javorský
>> >
>> > Associate Software Engineer, Core service - Databases
>> >
>> > Red Hat <https://www.redhat.com>
>> >
>> > Purkyňova 115 (TPB-C)
>> >
>> > 612 00 Brno - Královo Pole
>> >
>> > ljavo...@redhat.com
>> > <https://www.redhat.com>
>>
>> ___
>> Mailing list: https://launchpad.ne

[Maria-discuss] Is it possible to upgrade SHA-1 and MD5 algorithms in Mariadb-10.5?

2021-03-17 Thread Lukas Javorsky

Hi,

In RHEL-9 we are deprecating, old SHA-1 and MD5 and that's why I want to
ask you if there is any chance that upstream is going to change it, or we
should do it downstream.

These algorithms are no longer considered as safe, so it may be a good
thing to upgrade them.

AFAIK mariadb uses these algorithms in *mariadb* and *mariadb-connector-c.*

Also if you have no intention to change it, is there any chance you could
help us somehow. Maybe point out what we should be aware of.

Please let me know what you think

Lukas

-- 
S pozdravom/ Best regards

Lukáš Javorský

Associate Software Engineer, Core service - Databases

Red Hat 

Purkyňova 115 (TPB-C)

612 00 Brno - Královo Pole

ljavo...@redhat.com

___
Mailing list: https://launchpad.net/~maria-discuss
Post to : maria-discuss@lists.launchpad.net
Unsubscribe : https://launchpad.net/~maria-discuss
More help   : https://help.launchpad.net/ListHelp

Re: [Maria-discuss] Why does MariaDB needs SELinux capability for setuid/setgid?

2021-03-16 Thread Lukas Javorsky

>1. /etc/my.cnf.d/mariadb-server.cnf
>contains log-error=/var/log/mariadb/mariadb.log
>
>Without log-error set, the service will output to stdout/error and be
captured by journald. Would this be better packaging for you?
>
>This would help your outstanding rhbz on logrotation that I also haven't
fixed upstream.

We have a lot of tests built on top of this behavior, also there are some
known issues with logrotate, so we are not changing at this time, maybe it
will be some future feature.

>2. exec names now mariadb
>
>in 10.4 we put mariadb names on executables a symlinks to mysql named
binaries.
>
>in 10.5 this was reverse.
>
>This is a slow move to phase out these mysql names that I hope you can
help with.
>
>e.g. (10.4)
>ls -al /usr/libexec/mariadbd
>lrwxrwxrwx. 1 root root 6 Nov 12 11:44 /usr/libexec/mariadbd -> mysqld
>
>What would help significantly is if the mariadb names got into the selinux
fc file.
>
>In
https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/contrib/mysql.fc,
I'm
>
>With this the executables in the service could change.

I have created PR today and selinux is already handling it:
https://github.com/fedora-selinux/selinux-policy/pull/641

>2. mariadb.service
>
>/usr/libexec/mysql-check-socket
>
>is excessive - recent systemd won't allow a second process in the same
cgroup when it has SendSIGKILL=no
>(https://github.com/systemd/systemd/issues/8630)
>
>On other Start{Pre,Post} in the service would you consider changing the
name to mariadb?
>Documentation="man:mariadbd(8)"
>
>There's a fair few comments in
https://github.com/MariaDB/server/blob/10.5/support-files/mariadb.service.in
and
its history that are probably relevant.

What are you suggesting?

Thanks for help
Lukas

On Tue, Mar 16, 2021 at 1:13 PM Daniel Black  wrote:

