diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-04 18:04:23 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-04 18:04:23 +0000 |
commit | 9a6158e391576f265fbd7d0da2778ecad1dbecd5 (patch) | |
tree | 1409a92dae3e99541a9283fed1d0409adb033557 /debian/mariadb-server-10.6.postinst | |
parent | Adding upstream version 1:10.6.11. (diff) | |
download | mariadb-10.6-9a6158e391576f265fbd7d0da2778ecad1dbecd5.tar.xz mariadb-10.6-9a6158e391576f265fbd7d0da2778ecad1dbecd5.zip |
Adding debian version 1:10.6.11-2.debian/1%10.6.11-2debian
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'debian/mariadb-server-10.6.postinst')
-rw-r--r-- | debian/mariadb-server-10.6.postinst | 273 |
1 files changed, 273 insertions, 0 deletions
diff --git a/debian/mariadb-server-10.6.postinst b/debian/mariadb-server-10.6.postinst new file mode 100644 index 00000000..c9c5f7f7 --- /dev/null +++ b/debian/mariadb-server-10.6.postinst @@ -0,0 +1,273 @@ +#!/bin/bash +set -e + +. /usr/share/debconf/confmodule + +# Automatically set version to ease maintenance of this file +MAJOR_VER="${DPKG_MAINTSCRIPT_PACKAGE#mariadb-server-}" + +if [ -n "$DEBIAN_SCRIPT_DEBUG" ]; then set -v -x; DEBIAN_SCRIPT_TRACE=1; fi +${DEBIAN_SCRIPT_TRACE:+ echo "#42#DEBUG# RUNNING $0 $*" 1>&2 } + +export PATH=$PATH:/sbin:/usr/sbin:/bin:/usr/bin + +# This command can be used as pipe to syslog. With "-s" it also logs to stderr. +ERR_LOGGER="logger -p daemon.err -t mariadb-server-$MAJOR_VER.postinst -i" +# Specify syslog tag name so it is clear the entry came from this postinst script. +# This will make an error in a logged command immediately apparent by aborting +# the install, rather than failing silently and leaving a broken install. +set -o pipefail + +case "$1" in + configure) + # This is needed because mysql_install_db removes the pid file in /run + # and because changed configuration options should take effect immediately. + # In case the server wasn't running at all it should be ok if the stop + # script fails. I can't tell at this point because of the cleaned /run. + set +e; invoke-rc.d mariadb stop; set -e + + # An existing /etc/init.d/mysql might be on the system if there was a + # previous MySQL or MariaDB installation, since /etc/init.d files are + # considered config files and stay around even after the package is removed. + # + # The install step of this package adds a new /etc/init.d/mariadb file. As + # we also want to ensure that there are no old (and potentially outdated) + # versions of /etc/init.d/mysql we simply replace it using a copy of the + # latest 'mariadb' file. This has also the added benefit that anything that + # invokes traditional sysv init with either 'mysql' or 'mariadb' will end up + # controlling this newly installed MariaDB, and thus we maintain better + # backwards compatibility. + # + # Note that the 'Provides' line is also updated to avoid 'insserv' exiting + # on failure (when it is run by update-rc.d) because of duplicate service + # names. + if [ -f "/etc/init.d/mysql" ] && [ -f "/etc/init.d/mariadb" ] + then + # Copy init file and rename the service name and filename on the fly + sed 's/Provides: mariadb/Provides: mysql/g' /etc/init.d/mariadb > /etc/init.d/mysql + # NOTE: Number of spaces/tabs is important here! + # Confirm if the sed worked + if ! grep --quiet "Provides: mysql" /etc/init.d/mysql + then + # If not, then delete the file to avoid failures later on + rm -f /etc/init.d/mysql + echo "Warning! Failed creating a mysql named copy of mariadb init.d file" + fi + fi + + mysql_statedir=/usr/share/mysql + mysql_datadir=/var/lib/mysql + mysql_logdir=/var/log/mysql + mysql_cfgdir=/etc/mysql + mysql_upgradedir=/var/lib/mysql-upgrade + + # If the following symlink exists, it is a preserved copy the old data dir + # created by the preinst script during a upgrade that would have otherwise + # been replaced by an empty mysql dir. This should restore it. + for dir in DATADIR LOGDIR; do + + if [ "$dir" = "DATADIR" ]; then + targetdir=$mysql_datadir + else + targetdir=$mysql_logdir + fi + + savelink="$mysql_upgradedir/$dir.link" + if [ -L "$savelink" ]; then + # If the targetdir was a symlink before we upgraded it is supposed + # to be either still be present or not