MDEV-5479 Prevent stealing Unix socket of running instance

When two MariaDB server instances are configured with the same
Unix socket path but different TCP ports, the second instance
unconditionally unlink()s the first instance's active socket
file in network_init(). This silently breaks the first
instance's ability to accept local connections.

Root cause: the call (void) unlink(mysqld_unix_port) in
network_init() removes an existing socket file without
checking whether another server is actively listening on it.
Notably, the bind() error handler immediately following the
unlink already warns about another running server -- but this
message could never trigger because the unconditional
unlink() removed the socket before bind() had a chance to
fail.

Fix: before unlinking an existing socket file, attempt to
connect() to it:
- If connect() succeeds, another server is actively using
  the socket. Abort startup with an error message.
- If connect() fails with EACCES, the socket is active but
  owned by another user. Abort -- we must not unlink a
  socket we cannot even verify.
- If connect() fails with ECONNREFUSED or similar, the
  socket is stale from a previous unclean shutdown. Proceed
  with unlink() as before.
- If the file exists but is not a socket (S_ISSOCK check),
  remove it to preserve previous behavior.

connect() was chosen over flock()-based advisory locking
because flock() requires managing a separate lock file
alongside the socket (creation, cleanup, and handling of
orphaned lock files), and does not work reliably on network
filesystems. connect() probes the socket directly with no
extra files and no NFS dependency. This is the same approach
PostgreSQL uses for socket conflict prevention.

A recv()-with-timeout variant was also considered but
rejected: it adds a multi-second startup delay when a hung
server is detected, and misclassifies a hung server as
stale (proceeds to steal the socket instead of aborting).

Co-Authored-By: Claude AI <noreply@anthropic.com>

Author: FaramosCZ

mysql-test/main/socket_conflict.result

@@ -0,0 +1,19 @@
+#
+# MDEV-5479: Prevent mysqld from stealing Unix socket file
+#            of another active instance
+#
+#
+# Test 1: Server must refuse to start when a listener is
+#         already present on the socket path
+#
+FOUND 1 /\[ERROR\] Another server process is already using the socket file/ in socket_conflict.err
+#
+# Test 2: Stale socket file must be cleaned up at startup
+#
+# restart
+SELECT 1;
+1
+1
+#
+# End of 13.0 tests
+#