>
>
> On Mon, Mar 15, 2021 at 10:31 PM Lukas Javorsky 
> wrote:
>
>> So IIRC, we don't need the setuid/setgid capability in Fedora/RHEL OS
>> because we use systemd services right?
>>
>
> correct
>
> Seems using mariadb memlock requires a LimitMEMLOCK too which needs
> extended documentation in https://mariadb.com/kb/en/systemd/.
>
> Packaging / selinux related:
>
> 1. /etc/my.cnf.d/mariadb-server.cnf
> contains log-error=/var/log/mariadb/mariadb.log
>
> Without log-error set, the service will output to stdout/error and be
> captured by journald. Would this be better packaging for you?
>
> This would help your outstanding rhbz on logrotation that I also haven't
> fixed upstream.
>
> 2. exec names now mariadb
>
> in 10.4 we put mariadb names on executables a symlinks to mysql named
> binaries.
>
> in 10.5 this was reverse.
>
> This is a slow move to phase out these mysql names that I hope you can
> help with.
>
> e.g. (10.4)
> ls -al /usr/libexec/mariadbd
> lrwxrwxrwx. 1 root root 6 Nov 12 11:44 /usr/libexec/mariadbd -> mysqld
>
> What would help significantly is if the mariadb names got into the selinux
> fc file.
>
> In
> https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/contrib/mysql.fc,
> I'm
>
> With this the executables in the service could change.
>
> 2. mariadb.service
>
> /usr/libexec/mysql-check-socket
>
> is excessive - recent systemd won't allow a second process in the same
> cgroup when it has SendSIGKILL=no
> (https://github.com/systemd/systemd/issues/8630)
>
> On other Start{Pre,Post} in the service would you consider changing the
> name to mariadb?
> Documentation="man:mariadbd(8)"
>
> There's a fair few comments in
> https://github.com/MariaDB/server/blob/10.5/support-files/mariadb.service.in
> and its history that are probably relevant.
>
> selinux and the mariadb PAM probably need a test/investigation too.
>
> Happy to help if I can.
>
> Thanks for clarifying
>> Lukas
>>
>> On Sun, Mar 14, 2021 at 12:42 AM Daniel Black  wrote:
>>
>>>
>>> This was relaxed in
>>> https://github.com/MariaDB/server/commit/27e6fd9a5968 where the setuid
>>> is only tried if mariadbd --user is specified.
>>>
>>> This isn't the case with systemd service files (which set the user)
>>> https://github.com/MariaDB/server/blob/10.5/support-files/mariadb.service.in#L50
>>> where
>>> the CAP_IPC_LOCK capability gives the user the memlock rather than
>>> setuid.
>>>
>>> So maybe it is safe to drop the mysqld_t setgid setuid from the policy
>>> for the common case of a user running systemd service which also works if
>>> they are using memlock.
>>>
>>> While we are looking at the list, assuming sys_resource maps to
>>

Re: [Maria-discuss] Why does MariaDB needs SELinux capability for setuid/setgid?

2021-03-15 Thread Lukas Javorsky

So IIRC, we don't need the setuid/setgid capability in Fedora/RHEL OS
because we use systemd services right?

Thanks for clarifying
Lukas

On Sun, Mar 14, 2021 at 12:42 AM Daniel Black  wrote:

