s.sujatha authored
BINARY LOG TO WORLD

Problem:
If binary logs are streamed from a remote server with mysqlbinlog, by default they are written with more privileges than their origin (660 vs 664). This allows world to read the binary logs, which is not possible on MySQL binary logs.

Analysis:
In MySQL server, the process's UMASK is set to 0006; this causes the server side binary logs to be created with file permission 660. Server side umask is calculated as shown below.

umask(((~my_umask) & 0666)).

my_umask           = 660 (110 110 000)
~my_umask          = 001 001 111
066 in binary      = 000 110 110
(~my_umask) & 0666 = 000 000 110 --> umask(006).

If user specified mode_t=660. umask= 006. Final file permissions are mode_t & (~umask).

mode_t in binary   = 110 110 000
umask in binary    = 000 000 110
~umask             = 111 111 001
mode_t & (~umask)  = 110 110 000 (660)

Whereas the mysqlbinlog client tool does not have any umask set for itself. Hence it depends on the current system terminal's umask, i.e. if the umask is 002, files are getting created with 664 permission.

Fix:
The client mysqlbinlog tool should be made independent of the system's terminal umask. Hence a umask similar to the server's has been added.
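The following C program is an added illustration of the umask arithmetic in the commit message, not code from the commit or from MySQL. The function names `mask_for` and `perms_created_under`, the scratch path under `/tmp`, and the assumption that the client requests mode 0666 when creating the file are all hypothetical choices made for the demonstration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Mask derived from the wanted create mode, using the formula quoted in
 * the commit message: (~my_umask) & 0666. */
static mode_t mask_for(mode_t create_mode) {
    return (mode_t)(~create_mode) & 0666;
}

/* Create a scratch file asking for `requested` bits while `mask` is the
 * process umask. Returns the permission bits actually granted, or
 * (mode_t)-1 on error. The previous umask is restored before returning. */
static mode_t perms_created_under(mode_t mask, mode_t requested) {
    char path[64];            /* constructed scratch path, not a real binlog */
    struct stat st;
    mode_t result = (mode_t)-1;

    snprintf(path, sizeof path, "/tmp/umask_demo_%ld.000001", (long)getpid());

    mode_t saved = umask(mask);
    /* O_EXCL refuses to reuse an existing file or follow a planted symlink. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, requested);
    umask(saved);

    if (fd < 0) return result;
    if (fstat(fd, &st) == 0) result = st.st_mode & 0777;
    close(fd);
    unlink(path);
    return result;
}

int main(void) {
    /* Assumption: the client asks for 0666 and relies on the umask. */
    printf("inherited shell umask 002 -> %03o\n",
           (unsigned)perms_created_under(0002, 0666));
    printf("server-style umask %03o    -> %03o\n",
           (unsigned)mask_for(0660),
           (unsigned)perms_created_under(mask_for(0660), 0666));
    return 0;
}
```

On a host that stores streamed binary logs, `find <backup-dir> -perm -o+r` lists any files that were written before the client set its own umask.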