Permission denied writing to mysql log

ubuntu files permissions mysql apparmor

33,792

It seems to me that most people create a directory named mysql inside of /var/log, change the owner of this folder to the mysql user.

sudo mkdir /var/log/mysql
sudo chown mysql:mysql /var/log/mysql

That should do it. Be sure to update the server's logging location and restart it. After you've tested re-enable mysql's apparmor profile.

33,792

Ian

By Day, I work for a company involving technologies like Programming, Linux, Perl, Sysadmin stuff, javascript. By Night I program for fun, often including things like SVG, Snap.svg, Javascript, Linux. When not doing tech stuff I enjoy dancing.

Updated on September 18, 2022

Comments

Ian over 1 year

I am just testing out a new Ubuntu (Vivid 15.04) install on Vagrant, and getting problems with mysql and logging to a custom location.

In /var/log/syslog I get

/usr/bin/mysqld_safe: cannot create /var/log/mysqld.log: Permission denied

If I ls -l /var I get

drwxrwxr-x 10 root syslog 4096 Jun  8 19:52 log

If I look in /var/log the file doesn't exist

I thought I had temporarily disabled apparmor just to isolate if it was that or something else causing the problem, but not sure if its still creating an issue (edit: think it may still be enabled, so not sure if this is an issue or simple permissions).

If I try manually creating the file as mysql I get denied as well (I temp allowed it bash access to test, I will remove after).

touch /var/log/mysql.log
touch: cannot touch ‘/var/log/mysql.log’: Permission denied

If I look at another running server (centos) it has permissions as above (and writes as mysql user), so I'm wondering how does mysql normally get permissions to access the /var/log directory, and how can I get it to access that folder via normal running ?

Here is my apparmor profile for mysql


/usr/sbin/mysqld {
  #include 
  #include 
  #include 
  #include 
  #include 

  capability dac_override,
  capability sys_resource,
  capability setgid,
  capability setuid,

  network tcp,

  /etc/hosts.allow r,
  /etc/hosts.deny r,

  /etc/mysql/** r,
  /usr/lib/mysql/plugin/ r,
  /usr/lib/mysql/plugin/*.so* mr,
  /usr/sbin/mysqld mr,
  /usr/share/mysql/** r,
  /var/log/mysqld.log rw,
  /var/log/mysqld.err rw,
  /var/lib/mysql/ r,
  /var/lib/mysql/** rwk,
  /var/log/mysql/ r,
  /var/log/mysql/* rw,
  /var/run/mysqld/mysqld.pid rw,
  /var/run/mysqld/mysqld.sock w,
  /run/mysqld/mysqld.pid rw,
  /run/mysqld/mysqld.sock w,

  /sys/devices/system/cpu/ r,

/var/log/mysqld.log rw,

  # Site-specific additions and overrides. See local/README for details.
  #include 
}

I also added the above file to the apparmor.d/disable directoru

Note: I added this line /var/log/mysqld.log rw, it wasn't originally there, and has same issue (after doing an apparmor reload).


apparmor module is loaded.
5 profiles are loaded.
5 profiles are in enforce mode.
   /sbin/dhclient
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/sbin/tcpdump
0 profiles are in complain mode.
1 processes have profiles defined.
1 processes are in enforce mode.
   /sbin/dhclient (565) 
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.


Jun  8 20:33:33 vagrant-ubuntu-vivid-64 systemd[1]: Starting MySQL Community Server...
Jun  8 20:33:33 vagrant-ubuntu-vivid-64 mysqld_safe[11231]: 150608 20:33:33 mysqld_safe Logging to '/var/log/mysqld.log'.
Jun  8 20:33:33 vagrant-ubuntu-vivid-64 mysqld_safe[11231]: touch: cannot touch ‘/var/log/mysqld.log’: Permission denied
Jun  8 20:33:33 vagrant-ubuntu-vivid-64 mysqld_safe[11231]: chmod: cannot access ‘/var/log/mysqld.log’: No such file or directory
Jun  8 20:33:33 vagrant-ubuntu-vivid-64 mysqld_safe[11231]: 150608 20:33:33 mysqld_safe Starting mysqld daemon with databases from /var/lib/mysql
Jun  8 20:33:33 vagrant-ubuntu-vivid-64 mysqld_safe[11231]: /usr/bin/mysqld_safe: 126: /usr/bin/mysqld_safe: cannot create /var/log/mysqld.log: Permission denied