1

I am trying to execute a shell command from within MySQL (from within a procedure or a trigger or the command line for MySQL).

I have added lib_mysqludf_sys to the MySQL plugins and created the functions that are available with the library. (the library, home page)

The library has 5 functions.

  1. sys_set - to set $PATH - this works and stores the $PATH which I can later check.
  2. sys_get - to get the stored value of $PATH - this also works and returns the value that I have stored.
  3. sys_exec - to execute a command in the system and return the exit code.
  4. sys_eval - to execute a command in the system and return the standard output.
  5. lib_mysqludf_sys_info - return the current version of the library - this also works.

I need sys_exec and sys_eval to work correctly.

I think I have found the problem in my search but cannot solve it.

MySQL is limited by AppArmor and is not granted access to execute system commands by the default AppArmor profile. I have tried the commands in the documentation to disable a single profile, disable the framework, put all profiles except one into enforce mode, and put all profiles in complain mode. Nothing works. The command

sudo apparmor_status

always gives me the same output.

20 profiles are loaded.
20 profiles are in enforce mode.
  /opt/extras.ubuntu.com/unity-lens-askubuntu/unity-askubuntu-daemon
  /sbin/dhclient
  /usr/bin/evince
  /usr/bin/evince-previewer
  /usr/bin/evince-previewer//launchpad_integration
  /usr/bin/evince-previewer//sanitized_helper
  /usr/bin/evince-thumbnailer
  /usr/bin/evince-thumbnailer//sanitized_helper
  /usr/bin/evince//launchpad_integration
  /usr/bin/evince//sanitized_helper
  /usr/lib/NetworkManager/nm-dhcp-client.action
  /usr/lib/connman/scripts/dhclient-script
  /usr/lib/cups/backend/cups-pdf
  /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper
  /usr/lib/telepathy/mission-control-5
  /usr/lib/telepathy/telepathy-*
  /usr/sbin/cupsd
  /usr/sbin/mysqld
  /usr/sbin/tcpdump
  /usr/share/gdm/guest-session/Xsession
0 profiles are in complain mode. 
5 processes have profiles defined. 
5 processes are in enforce mode.    
  /sbin/dhclient (2537)     
  /usr/lib/telepathy/mission-control-5 (2709)  
  /usr/sbin/cupsd (12245)     
  /usr/sbin/cupsd (12250)     
  /usr/sbin/mysqld (12675)  
0 processes are in complain mode. 
0 processes are unconfined but have a profile defined.

Please tell me how I could disable AppArmor or change the profile for MySQL so that it has access to executing system commands.

The reason I am doing all this is so that I can execute a system command when something happens in the DB (via a DB trigger). If you have suggestions for other ways in which this can be easily implemented, then please mention those too.

Thanks.

1 Answer

2

Managed to get this working. First put AppArmor in complain mode for the necessary profiles, then used AppArmor's interactive tools (aa-genprof/aa-logprof) to configure the profile for mysqld.
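
An added example, not part of the original answer or of AppArmor's own tools: while the mysqld profile is in complain mode, the kernel logs every access the profile does not cover, and reviewing those records shows exactly which paths a new rule would open up, so the profile can grant only those. The log lines, the `notify.sh` path and the function names below are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the original post) in the key="value"
# layout AppArmor uses in kern.log; timestamps, PIDs and paths are made up.
SAMPLE_LOG = "\n".join([
    'kernel: type=1400 audit(1.0:21): apparmor="ALLOWED" operation="exec" profile="/usr/sbin/mysqld" name="/bin/dash" pid=12700 comm="mysqld" requested_mask="x" denied_mask="x"',
    'kernel: type=1400 audit(1.1:22): apparmor="ALLOWED" operation="open" profile="/usr/sbin/mysqld//null-2b" name="/usr/local/bin/notify.sh" pid=12701 comm="sh" requested_mask="r" denied_mask="r"',
    'kernel: type=1400 audit(1.2:23): apparmor="ALLOWED" operation="exec" profile="/usr/sbin/mysqld" name="/bin/dash" pid=12702 comm="mysqld" requested_mask="x" denied_mask="x"',
    'kernel: type=1400 audit(1.3:24): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/shadow" pid=12245 comm="cupsd" requested_mask="r" denied_mask="r"',
    'kernel: usb 1-1: new high-speed USB device',
])

FIELD = re.compile(r'(\w+)="([^"]*)"')

def summarize(log_text, profile="/usr/sbin/mysqld"):
    """Map each path the profile touched outside its rules to the masks seen."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = dict(FIELD.findall(line))
        if rec.get("apparmor") not in ("ALLOWED", "DENIED"):
            continue  # not an AppArmor policy event
        # Complain mode runs unmatched execs under "<profile>//null-XX";
        # fold those child events back into the parent profile.
        base = rec.get("profile", "").split("//null-")[0]
        if base != profile or "name" not in rec:
            continue
        seen[rec["name"]].update(rec.get("denied_mask", ""))
    return {path: "".join(sorted(m)) for path, m in seen.items()}

def exec_targets(summary):
    """Paths for which execute permission was requested: review these first."""
    return sorted(p for p, mask in summary.items() if "x" in mask)

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for path, mask in sorted(report.items()):
        print(f"{path}  {mask}")
    print("exec requested for:", exec_targets(report))
```

Any path reported by `exec_targets` is a program mysqld would be allowed to launch once the rule is accepted, so a shell such as `/bin/dash` in that list deserves a narrower rule than a blanket execute permission.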
