Bug 200741 - emerge --config =dev-db/mysql-5.0.44-r2 doesn't work with hardened toolchain
Status: RESOLVED WORKSFORME
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened
Hardware: All Linux
Importance: High normal
Assignee: The Gentoo Linux Hardened Team
Reported: 2007-11-29 13:26 UTC by Timo Antweiler
Modified: 2007-12-14 20:31 UTC

Attachments
emerge --info (emerge-info,3.08 KB, text/plain)
2007-12-06 21:38 UTC, Christian Hoffmann (RETIRED)
kernel .config (for PaX-related settings) (kernel.config,31.50 KB, text/plain)
2007-12-06 21:39 UTC, Christian Hoffmann (RETIRED)

Description Timo Antweiler 2007-11-29 13:26:38 UTC
I'm trying to install the latest MySQL version, 5.0.44-r2. I changed my profile to a hardened profile and did an "emerge world -uDN" after it so that gcc, glibc etc. will be built with the hardened USE flag. After upgrading with the hardened profile it is not possible to configure MySQL with "emerge --config =dev-db/mysql-5.0.44-r2".

Error message:

timotest ~ # emerge --config =dev-db/mysql-5.0.44-r2


Configuring pkg...

 * MySQL MY_DATADIR is /var/lib/mysql
 * Previous datadir found, it's YOUR job to change
 * ownership and take care of it
 * Creating the mysql database and setting proper
 * permissions on it ...
 * Insert a password for the mysql 'root' user
 * Avoid ["'\_%] characters in the password
    >
 * Retype the password
    >
 *
 * ERROR: dev-db/mysql-5.0.44-r2 failed.
 * Call stack:
 *      ebuild.sh, line 1682:  Called qa_call 'pkg_config'
 *      ebuild.sh, line   44:  Called pkg_config
 *      ebuild.sh, line 1383:  Called mysql_pkg_config
 *   mysql.eclass, line  828:  Called die
 * The specific snippet of code:
 *      [[ -f "${ROOT}/${MY_DATADIR}/mysql/user.frm" ]] \
 *      || die "MySQL databases not installed"
 *  The die message:
 *   MySQL databases not installed
 *
 * If you need support, post the topmost build error, and the call stack if relevant.
 * A complete build log is located at '/var/tmp/portage/dev-db/mysql-5.0.44-r2/temp/build.log'.
 * This ebuild is from an overlay: '/var/db/pkg/'
 *



When I change back to default-linux profile it works without any problems!

Reproducible: Always

Steps to Reproduce:
1. Change to hardened profile
2. emerge mysql
3. emerge --config =dev-db/mysql-5.0.44-r2

Actual Results:  
Wasn't able to configure mysql.

Expected Results:  
Configure mysql, set root password etc.
Comment 1 Christian Hoffmann (RETIRED) gentoo-dev 2007-12-06 20:28:46 UTC
I'm affected by this problem, too. I tracked it down a bit further and got a relatively short reproduction case:

(echo "use mysql;"; head -n7 /usr/share/mysql/mysql_system_tables.sql) | /usr/sbin/mysqld --bootstrap --basedir=/usr --datadir=/var/lib/mysql --skip-innodb --skip-bdb --user=mysql
Killed

(a very similar line is used in the /usr/bin/mysql_install_db script which is called by emerge --config mysql)

I have no idea how to track that down any further. No dmesg messages (I would have expected some PaX-related stuff), the problem doesn't seem to be reproducible in gdb (or I'm doing something wrong).
Any pointers would be much appreciated. =)

Also CCing mysql as they are very likely to be interested in this bug (and bug activity shows that they've never been CCed).
Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2007-12-06 21:09:23 UTC
Speaking for mysql-bugs, it doesn't break on the hardened machines (plural) where I use it, and you've provided very little information about your system, so I can't see why your system is broken.
Comment 3 Christian Hoffmann (RETIRED) gentoo-dev 2007-12-06 21:38:42 UTC
Created attachment 137903 [details]
emerge --info
Comment 4 Christian Hoffmann (RETIRED) gentoo-dev 2007-12-06 21:39:29 UTC
Created attachment 137904 [details]
kernel .config (for PaX-related settings)
Comment 5 Christian Hoffmann (RETIRED) gentoo-dev 2007-12-06 21:40:19 UTC
Sorry for not providing all necessary details in the first place... :/
Comment 6 Christian Hoffmann (RETIRED) gentoo-dev 2007-12-06 22:07:12 UTC
Some updates...
I tried copying a clean /var/lib/mysql to the hardened server which seemed to work, but then trying to do real work (import a mysql dump) MySQL got SIGKILLed again.

Also, I noticed some dmesg messages which seemed to happen while compiling MySQL:
grsec: From <myip>: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /var/tmp/portage/dev-db/mysql-5.0.44-r2/work/mysql/dbug/factorial[factorial:9736] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:9734] uid/euid:0/0 gid/egid:0/0
factorial[9743]: segfault at 00021609 eip 1754d2a5 esp 59980850 error 4
grsec: From <myip>: signal 11 sent to /var/tmp/portage/dev-db/mysql-5.0.44-r2/work/mysql/dbug/factorial[factorial:9743] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:9742] uid/euid:0/0 gid/egid:0/0
grsec: more alerts, logging disabled for 10 seconds
factorial[9740]: segfault at 00021b89 eip 108802a5 esp 587c8c30 error 4
factorial[9746]: segfault at 000218c9 eip 17fe82a5 esp 591632c0 error 4

I'm trying to compile MySQL with vanilla gcc now, as it was suggested at http://boardreader.com/t/Cluster_580836/Mysql_Cluster_crashing_on_startphase_5_183131.html
Comment 7 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2007-12-06 22:26:54 UTC
Factorial is MEANT to die. It's part of mysql's traceback generation suite.

Here's the kernel stuff from the infra hardened box where MySQL works fine (they appear to be very similar to yours, with only logging differing):
# zcat /proc/config.gz |egrep 'CONFIG_GRKERN|CONFIG_PAX'
CONFIG_PAX=y
# CONFIG_PAX_SOFTMODE is not set
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
# CONFIG_PAX_NO_ACL_FLAGS is not set
CONFIG_PAX_HAVE_ACL_FLAGS=y
# CONFIG_PAX_HOOK_ACL_FLAGS is not set
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_NOELFRELOCS is not set
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
# CONFIG_PAX_MEMORY_SANITIZE is not set
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_LOW is not set
# CONFIG_GRKERNSEC_MEDIUM is not set
# CONFIG_GRKERNSEC_HIGH is not set
CONFIG_GRKERNSEC_CUSTOM=y
CONFIG_GRKERNSEC_KMEM=y
CONFIG_GRKERNSEC_IO=y
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_MODSTOP=y
CONFIG_GRKERNSEC_HIDESYM=y
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30
CONFIG_GRKERNSEC_PROC=y
# CONFIG_GRKERNSEC_PROC_USER is not set
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_GID=10
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
CONFIG_GRKERNSEC_EXECLOG=y
CONFIG_GRKERNSEC_RESLOG=y
CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
CONFIG_GRKERNSEC_AUDIT_CHDIR=y
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
CONFIG_GRKERNSEC_AUDIT_IPC=y
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
# CONFIG_GRKERNSEC_AUDIT_TEXTREL is not set
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_SHM=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_RANDPID=y
CONFIG_GRKERNSEC_TPE=y
CONFIG_GRKERNSEC_TPE_ALL=y
CONFIG_GRKERNSEC_TPE_INVERT=y
CONFIG_GRKERNSEC_TPE_GID=100
CONFIG_GRKERNSEC_RANDNET=y
# CONFIG_GRKERNSEC_SOCKET is not set
CONFIG_GRKERNSEC_SYSCTL=y
# CONFIG_GRKERNSEC_SYSCTL_ON is not set
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4
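Added example, not part of the comment above or of any Gentoo tooling: a shell helper that does the config comparison from that comment mechanically, listing only the CONFIG_PAX*/CONFIG_GRKERN* options whose values differ between two kernel configs. The function names and both sample configs are constructed for illustration; for a running kernel, dump /proc/config.gz to a file with zcat first.

```shell
# Added example (not from the bug report): diff PaX/grsecurity kernel options.
# Reduce a config to "OPTION value" lines for CONFIG_PAX*/CONFIG_GRKERN* only.
# "# CONFIG_X is not set" becomes "CONFIG_X n" so unset options compare too.
hardening_opts() {
    grep -E '^(CONFIG_(PAX|GRKERN)[A-Za-z0-9_]*=|# CONFIG_(PAX|GRKERN)[A-Za-z0-9_]* is not set$)' "$1" |
        sed -e 's/^# \(CONFIG_[A-Za-z0-9_]*\) is not set$/\1 n/' -e 's/=/ /'
}

# Print "OPTION value_in_first value_in_second" for every option that differs;
# an option missing from one file is shown as "absent".
diff_hardening() {
    {
        hardening_opts "$1" | sed 's/^/A /'
        hardening_opts "$2" | sed 's/^/B /'
    } | awk '
        { seen[$2] = 1 }
        $1 == "A" { a[$2] = $3 }
        $1 == "B" { b[$2] = $3 }
        END {
            for (k in seen) {
                va = (k in a) ? a[k] : "absent"
                vb = (k in b) ? b[k] : "absent"
                if (va != vb) print k, va, vb
            }
        }' | LC_ALL=C sort
}

# Constructed samples: a subset of the options quoted above vs. a made-up host.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/working" <<'EOF'
CONFIG_PAX=y
# CONFIG_PAX_SOFTMODE is not set
CONFIG_PAX_MPROTECT=y
CONFIG_GRKERNSEC_RESLOG=y
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_MODULES=y
EOF
    cat > "$tmp/other" <<'EOF'
CONFIG_PAX=y
CONFIG_PAX_SOFTMODE=y
CONFIG_PAX_MPROTECT=y
# CONFIG_GRKERNSEC_RESLOG is not set
EOF
    diff_hardening "$tmp/working" "$tmp/other"
    rm -rf "$tmp"
}

demo
```

An empty result means the two hosts have the same PaX/grsecurity build-time settings, so the difference has to be looked for elsewhere (toolchain, CFLAGS, runtime flags on the binary).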
Comment 8 vierito5 2007-12-09 23:42:23 UTC
I have the same problem with mysql.

It's a fresh hardened install. No previous DBs were installed. I think it must not be a kernel problem because I still have all PaX/GRSec disabled.
Comment 9 Timo Antweiler 2007-12-10 11:39:04 UTC
emerge --info:

Portage 2.1.3.19 (hardened/x86/2.6, gcc-3.4.6, glibc-2.6.1-r0, 2.6.22-gentoo-r9 i686)
=================================================================
System uname: 2.6.22-gentoo-r9 i686 Intel(R) Xeon(TM) CPU 2.80GHz
Timestamp of tree: Mon, 10 Dec 2007 07:16:01 +0000
app-shells/bash:     3.2_p17
dev-lang/python:     2.4.4-r6
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.9-r2
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.61-r1
sys-devel/automake:  1.10
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.24
virtual/os-headers:  2.6.22-r2
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=pentium4 -fomit-frame-pointer -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-O2 -march=pentium4 -fomit-frame-pointer -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks metadata-transfer sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://mirrors.sec.informatik.tu-darmstadt.de/gentoo"
LANG="en_US.UTF-8"
LC_ALL="en_US.UTF-8"
LINGUAS="de"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync1.de.gentoo.org/gentoo-portage"
USE="acl acpi apache2 bash-completion berkdb bzip2 cgi clamav cli cracklib crypt ctype ffmpeg fortran ftp gd hardened imagemagick jpeg logrotate midi mmx mysql nagios-dns nagios-game nagios-ntp nagios-ping nagios-ssh ncurses nls nptl nptlonly pam pcre perl php pic png posix python raw readline samba session snmp sse sse2 ssl tcpd tiff unicode unzip urandom x86 xml xmlreader xorg zip zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="mouse keyboard" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="de" USERLAND="GNU" VIDEO_CARDS="radeon"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY


Well, I don't know what has changed since the last updates, but it works right now! I uninstalled mysql and reinstalled it afterwards. (I did that several times, changed the profile from hardened to default, from default to hardened etc.). Another thing I changed was the optimization level in the CFLAGS settings from -O3 to -O2. Maybe this also helped to get it working. The posted emerge --info is now the running system and it works with these settings. Whether the solution was the CFLAGS settings or an update of one package, I don't really know.
Comment 10 solar (RETIRED) gentoo-dev 2007-12-14 20:31:38 UTC
This works for me as well.