MySQL Bugs: #60789: not correct owners and permissions on files

Bug #60789	not correct owners and permissions on files
Submitted:	7 Apr 2011 7:53	Modified:	26 Sep 2011 21:26
Reporter:	Pavel Dobryakov	Email Updates:
Status:	Closed	Impact on me:	None
Category:	MySQL Enterprise Backup Documentation	Severity:	S1 (Critical)
Version:	3.5.2	OS:	Linux
Assigned to:		CPU Architecture:	Any

Description:
I'm testing meb to see the need to purchase a subscription 
i have test server 
show databases; 
+--------------------+ 
| Database | 
+--------------------+ 
| information_schema | 
| kontrollbase | 
| mem | 
| mysql | 
| pmatest | 
| test1 | 
+--------------------+ 

/var/lib/mysql# ls -la 
итого 25692 
drwxrwxrwx 7 mysql mysql 4096 2011-04-07 10:36 . 
drwxr-xr-x 74 root root 4096 2011-03-15 12:27 .. 
-rw-rw---- 1 mysql mysql 10485760 2011-04-07 10:36 ibdata1 
-rw-rw---- 1 mysql mysql 5242880 2011-04-07 10:36 ib_logfile0 
-rw-rw---- 1 mysql mysql 5242880 2011-04-07 10:36 ib_logfile1 
-rw-rw---- 1 mysql mysql 5242880 2011-04-07 10:36 ib_logfile2 
drwx------ 2 mysql mysql 4096 2011-04-07 10:36 kontrollbase 
drwx------ 2 mysql mysql 12288 2011-04-07 10:36 mem 
drwx------ 2 mysql root 4096 2011-04-07 10:36 mysql 
-rw-rw---- 1 mysql mysql 6 2011-04-07 10:35 pavelvdobryakov.pid 
drwx------ 2 mysql mysql 4096 2011-04-07 10:36 pmatest 
drwx------ 2 mysql mysql 4096 2011-04-07 10:36 test1 