mysql-test/main/socket_conflict.test

@@ -0,0 +1,119 @@
+--source include/not_windows.inc
+--source include/not_embedded.inc
+
+--echo #
+--echo # MDEV-5479: Prevent mysqld from stealing Unix socket file
+--echo #            of another active instance
+--echo #
+
+# Shut down the server once; both tests run while it is down.
+--source include/shutdown_mysqld.inc
+
+--echo #
+--echo # Test 1: Server must refuse to start when a listener is
+--echo #         already present on the socket path
+--echo #
+
+# Create a fake listener on the default socket path.
+# The child process creates and holds the listening socket;
+# the parent must not touch the socket object at all, because
+# Perl's IO::Socket->close() calls shutdown(SHUT_RDWR) which
+# would kill the listener in the child too.
+perl;
+  use IO::Socket::UNIX;
+  my $path= $ENV{MASTER_MYSOCK};
+  unlink $path if -e $path;
+  my $pid= fork();
+  die "fork: $!" unless defined $pid;
+  if ($pid == 0)
+  {
+    # Detach from parent's process group and close inherited
+    # pipe fds. mysqltest uses popen() for perl blocks and
+    # reads stdout to completion -- the child must close its
+    # copy of the pipe so mysqltest can proceed.
+    setpgrp(0, 0);
+    open(STDIN, '<', '/dev/null');
+    open(STDOUT, '>', '/dev/null');
+    open(STDERR, '>', '/dev/null');
+    my $srv= IO::Socket::UNIX->new(
+      Type   => SOCK_STREAM,
+      Local  => $path,
+      Listen => 1,
+    ) or exit 1;
+    sleep 120;
+    exit 0;
+  }
+  # Parent: wait for child to create the socket (up to 5s)
+  for (1..50)
+  {
+    last if -S $path;
+    select(undef, undef, undef, 0.1);
+  }
+  die "Fake listener not created at $path\n" unless -S $path;
+  my $pidfile= "$ENV{MYSQLTEST_VARDIR}/tmp/fake_server.pid";
+  open(my $fh, '>', $pidfile) or die "Cannot write $pidfile: $!\n";
+  print $fh $pid;
+  close $fh;
+EOF
+
+--let errorlog=$MYSQL_TMP_DIR/socket_conflict.err
+--let SEARCH_FILE=$errorlog
+
+# Use --innodb=OFF to skip InnoDB initialization, which runs
+# before network_init() and would otherwise take minutes on CI.
+--error 1
+--exec $MYSQLD --defaults-group-suffix=.1 --defaults-file=$MYSQLTEST_VARDIR/my.cnf --innodb=OFF --log-error=$errorlog
+
+--let SEARCH_PATTERN=\[ERROR\] Another server process is already using the socket file
+--source include/search_pattern_in_file.inc
+
+--remove_file $SEARCH_FILE
+
+# Kill the fake listener and clean up its socket file
+perl;
+  my $pidfile= "$ENV{MYSQLTEST_VARDIR}/tmp/fake_server.pid";
+  open(my $fh, '<', $pidfile) or die "Cannot read $pidfile: $!\n";
+  my $pid= <$fh>;
+  chomp $pid;
+  close $fh;
+  kill 'TERM', $pid;
+  # The child runs in its own process group (setpgrp) and was
+  # reparented to init, so waitpid won't work here. Poll until
+  # the process is gone.
+  for (1..50)
+  {
+    last unless kill(0, $pid);
+    select(undef, undef, undef, 0.1);
+  }
+  unlink $pidfile;
+  unlink $ENV{MASTER_MYSOCK};
+EOF
+
+--echo #
+--echo # Test 2: Stale socket file must be cleaned up at startup
+--echo #
+
+# Create a stale Unix socket at the default socket path.
+# The socket is bound then immediately closed, leaving an
+# orphaned file with no listener behind it.
+perl;
+  use IO::Socket::UNIX;
+  my $path= $ENV{MASTER_MYSOCK};
+  my $srv= IO::Socket::UNIX->new(
+    Type   => SOCK_STREAM,
+    Local  => $path,
+    Listen => 1,
+  ) or die "Cannot create socket at $path: $!\n";
+  $srv->close();
+EOF
+
+# Start the server normally -- it should detect the stale
+# socket, remove it, and bind successfully.
+--source include/start_mysqld.inc
+
+# Verify the server is operational
+SELECT 1;
+
+--echo #
+--echo # End of 13.0 tests
+--echo #

sql/mysqld.cc

@@ -2779,7 +2779,44 @@ static void network_init(void)
     else
 #endif
     {
-      (void) unlink(mysqld_unix_port);
+      struct stat statbuf;
+      if (stat(mysqld_unix_port, &statbuf) == 0)
+      {
+        /* Socket file exists - check if another server is using it */
+        if (S_ISSOCK(statbuf.st_mode))
+        {
+          int test_fd= socket(AF_UNIX, SOCK_STREAM, 0);
+          if (test_fd >= 0)
+          {
+            struct sockaddr_un test_addr;
+            bzero((char*) &test_addr, sizeof(test_addr));
+            test_addr.sun_family= AF_UNIX;
+            strmov(test_addr.sun_path, mysqld_unix_port);
+            if (connect(test_fd, (struct sockaddr *) &test_addr,
+                        sizeof(test_addr)) == 0)
+            {
+              /* Socket is active - another server is listening */
+              close(test_fd);
+              sql_print_error("Another server process is already "
+                              "using the socket file '%s'. "
+                              "Aborting.", mysqld_unix_port);
+              unireg_abort(1);
+            }
+            if (socket_errno == EACCES)
+            {
+              close(test_fd);
+              sql_print_error("Socket file '%s' exists and is "
+                              "owned by another user. Cannot "
+                              "verify or replace it. Aborting.",
+                              mysqld_unix_port);
+              unireg_abort(1);
+            }
+            close(test_fd);
+          }
+        }
+        /* Socket file is stale or not a socket - safe to remove */
+        (void) unlink(mysqld_unix_port);
+      }
       port_len= sizeof(UNIXaddr);
     }
     arg= 1;