existing anymore now. + if [ -L "$targetdir" ]; then + rm "$savelink" + elif [ ! -d "$targetdir" ]; then + mv "$savelink" "$targetdir" + else + # this should never even happen, but just in case... + mysql_tmp=$(mktemp -d -t mysql-symlink-restore-XXXXXX) + echo "this is very strange! see $mysql_tmp/README..." >&2 + mv "$targetdir" "$mysql_tmp" + cat << EOF > "$mysql_tmp/README" + +If you're reading this, it's most likely because you had replaced /var/lib/mysql +with a symlink, then upgraded to a new version of mysql, and then dpkg +removed your symlink (see #182747 and others). The mysql packages noticed +that this happened, and as a workaround have restored it. However, because +/var/lib/mysql seems to have been re-created in the meantime, and because +we don't want to rm -rf something we don't know as much about, we are going +to leave this unexpected directory here. If your database looks normal, +and this is not a symlink to your database, you should be able to blow +this all away. + +EOF + fi + fi + rmdir $mysql_upgradedir 2>/dev/null || true + + done + + # Upgrading from mysql.com needs might have the root user as auth_socket. + # auto.cnf is a sign of a mysql install, that doesn't exist in mariadb. + # We use lsof to protect against concurrent access by mysqld (mariadb has + # its own projection). We make sure we're not doing this on a MySQL-8.0 + # directory. + # This direct update is needed to enable an authentication mechanism to + # perform mariadb-upgrade, (MDEV-22678). To keep the impact minimal, we + # skip innodb and set key-buffer-size to 0 as it isn't reused. + if [ -f "$mysql_datadir"/auto.cnf ] && [ -f "$mysql_datadir"/mysql/user.MYD ] && + [ ! lsof -nt "$mysql_datadir"/mysql/user.MYD > /dev/null ] && [ ! -f "$mysql_datadir"/undo_001 ]; then + echo "UPDATE mysql.user SET plugin='unix_socket' WHERE plugin='auth_socket';" | + mariadbd --skip-innodb --key_buffer_size=0 --default-storage-engine=MyISAM --bootstrap 2> /dev/null + fi + + # Ensure the existence and right permissions for the database and + # log files. Use mkdir option 'Z' to create with correct SELinux context. + if [ ! -d "$mysql_statedir" ] && [ ! -L "$mysql_statedir" ]; then mkdir -Z "$mysql_statedir"; fi + if [ ! -d "$mysql_datadir" ] && [ ! -L "$mysql_datadir" ]; then mkdir -Z "$mysql_datadir" ; fi + if [ ! -d "$mysql_logdir" ] && [ ! -L "$mysql_logdir" ]; then mkdir -Z "$mysql_logdir" ; fi + # When creating an ext3 jounal on an already mounted filesystem like e.g. + # /var/lib/mysql, you get a .journal file that is not modifiable by chown. + # The mysql_statedir must not be writable by the mysql user under any + # circumstances as it contains scripts that are executed by root. + set +e + chown -R 0:0 $mysql_statedir + find $mysql_datadir ! -uid "$(id -u mysql)" -print0 | xargs -0 -r chown mysql + chown -R mysql:adm $mysql_logdir + chmod 2750 $mysql_logdir + set -e + + ## Set the correct filesystem ownership for the PAM v2 plugin + # eg. /usr/lib/x86_64-linux-gnu/mysql/plugin/auth_pam_tool_dir/ + # NOTE! This is security sensitive, don't allow for a race condition. + # + # 1. Drop privileges of directory + # -> At this point only root can see and execute auth_pam_tool + chmod 0700 /usr/lib/mysql/plugin/auth_pam_tool_dir + # + # 2. Make binary setuid + # -> At this point only root can run the setuid binary so no escalation here yet + chmod 04755 /usr/lib/mysql/plugin/auth_pam_tool_dir/auth_pam_tool + # + # 3. Allow user 'mysql' to see and execute auth_pam_tool + # -> Now user mysql owns the directory and can see and execute the binary inside + # -> Since the binary is setuid, user mysql gets limited root powers here to + # run the PAM authetications, which need root (e.g. to validate passwords + # against /etc/shadow) + chown mysql /usr/lib/mysql/plugin/auth_pam_tool_dir + + # This is important to avoid dataloss when there is a removed + # mysql-server version from Woody lying around which used the same + # data directory and then somehow gets purged by the admin. + db_set mariadb-server/postrm_remove_database false || true + + # Clean up old flags before setting new one + rm -f $mysql_datadir/debian-*.flag + # Flag data dir to avoid downgrades + touch "$mysql_datadir/debian-$MAJOR_VER.flag" + + # initiate databases. Output is not allowed by debconf :-( + # This will fail if we are upgrading an existing database; in this case + # mysql_upgrade, called from the /etc/init.d/mariadb start script, will + # handle things. + # Debian: beware of the bashisms... + # Debian: can safely run on upgrades with existing databases + set +e + bash /usr/bin/mysql_install_db --rpm --cross-bootstrap --user=mysql \ + --disable-log-bin --skip-test-db 2>&1 | \ + $ERR_LOGGER + set -e + + # On new installations root user can connect via unix_socket. + # But on upgrades, scripts rely on debian-sys-maint user and + # credentials in /etc/mysql/debian.cnf + # All tools use --defaults-file=/etc/mysql/debian.cnf + # And while it's not needed for new installations, we keep using + # --defaults-file option for tools (for the sake of upgrades) + # and thus need /etc/mysql/debian.cnf to exist, even if it's empty. + # In the long run the goal is to obsolete this file. + dc=$mysql_cfgdir/debian.cnf; + if [ ! -d "$mysql_cfgdir" ]; then + install -o 0 -g 0 -m 0755 -d $mysql_cfgdir + fi + if [ ! -e "$dc" ]; then + cat /dev/null > $dc + echo "# THIS FILE IS OBSOLETE. STOP USING IT IF POSSIBLE." >>$dc + echo "# This file exists only for backwards compatibility for" >>$dc + echo "# tools that run '--defaults-file=/etc/mysql/debian.cnf'" >>$dc + echo "# and have root level access to the local filesystem." >>$dc + echo "# With those permissions one can run 'mariadb' directly" >>$dc + echo "# anyway thanks to unix socket authentication and hence" >>$dc + echo "# this file is useless. See package README for more info." >>$dc + echo "[client]" >>$dc + echo "host = localhost" >>$dc + echo "user = root" >>$dc + echo "[mysql_upgrade]" >>$dc + echo "host = localhost" >>$dc + echo "user = root" >>$dc + echo "# THIS FILE WILL BE REMOVED IN A FUTURE DEBIAN RELEASE." >>$dc + fi + # Keep it only root-readable, as it always was + chown 0:0 $dc + chmod 0600 $dc + + # If there is a real AppArmor profile, we reload it. + # If the default empty profile is installed, then we remove any old + # profile that may be loaded. + # This allows upgrade from old versions (that have an apparmor profile + # on by default) to work both to disable a default profile, and to keep + # any profile installed and maintained by users themselves. + profile="/etc/apparmor.d/usr.sbin.mariadbd" + if [ -f "$profile" ] && aa-status --enabled 2>/dev/null; then + if grep -q /usr/sbin/mariadbd "$profile" 2>/dev/null ; then + apparmor_parser -r "$profile" || true + else + echo "/usr/sbin/mariadbd { }" | apparmor_parser --remove 2>/dev/null || true + fi + fi + + # The introduction of /etc/logrotate.d/mariadb has made the old config + # obsolete and it needs to be disabled to prevent logrotate running twice. + if [ -f /etc/logrotate.d/mysql-server ] + then + mv -vf /etc/logrotate.d/mysql-server /etc/logrotate.d/mysql-server.dpkg-bak + fi + ;; + + abort-upgrade|abort-remove|abort-configure) + ;; + + triggered) + if [ -d /run/systemd/system ]; then + systemctl --system daemon-reload + elif [ -x /etc/init.d/mariadb ]; then + invoke-rc.d mariadb restart + fi + ;; + + *) + echo "postinst called with unknown argument '$1'" 1>&2 + exit 1 + ;; +esac + +db_stop # in case invoke fails + +# dh_systemd_start doesn't emit anything since we still ship /etc/init.d/mariadb. +# Thus MariaDB server is started via init.d script, which in turn redirects to +# systemctl. If we upgrade from MySQL mysql.service may be masked, which also +# means init.d script is disabled. Unmask mysql service explicitly. +# Check first that the command exists, to avoid emitting any warning messages. +if [ -x "$(command -v deb-systemd-helper)" ]; then + deb-systemd-helper unmask mysql.service > /dev/null +fi + +#DEBHELPER# + +# Modified dh_systemd_start snippet that's not added automatically +if [ -d /run/systemd/system ]; then + systemctl --system daemon-reload >/dev/null || true + deb-systemd-invoke start mariadb.service >/dev/null || true +# Modified dh_installinit snippet to only run with sysvinit +elif [ -x "/etc/init.d/mariadb" ]; then + if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ]; then + invoke-rc.d mariadb start || exit $? + fi +fi |