[Bug 244406] Re: File load data infile'file-name' fails

Alex Beels arbeels-ossf at yahoo.com
Fri Sep 10 04:22:37 BST 2010


A more complete solution:

1. Pick a directory from which mysqld should be allowed to load files.
Perhaps somewhere writable only by your DBA account and readable only by
members of group mysql?

2. sudo aa-complain /usr/sbin/mysqld

3. Try to load a file from your designated loading directory: 'load data
infile '/var/opt/mysql-load/import.csv' into table ...'

4. sudo aa-logprof

aa-logprof will identify the access violation triggered by the 'load
data infile ...' query, and interactively walk you through allowing
access in the future.  You probably want to choose Glob from the menu,
so that you end up with read access to '/var/opt/mysql-load/*'.  Once
you have selected the right (glob) pattern, choose Allow from the menu
to finish up.  (N.B. Do *not* enable the repository when prompted to do
so the first time you run aa-logprof, unless you really understand the
whole apparmor process.)

5. sudo aa-enforce /usr/sbin/mysqld

6. Try to load your file again.  It should work this time.

There are some advantages to this approach:

John's workaround keeps apparmor disabled for mysqld globally.  That is
overkill, and should be a security problem.  (Everything in your LAMP
stack should be tied down as securely as possible, because it is exposed
to the outside world and will be attacked.  This is surely the reason
why mysqld is restricted via apparmor in the first place.  Of course,
MySQL has uses outside of LAMP, but we're talking about policy here, not
individual installations.)

The alternative (that I was using before I found this page and learned
about apparmor) is to always load from somewhere in /var/lib/mysql/,
where mysql has read privileges.  This is not ideal either, because it
corrupts a directory that should be managed entirely by mysql and dpkg,
and it requires root privileges to queue up a data file for loading.
With the apparmor exception described above, your DBA does not need to
be granted any special privileges.

Comments, anyone?  I'm a newbie to both MySQL and apparmor, so
corrections are welcome...

-- 
 File load data infile'file-name' fails
https://bugs.launchpad.net/bugs/244406
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to mysql-dfsg-5.0 in ubuntu.
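
An added example, not part of the original message: a shell check that the rule left behind by the Glob/Allow step in aa-logprof grants mysqld read access only under the load directory, and that the directory from step 1 is not open to other users. The function names and the sample profile are constructed for illustration; the script assumes rules in the "path perms," form and GNU stat.

```shell
#!/bin/sh
# Constructed sample of a mysqld profile after the Glob/Allow step.
sample_profile() {
cat <<'EOF'
/usr/sbin/mysqld {
  /var/lib/mysql/ r,
  /var/lib/mysql/** rwk,
  # constructed: rule for the load directory
  /var/opt/mysql-load/* r,
}
EOF
}

# check_load_rule PROFILE DIR
# Succeeds only if PROFILE has a read rule for a path under DIR and no
# allow rule under DIR that grants write, append, link or execute.
# Only rules whose path starts with DIR are examined.
check_load_rule() {
    awk -v dir="${2%/}/" '
        { sub(/#.*/, "") }                      # ignore comments
        {
            deny = 0
            for (i = 1; i < NF; i++) {
                if ($i == "deny") deny = 1
                if (index($i, dir) == 1) {      # file rule under dir
                    perms = $(i + 1); sub(/,$/, "", perms)
                    if (deny) break             # deny rules grant nothing
                    if (perms ~ /[walx]/) { print "too broad: " $0; bad = 1 }
                    else if (perms ~ /r/) { print "read rule: " $0; ok = 1 }
                    break
                }
            }
        }
        END { exit (ok && !bad) ? 0 : 1 }
    ' "$1"
}

# check_load_dir DIR
# Succeeds if DIR is not group-writable and gives "other" no access.
check_load_dir() {
    mode=$(stat -c '%a' "$1") || return 2
    other=$((mode % 10)); group=$((mode / 10 % 10))
    [ "$other" -eq 0 ] && [ $((group & 2)) -eq 0 ]
}

# Demo on the constructed profile.
tmp=$(mktemp)
sample_profile > "$tmp"
check_load_rule "$tmp" /var/opt/mysql-load && echo "load rule is read-only"
rm -f "$tmp"
```

On a real system, point check_load_rule at the installed mysqld profile after step 5 and check_load_dir at the directory chosen in step 1.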