then I do a backup of the server: 
mysqlbackup --no-timestamp --ibbackup=/usr/local/bin/ibbackup --slave-info /etc/mysql/my.cnf /home/pavel/backup 
and see in backup folder this: 
/home/pavel/backup# ls -la 
итого 10408 
drwx------ 7 root root 4096 2011-04-07 10:42 . 
drwx------ 73 pavel pavel 24576 2011-04-07 10:42 .. 
-rw-r--r-- 1 root root 292 2011-04-07 10:42 backup-my.cnf 
-rw-r--r-- 1 root root 39 2011-04-07 10:42 ibbackup_binlog_info 
-rw-r--r-- 1 root root 152 2011-04-07 10:42 ibbackup_export_variables.txt 
-rw-r----- 1 root root 4096 2011-04-07 10:42 ibbackup_logfile 
-rw-r--r-- 1 root root 51 2011-04-07 10:42 ibbackup_slave_info 
-rw-r----- 1 root root 10485760 2011-04-07 10:42 ibdata1 
drwxr-x--- 2 root root 4096 2011-04-07 10:42 kontrollbase 
drwxr-x--- 2 root root 28672 2011-04-07 10:42 mem 
drwx------ 2 root root 16384 2011-04-07 10:42 mysql 
drwxr-x--- 2 root root 4096 2011-04-07 10:42 pmatest 
drwxr-x--- 2 root root 4096 2011-04-07 10:42 test1 
already seen that the rights to the files differ 
then i do 
mysqlbackup --apply-log --ibbackup=/usr/local/bin/ibbackup /etc/mysql/my.cnf /home/pavel/backup 
and in the backup dir i see 
/home/pavel/backup# ls -la 
итого 25828 
drwx------ 7 root root 4096 2011-04-07 10:45 . 
drwx------ 73 pavel pavel 24576 2011-04-07 10:42 .. 
-rw-r--r-- 1 root root 292 2011-04-07 10:42 backup-my.cnf 
-rw-r--r-- 1 root root 39 2011-04-07 10:42 ibbackup_binlog_info 
-rw-r--r-- 1 root root 152 2011-04-07 10:42 ibbackup_export_variables.txt 
-rw-r----- 1 root root 4096 2011-04-07 10:42 ibbackup_logfile 
-rw-r--r-- 1 root root 51 2011-04-07 10:42 ibbackup_slave_info 
-rw-r----- 1 root root 10485760 2011-04-07 10:45 ibdata1 
-rw-r----- 1 root root 5242880 2011-04-07 10:45 ib_logfile0 
-rw-r----- 1 root root 5242880 2011-04-07 10:45 ib_logfile1 
-rw-r----- 1 root root 5242880 2011-04-07 10:45 ib_logfile2 
drwxr-x--- 2 root root 4096 2011-04-07 10:42 kontrollbase 
drwxr-x--- 2 root root 28672 2011-04-07 10:42 mem 
drwx------ 2 root root 16384 2011-04-07 10:42 mysql 
drwxr-x--- 2 root root 4096 2011-04-07 10:42 pmatest 
drwxr-x--- 2 root root 4096 2011-04-07 10:42 test1 
Next, I clear out the directory /var/lib/mysql 
and run 
mysqlbackup --copy-back /etc/mysql/my.cnf /home/pavel/backup 
and that's what I see in the directory /var/lib/mysql 
/var/lib/mysql# ls -la 
итого 25696 
drwxrwxrwx 7 mysql mysql 4096 2011-04-07 10:47 . 
drwxr-xr-x 74 root root 4096 2011-03-15 12:27 .. 
-rw-r--r-- 1 root root 39 2011-04-07 10:47 ibbackup_binlog_info 
-rw-r--r-- 1 root root 51 2011-04-07 10:47 ibbackup_slave_info 
-rw-r----- 1 root root 10485760 2011-04-07 10:47 ibdata1 
-rw-r----- 1 root root 5242880 2011-04-07 10:47 ib_logfile0 
-rw-r----- 1 root root 5242880 2011-04-07 10:47 ib_logfile1 
-rw-r----- 1 root root 5242880 2011-04-07 10:47 ib_logfile2 
drwx------ 2 root root 4096 2011-04-07 10:47 kontrollbase 
drwx------ 2 root root 12288 2011-04-07 10:47 mem 
drwx------ 2 root root 4096 2011-04-07 10:47 mysql 
drwx------ 2 root root 4096 2011-04-07 10:47 pmatest 
drwx------ 2 root root 4096 2011-04-07 10:47 test1 
/var/lib/mysql/mysql# ls -la 
итого 6380 
drwx------ 2 root root 4096 2011-04-07 10:47 . 
drwxrwxrwx 7 mysql mysql 4096 2011-04-07 10:47 .. 
-rw-r----- 1 root root 35 2011-04-07 10:47 backup_history.CSM 
-rw-r----- 1 root root 6410 2011-04-07 10:47 backup_history.CSV 
-rw-r----- 1 root root 71260 2011-04-07 10:47 backup_history.frm 
-rw-r----- 1 root root 35 2011-04-07 10:47 backup_progress.CSM 
-rw-r----- 1 root root 5627 2011-04-07 10:47 backup_progress.CSV 
-rw-r----- 1 root root 33370 2011-04-07 10:47 backup_progress.frm 
-rw-r----- 1 root root 8820 2011-04-07 10:47 columns_priv.frm 
-rw-r----- 1 root root 0 2011-04-07 10:47 columns_priv.MYD 
-rw-r----- 1 root root 4096 2011-04-07 10:47 columns_priv.MYI 
-rw-r----- 1 root root 9582 2011-04-07 10:47 db.frm 
-rw-r----- 1 root root 3520 2011-04-07 10:47 db.MYD 
-rw-r----- 1 root root 5120 2011-04-07 10:47 db.MYI 
-rw-r----- 1 root root 10223 2011-04-07 10:47 event.frm 
-rw-r----- 1 root root 0 2011-04-07 10:47 event.MYD 
.................... 
.................... 
.................... 

How to repeat:
write in description

Verified just as described on Ubuntu 10.04. I had to use sudo to be able to read files from default 5.1.41 MySQL instance, and (after making mysqlbackup work, eventually), got the following ownership and permissions for the backup:

openxs@ubuntu:~$ sudo ls -l backup
total 256284
-rw-r--r-- 1 root root       300 2011-04-07 16:50 backup-my.cnf
-rw-r--r-- 1 root root        18 2011-04-07 16:51 ibbackup_binlog_info
-rw-r--r-- 1 root root       152 2011-04-07 16:51 ibbackup_export_variables.txt
-rw-r----- 1 root root      3072 2011-04-07 16:51 ibbackup_logfile
-rw-r----- 1 root root 262144000 2011-04-07 16:51 ibdata1
drwx------ 2 root root      4096 2011-04-07 16:51 mysql
drwx------ 2 root root      4096 2011-04-07 16:51 sisppg
drwx------ 2 root root      4096 2011-04-07 16:51 test

Compare this to original files:

openxs@ubuntu:~$ sudo ls -l /var/lib/mysql
total 266540
-rw-r--r-- 1 mysql mysql         0 2010-07-16 14:15 debian-5.0.flag
-rw-r--r-- 1 mysql mysql         0 2011-03-01 16:46 debian-5.1.flag
-rw-rw---- 1 mysql mysql 262144000 2011-04-07 16:51 ibdata1
-rw-rw---- 1 mysql mysql   5242880 2011-04-07 16:51 ib_logfile0
-rw-rw---- 1 mysql mysql   5242880 2011-04-07 16:51 ib_logfile1
drwx------ 2 mysql mysql      4096 2011-04-07 16:51 mysql
-rw------- 1 mysql mysql         6 2010-09-03 09:11 mysql_upgrade_info
drwx------ 2 mysql mysql      4096 2011-02-24 17:49 sisppg
drwx------ 2 mysql mysql      4096 2011-04-05 12:28 test
-rw-rw---- 1 mysql mysql         4 2011-04-07 10:17 ubuntu.pid

have any plans to fix this problem?

