Turns Out That Snaps Are Not Secure In Ubuntu With X11 (softpedia.com)
prisoninmate quotes a report from Softpedia: According to Matthew Garrett, a renowned CoreOS security developer and Linux kernel contributor, Canonical's new snap package format is not secure at all when it is used under X.Org Server (X Window System), which, for now, is still the default display server of the Ubuntu 16.04 LTS (Xenial Xerus) operating system. The fact of the matter is that X11's old design is well known for being insecure, and Matthew Garrett took the time to demonstrate this by writing a simple snap package that can steal data from any other X11 software, in this case anything you type in the Mozilla Firefox web browser. As more developers provide snaps for their apps, Canonical needs to do something about the security of snaps in Ubuntu when using X11 or switch to the Mir display server. In the meantime, the security of snaps remains unaffected for the Ubuntu Server operating system, which is usually used without a display server. Canonical has officially released Ubuntu 16.04 LTS, which is now available to download for those interested.
What's even worse than the poor choice of submission selection is the censoring that has gone on in the Ubuntu stories. For example, I saw one comment reporting a possible problem with the systemd unit files for MySQL. As a potential Ubuntu and MySQL user, it's important for me to know about possible problems such as that one. Yet that comment was modded down. Even worse than that, somebody (or somebodies) went through and systematically modded down many of the replies to that comment, too!
This release of Ubuntu is an LTS release. Some of us could potentially be using it until 2021. If somebody is having problems with a critical part of this release, then it's important to get the word out. We shouldn't have abusive Slashdot moderators suppressing information that could potentially save people a lot of time. If there are problems with systemd and MySQL in Ubuntu, then we need to know about them.
Because System V init does not do process monitoring and service restart upon crash, the MySQL people decided to write their own workaround using shell scripts; this is why you can see a mysqld_safe process running as well as the regular mysqld on non-systemd systems. mysqld_safe is a 1117-line bash script and /etc/init.d/mysql (the System V init script for MySQL) is a further 197 lines of bash:
root@sql:~# wc /usr/bin/mysqld_safe
 1117 4059 31801 /usr/bin/mysqld_safe
root@sql:~# wc /etc/init.d/mysql
 197 777 5742 /etc/init.d/mysql
Since this monitoring is done by a bash script, it's not always 100% safe. I have on several occasions encountered situations where a "service mysql stop" returned OK but the mysqld_safe process refused to die, noticed that mysql was stopped and restarted it behind the scenes, resulting in upgrades going to complete shit, among other things.
Since all that shit is now instead handled properly by systemd (due to, i.e., control groups), the unit file for MySQL is extremely simple and straightforward:
# MySQL systemd service file
[Unit]
Description=MySQL Community Server
After=network.target
[Install]
WantedBy=multi-user.target
[Service]
User=mysql
Group=mysql
PermissionsStartOnly=true
ExecStartPre=/usr/share/mysql/mysql-systemd-start pre
ExecStart=/usr/sbin/mysqld
ExecStartPost=/usr/share/mysql/mysql-systemd-start post
TimeoutSec=600
Restart=on-failure
RuntimeDirectory=mysqld
RuntimeDirectoryMode=755
No more mysqld_safe silliness, and everything is down to a 20-line unit file that is a hell of a lot easier to parse manually than the old init scripts.
So I do hope that people will now see that the ACs who keep posting these lies are in fact just lying trolls; not a single one of them has ever read the MySQL unit file and not a single one of them has ever run MySQL on a distribution using systemd.
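The unit file quoted in the comment above is short enough to check by hand, but the same checks can be automated. The following is an added example, not code from the comment or from MySQL or systemd: a small parser for the systemd unit format (sections, repeatable keys, comment lines) plus a review pass over the [Service] section that reports the settings a security reviewer looks at first (non-root User, a Restart policy, a non-world-writable runtime directory). The MYSQL_UNIT string is a constructed copy of the unit file shown above.

```python
"""Parse a systemd unit file and report security-relevant [Service] settings."""

# Constructed copy of the MySQL unit file quoted in the comment above.
MYSQL_UNIT = """\
# MySQL systemd service file
[Unit]
Description=MySQL Community Server
After=network.target
[Install]
WantedBy=multi-user.target
[Service]
User=mysql
Group=mysql
PermissionsStartOnly=true
ExecStartPre=/usr/share/mysql/mysql-systemd-start pre
ExecStart=/usr/sbin/mysqld
ExecStartPost=/usr/share/mysql/mysql-systemd-start post
TimeoutSec=600
Restart=on-failure
RuntimeDirectory=mysqld
RuntimeDirectoryMode=755
"""


def parse_unit(text):
    """Return {section: [(key, value), ...]}; keys may repeat in systemd units."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        key, _, value = line.partition("=")    # values may themselves contain '='
        sections.setdefault(current, []).append((key.strip(), value.strip()))
    return sections


def review_service(sections):
    """List the findings a reviewer would raise against the [Service] section."""
    svc = dict(sections.get("Service", []))    # last value wins for repeated keys
    findings = []
    if svc.get("User", "root") == "root":      # systemd runs services as root by default
        findings.append("runs as root")
    if svc.get("Restart", "no") not in ("on-failure", "on-abnormal", "always"):
        findings.append("no automatic restart on crash")
    if int(svc.get("RuntimeDirectoryMode", "0755"), 8) & 0o002:
        findings.append("runtime directory is world-writable")
    if not svc.get("ExecStart"):
        findings.append("no ExecStart")
    return findings
```

For the quoted MySQL unit the review returns no findings; a unit with only an ExecStart line is reported as running as root with no restart policy.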