diff options
author | Sergei Golubchik <serg@mariadb.org> | 2019-07-05 17:11:54 +0200 |
---|---|---|
committer | Sergei Golubchik <serg@mariadb.org> | 2019-07-05 17:12:46 +0200 |
commit | c6dff51276b4c0a1c14df32c5d96ab65c846baa6 (patch) | |
tree | 0a2d4a1c1e01d567b61c05d4456cc431b9af57c1 /support-files | |
parent | c9aa495fb67ab4fd5c9790d4f61b7e988423619f (diff) | |
download | mariadb-git-c6dff51276b4c0a1c14df32c5d96ab65c846baa6.tar.gz |
Workaround for https://github.com/systemd/systemd/issues/1221
Put all capabilities in one CapabilityBoundingSet line,
otherwise buggy systemd sets CapabilityBoundingSet=0
Diffstat (limited to 'support-files')
-rw-r--r-- | support-files/mariadb.service.in | 20 | ||||
-rw-r--r-- | support-files/mariadb@.service.in | 20 |
2 files changed, 16 insertions, 24 deletions
diff --git a/support-files/mariadb.service.in b/support-files/mariadb.service.in index c31e883000d..b6332ea5075 100644 --- a/support-files/mariadb.service.in +++ b/support-files/mariadb.service.in @@ -44,7 +44,14 @@ User=mysql Group=mysql # CAP_IPC_LOCK To allow memlock to be used as non-root user -CapabilityBoundingSet=CAP_IPC_LOCK +# CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0 +# does nothing for non-root, not needed if /etc/shadow is u+r +# CAP_AUDIT_WRITE auth_pam_tool needs it on Debian for whatever reason +CapabilityBoundingSet=CAP_IPC_LOCK CAP_DAC_OVERRIDE CAP_AUDIT_WRITE + +# PrivateDevices=true implies NoNewPrivileges=true and +# SUID auth_pam_tool suddenly doesn't do setuid anymore +PrivateDevices=false # Prevent writes to /usr, /boot, and /etc ProtectSystem=full @@ -97,17 +104,6 @@ RestartSec=5s UMask=007 ############################################################################## -## PAM plugin section -# -# CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0 -# does nothing for non-root, not needed if /etc/shadow is u+r -# CAP_AUDIT_WRITE Needed on Debian for whatever reason -CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_AUDIT_WRITE - -# PrivateDevices=true implies NoNewPrivileges=true and SUID doesn't work at all -PrivateDevices=false - -############################################################################## ## USERs can override ## ## diff --git a/support-files/mariadb@.service.in b/support-files/mariadb@.service.in index fc87742e705..326d8e52b3c 100644 --- a/support-files/mariadb@.service.in +++ b/support-files/mariadb@.service.in @@ -165,7 +165,14 @@ PrivateNetwork=false ## # CAP_IPC_LOCK To allow memlock to be used as non-root user -CapabilityBoundingSet=CAP_IPC_LOCK +# CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0 +# does nothing for non-root, not needed if /etc/shadow is u+r +# CAP_AUDIT_WRITE auth_pam_tool needs it on Debian for whatever reason +CapabilityBoundingSet=CAP_IPC_LOCK CAP_DAC_OVERRIDE CAP_AUDIT_WRITE + +# PrivateDevices=true implies NoNewPrivileges=true and +# SUID auth_pam_tool suddenly doesn't do setuid anymore +PrivateDevices=false # Prevent writes to /usr, /boot, and /etc ProtectSystem=full @@ -201,17 +208,6 @@ RestartSec=5s UMask=007 ############################################################################## -## PAM plugin section -# -# CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0 -# does nothing for non-root, not needed if /etc/shadow is u+r -# CAP_AUDIT_WRITE Needed on Debian for whatever reason -CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_AUDIT_WRITE - -# PrivateDevices=true implies NoNewPrivileges=true and SUID doesn't work at all -PrivateDevices=false - -############################################################################## ## USERs can override ## ## |