From df7e52814d8d578a948e8e7b15404e982971e5d1 Mon Sep 17 00:00:00 2001 From: Izorkin Date: Thu, 14 May 2020 20:29:59 +0300 Subject: [PATCH 1/3] nixos/mysql: enable sandbox mode --- nixos/doc/manual/release-notes/rl-2009.xml | 16 ++++++++++ nixos/modules/services/databases/mysql.nix | 35 ++++++++++++++++++---- 2 files changed, 46 insertions(+), 5 deletions(-) diff --git a/nixos/doc/manual/release-notes/rl-2009.xml b/nixos/doc/manual/release-notes/rl-2009.xml index 8bf9c16e6f8a..a7bf189c417c 100644 --- a/nixos/doc/manual/release-notes/rl-2009.xml +++ b/nixos/doc/manual/release-notes/rl-2009.xml @@ -89,6 +89,22 @@ services.mysql.initialScript = pkgs.writeText "mariadb-init.sql" '' When MariaDB data directory is just upgraded (not initialized), the users are not created or modified. + + + MySQL server is now started with additional systemd sandbox/hardening options for better security. The PrivateTmp, ProtectHome, and ProtectSystem options + may be problematic when MySQL is attempting to read from or write to your filesystem anywhere outside of its own state directory, for example when + calling LOAD DATA INFILE or SELECT * INTO OUTFILE. In this scenario a variant of the following may be required: + - allow MySQL to read from /home and /tmp directories when using LOAD DATA INFILE + +systemd.services.mysql.serviceConfig.ProtectHome = lib.mkForce "read-only"; + + - allow MySQL to write to custom folder /var/data when using SELECT * INTO OUTFILE, assuming the mysql user has write + access to /var/data + +systemd.services.mysql.serviceConfig.ReadWritePaths = [ "/var/data" ]; + + + diff --git a/nixos/modules/services/databases/mysql.nix b/nixos/modules/services/databases/mysql.nix index 51885881cf73..0052094697b2 100644 --- a/nixos/modules/services/databases/mysql.nix +++ b/nixos/modules/services/databases/mysql.nix @@ -367,11 +367,7 @@ in ''; serviceConfig = { - User = cfg.user; - Group = "mysql"; Type = if hasNotify then "notify" else "simple"; - RuntimeDirectory = "mysqld"; - RuntimeDirectoryMode = "0755"; Restart = "on-abort"; RestartSec = "5s"; # The last two environment variables are used for starting Galera clusters @@ -452,7 +448,7 @@ in cat ${toString cfg.initialScript} | ${mysql}/bin/mysql -u root -N ''} - rm /tmp/mysql_init + rm ${cfg.dataDir}/mysql_init fi ${optionalString (cfg.ensureDatabases != []) '' @@ -476,6 +472,35 @@ in # ensureDatbases & ensureUsers depends on this script being run as root # when the user has secured their mysql install "+${setupScript}"; + # User and group + User = cfg.user; + Group = "mysql"; + # Runtime directory and mode + RuntimeDirectory = "mysqld"; + RuntimeDirectoryMode = "0755"; + # Access write directories + ReadWritePaths = [ cfg.dataDir ]; + # Capabilities + CapabilityBoundingSet = ""; + # Security + NoNewPrivileges = true; + # Sandboxing + ProtectSystem = "strict"; + ProtectHome = true; + PrivateTmp = true; + PrivateDevices = true; + ProtectHostname = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectControlGroups = true; + RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]; + LockPersonality = true; + MemoryDenyWriteExecute = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + PrivateMounts = true; + # System Call Filtering + SystemCallArchitectures = "native"; }; }; From a9d5f088b56c80e32ae7cdaaa4391b19e82fe6fc Mon Sep 17 00:00:00 2001 From: Izorkin Date: Thu, 14 May 2020 20:32:19 +0300 Subject: [PATCH 2/3] nixos/mysql: update tmpfiles rules --- nixos/modules/services/databases/mysql.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/nixos/modules/services/databases/mysql.nix b/nixos/modules/services/databases/mysql.nix index 0052094697b2..1caedf1fc5fb 100644 --- a/nixos/modules/services/databases/mysql.nix +++ b/nixos/modules/services/databases/mysql.nix @@ -334,7 +334,8 @@ in environment.etc."my.cnf".source = cfg.configFile; systemd.tmpfiles.rules = [ - "d '${cfg.dataDir}' 0700 ${cfg.user} mysql -" + "d '${cfg.dataDir}' 0700 ${cfg.user} mysql - -" + "z '${cfg.dataDir}' 0700 ${cfg.user} mysql - -" ]; systemd.services.mysql = let From eed170d9ab643424d0771b6b4fea771e138e901b Mon Sep 17 00:00:00 2001 From: Izorkin Date: Thu, 14 May 2020 20:34:14 +0300 Subject: [PATCH 3/3] nixos/mysql: fix init databases on first start in sandbox mode --- nixos/modules/services/databases/mysql.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/nixos/modules/services/databases/mysql.nix b/nixos/modules/services/databases/mysql.nix index 1caedf1fc5fb..2e8c5b7640b2 100644 --- a/nixos/modules/services/databases/mysql.nix +++ b/nixos/modules/services/databases/mysql.nix @@ -358,12 +358,12 @@ in preStart = if isMariaDB then '' if ! test -e ${cfg.dataDir}/mysql; then ${mysql}/bin/mysql_install_db --defaults-file=/etc/my.cnf ${mysqldOptions} - touch /tmp/mysql_init + touch ${cfg.dataDir}/mysql_init fi '' else '' if ! test -e ${cfg.dataDir}/mysql; then ${mysql}/bin/mysqld --defaults-file=/etc/my.cnf ${mysqldOptions} --initialize-insecure - touch /tmp/mysql_init + touch ${cfg.dataDir}/mysql_init fi ''; @@ -395,7 +395,7 @@ in done ''} - if [ -f /tmp/mysql_init ] + if [ -f ${cfg.dataDir}/mysql_init ] then ${concatMapStrings (database: '' # Create initial databases