This bug prevents our company to make the final decision to purchase enterprise subscription. Is-there any plans to fix it?

Pavel,

we are not allowed to discuss any plans in public, nor discuss anything not related to how to repeat and/or fix bugs in this bug database. Please contact your account manager or Sales representative who works with you to discuss this case.

Closing as "Not a bug".

It is assumed that the user is familiar with the security mechanisms provided by the operating system. 
For example, on Unix-like systems the umask controls the file permissions for the new files created by MySQL server and mysqlbackup program. 

Please set umask correctly.

It seems that this problem does not happen on Windows, at least as per "cacls" output.

I've tested this using the following commands:

- cacls *.* > d:\original.txt
- cacls *.* > d:\backup_dir.txt
- cacls *.* > d:\apply-log.txt
- cacls *.* > d:\copy-back.txt

and then comparing output files.

In my case, the content of the "original.txt" file is similar to the following:

db_12976288 BUILTIN\Administrators:F 
BUILTIN\Administrators:(OI)(CI)(IO)F 
NT AUTHORITY\SYSTEM:F 
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F 
NT AUTHORITY\Authenticated Users:C 
NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)C 
BUILTIN\Users:R 
BUILTIN\Users:(OI)(CI)(IO)(special access:)

                          GENERIC_READ
                          GENERIC_EXECUTE

ibdata1 BUILTIN\Administrators:F 
    NT AUTHORITY\SYSTEM:F 
    NT AUTHORITY\Authenticated Users:C 
    BUILTIN\Users:R 

ib_logfile0 BUILTIN\Administrators:F 
NT AUTHORITY\SYSTEM:F 
NT AUTHORITY\Authenticated Users:C 
BUILTIN\Users:R 

ib_logfile1 BUILTIN\Administrators:F 
NT AUTHORITY\SYSTEM:F 
NT AUTHORITY\Authenticated Users:C 
BUILTIN\Users:R 

mysql BUILTIN\Administrators:F 
  BUILTIN\Administrators:(OI)(CI)(IO)F 
  NT AUTHORITY\SYSTEM:F 
  NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F 
  NT AUTHORITY\Authenticated Users:C 
  NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)C 
  BUILTIN\Users:R 
  BUILTIN\Users:(OI)(CI)(IO)(special access:)

                    GENERIC_READ
                    GENERIC_EXECUTE
 

performance_schema BUILTIN\Administrators:F 
       BUILTIN\Administrators:(OI)(CI)(IO)F 
       NT AUTHORITY\SYSTEM:F 
       NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F 
       NT AUTHORITY\Authenticated Users:C 
       NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)C 
       BUILTIN\Users:R 
       BUILTIN\Users:(OI)(CI)(IO)(special access:)

                                 GENERIC_READ
                                 GENERIC_EXECUTE

SLETO-IT.log BUILTIN\Administrators:F 
 NT AUTHORITY\SYSTEM:F 
 NT AUTHORITY\Authenticated Users:C 
 BUILTIN\Users:R 

SLETO-IT.pid BUILTIN\Administrators:F 
 NT AUTHORITY\SYSTEM:F 
 NT AUTHORITY\Authenticated Users:C 
 BUILTIN\Users:R 

sr3 BUILTIN\Administrators:F 
BUILTIN\Administrators:(OI)(CI)(IO)F 
NT AUTHORITY\SYSTEM:F 
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F 
NT AUTHORITY\Authenticated Users:C 
NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)C 
BUILTIN\Users:R 
BUILTIN\Users:(OI)(CI)(IO)(special access:)

                  GENERIC_READ
                  GENERIC_EXECUTE

test BUILTIN\Administrators:F 
 BUILTIN\Administrators:(OI)(CI)(IO)F 
 NT AUTHORITY\SYSTEM:F 
 NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F 
 NT AUTHORITY\Authenticated Users:C 
 NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)C 
 BUILTIN\Users:R 
 BUILTIN\Users:(OI)(CI)(IO)(special access:)

                   GENERIC_READ
                   GENERIC_EXECUTE

The other 3 files have same content.

Documentation is being updated with the requirement to be aware of the permission/ownership considerations and possibly do some combination of umask/chown/chmod.

Table 3.1. Information Needed to Back Up a Database
A.1. Limitations of mysqlbackup Command

The capability to automate this operation via the mysqlbackup command is being submitted as a product requirement. (Which is not a guarantee that the requirement will be accepted.)