>
> This was relaxed in https://github.com/MariaDB/server/commit/27e6fd9a5968
> where the setuid is only tried if mariadbd --user is specified.
>
> This isn't the case with systemd service files (which set the user)
> https://github.com/MariaDB/server/blob/10.5/support-files/mariadb.service.in#L50
> where
> the CAP_IPC_LOCK capability gives the user the memlock rather than setuid.
>
> So maybe it is safe to drop the mysqld_t setgid setuid from the policy for
> the common case of a user running systemd service which also works if they
> are using memlock.
>
> While we are looking at the list, assuming sys_resource maps to
> CAP_SYS_RESOURCE that would only be raising the rlimit nofile, which is
> done in the systemd service.
> in the server code this is capped anyway -
> https://github.com/MariaDB/server/blob/10.5/mysys/my_file.c#L42
>
> sys_nice - seems to be related to a innodb setpriority(PRIO_PROCESS, tid,
> -20), which isn't fatal if it doesn't succeed. no other CAP_SYS_NICE are
> used.
> Maybe we should have
> https://www.freedesktop.org/software/systemd/man/systemd.exec.html#LimitNICE=
> instead. Advice welcome.
>
> allow mysqld_t self:shm create_shm_perms - not required in 10.5+ - shm no
> longer used for large pages - anon mmap is used.
>
> rw_fifo_file_perms - one test case created a fifo -
> mysql-test/main/log_errchk.test, the server has some code to handle if log
> files externally created are fifos, but it doesn't create them itself.
> galera code mentions fifo's a lot, however its an internal structure.
> Script
> https://github.com/MariaDB/server/blob/10.5/scripts/wsrep_sst_mariabackup.sh#L454
> mentios fifos, however this
> appears to just be using pv to rate limit.
>
> https://github.com/MariaDB/server/pull/1553 is probably needed too.
>
> I see
> https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/contrib/mysql.te#L106
> probably covers https://github.com/MariaDB/server/pull/1131.
>
>
>
>
> On Fri, Mar 12, 2021 at 10:14 PM Sergei Golubchik 
> wrote:
>
>> Hi, Lukas!
>>
>> > I found that setuid/setgid is used inside mysqld_safe_helper
>> > (mariadbd-safe-helper).
>> > Are there any other cases when MariaDB uses these functions?
>>
>> Yes, in the server. If the server is started with --memlock it does
>>
>>   mlockall(MCL_CURRENT)
>>
>> to prevent itself from being swapped. This needs root, and the server
>> uses setuid/setgid to drop root privileges after mlockall.
>>
>> Regards,
>> Sergei
>> VP of MariaDB Server Engineering
>> and secur...@mariadb.org
>>
>> ___
>> Mailing list: https://launchpad.net/~maria-discuss
>> Post to : maria-discuss@lists.launchpad.net
>> Unsubscribe : https://launchpad.net/~maria-discuss
>> More help   : https://help.launchpad.net/ListHelp
>>
>

-- 
S pozdravom/ Best regards

Lukáš Javorský

Associate Software Engineer, Core service - Databases

Red Hat 

Purkyňova 115 (TPB-C)

612 00 Brno - Královo Pole

ljavo...@redhat.com

___
Mailing list: https://launchpad.net/~maria-discuss
Post to : maria-discuss@lists.launchpad.net
Unsubscribe : https://launchpad.net/~maria-discuss
More help   : https://help.launchpad.net/ListHelp

[Maria-discuss] Why does MariaDB needs SELinux capability for setuid/setgid?

2021-03-12 Thread Lukas Javorsky

Hi guys,

I'm looking into SELinux in Fedora's MariaDB package and I can see that we
have two types in MariaDB that have setuid/setgid capability.

1st:
https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/contrib/mysql.te#L70

2nd:
https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/contrib/mysql.te#L199

My question is, does mysqld_t need to have this capability?

I found that setuid/setgid is used inside mysqld_safe_helper
(mariadbd-safe-helper).
Are there any other cases when MariaDB uses these functions?

Thank you for letting me know
Lukas

-- 
S pozdravom/ Best regards

Lukáš Javorský

Associate Software Engineer, Core service - Databases

Red Hat 

Purkyňova 115 (TPB-C)

612 00 Brno - Královo Pole

ljavo...@redhat.com

___
Mailing list: https://launchpad.net/~maria-discuss
Post to : maria-discuss@lists.launchpad.net
Unsubscribe : https://launchpad.net/~maria-discuss
More help   : https://help.launchpad.net/ListHelp

Re: [Maria-discuss] How can I separate one test from mysql_test

Re: [Maria-discuss] How can I separate one test from mysql_test

Re: [Maria-discuss] How can I separate one test from mysql_test

Re: [Maria-discuss] How can I separate one test from mysql_test

[Maria-discuss] How can I separate one test from mysql_test

[Maria-discuss] OpenSSL 3.0 support

Re: [Maria-discuss] Is it possible to upgrade SHA-1 and MD5 algorithms in Mariadb-10.5?

Re: [Maria-discuss] Is it possible to upgrade SHA-1 and MD5 algorithms in Mariadb-10.5?

[Maria-discuss] Is it possible to upgrade SHA-1 and MD5 algorithms in Mariadb-10.5?

Re: [Maria-discuss] Why does MariaDB needs SELinux capability for setuid/setgid?

Re: [Maria-discuss] Why does MariaDB needs SELinux capability for setuid/setgid?

[Maria-discuss] Why does MariaDB needs SELinux capability for setuid/setgid?

12 matches

Site Navigation

Mail list logo

Footer information