automated tests run during build fail due to apparmor protections for mysqld unless build is done in /tmp

Bug #638401 reported by Clint Byrum
This bug affects 1 person
Affects: php5 (Ubuntu)
Status: Fix Released
Importance: High
Assigned to: Clint Byrum
Milestone:

Bug Description

Binary package hint: php5

The automated tests that are run during the build process try to run mysql relative to the build directory.

Because of the apparmor profile, when mysql-server is installed, /usr/sbin/mysqld is only allowed arbitrary access under temp dirs (/tmp, /var/tmp, etc).

Also bug #375371 proposes to go even further and restrict that to a dir owned and only writable by mysql.

Proposed solution is to copy the necessary pieces of mysqld into the build directory and run them as part of the build step. This will prevent the apparmor profile for /usr/sbin/mysqld from being matched, and will allow the proposed security enhancement to go forward.

I have tested this and it seems to work fine on maverick. Will push up a branch when all tests complete.

Thierry Carrez (ttx) wrote :

Clint: is this really about php5? Or about mysql?

Changed in php5 (Ubuntu):
assignee: nobody → Clint Byrum (clint-fewbar)
importance: Undecided → High
status: New → Triaged
Clint Byrum (clint-fewbar) wrote :

This is entirely about php5's build tests not working as we add restrictions in the apparmor profile of mysql.

While it was introduced by a change in mysql's behavior, it is something we'll have to fix in PHP's build process.

Mathias Gug (mathiaz)
Changed in php5 (Ubuntu):
status: Triaged → In Progress
Mathias Gug (mathiaz)
Changed in php5 (Ubuntu):
status: In Progress → Fix Released