summaryrefslogtreecommitdiff
path: root/support-files
diff options
context:
space:
mode:
authorSergei Golubchik <serg@mariadb.org>2019-07-05 17:11:54 +0200
committerSergei Golubchik <serg@mariadb.org>2019-07-05 17:12:46 +0200
commitc6dff51276b4c0a1c14df32c5d96ab65c846baa6 (patch)
tree0a2d4a1c1e01d567b61c05d4456cc431b9af57c1 /support-files
parentc9aa495fb67ab4fd5c9790d4f61b7e988423619f (diff)
downloadmariadb-git-c6dff51276b4c0a1c14df32c5d96ab65c846baa6.tar.gz
Workaround for https://github.com/systemd/systemd/issues/1221
Put all capabilities in one CapabilityBoundingSet line, otherwise buggy systemd sets CapabilityBoundingSet=0
Diffstat (limited to 'support-files')
-rw-r--r--support-files/mariadb.service.in20
-rw-r--r--support-files/mariadb@.service.in20
2 files changed, 16 insertions, 24 deletions
diff --git a/support-files/mariadb.service.in b/support-files/mariadb.service.in
index c31e883000d..b6332ea5075 100644
--- a/support-files/mariadb.service.in
+++ b/support-files/mariadb.service.in
@@ -44,7 +44,14 @@ User=mysql
Group=mysql
# CAP_IPC_LOCK To allow memlock to be used as non-root user
-CapabilityBoundingSet=CAP_IPC_LOCK
+# CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0
+# does nothing for non-root, not needed if /etc/shadow is u+r
+# CAP_AUDIT_WRITE auth_pam_tool needs it on Debian for whatever reason
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
+
+# PrivateDevices=true implies NoNewPrivileges=true and
+# SUID auth_pam_tool suddenly doesn't do setuid anymore
+PrivateDevices=false
# Prevent writes to /usr, /boot, and /etc
ProtectSystem=full
@@ -97,17 +104,6 @@ RestartSec=5s
UMask=007
##############################################################################
-## PAM plugin section
-#
-# CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0
-# does nothing for non-root, not needed if /etc/shadow is u+r
-# CAP_AUDIT_WRITE Needed on Debian for whatever reason
-CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
-
-# PrivateDevices=true implies NoNewPrivileges=true and SUID doesn't work at all
-PrivateDevices=false
-
-##############################################################################
## USERs can override
##
##
diff --git a/support-files/mariadb@.service.in b/support-files/mariadb@.service.in
index fc87742e705..326d8e52b3c 100644
--- a/support-files/mariadb@.service.in
+++ b/support-files/mariadb@.service.in
@@ -165,7 +165,14 @@ PrivateNetwork=false
##
# CAP_IPC_LOCK To allow memlock to be used as non-root user
-CapabilityBoundingSet=CAP_IPC_LOCK
+# CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0
+# does nothing for non-root, not needed if /etc/shadow is u+r
+# CAP_AUDIT_WRITE auth_pam_tool needs it on Debian for whatever reason
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
+
+# PrivateDevices=true implies NoNewPrivileges=true and
+# SUID auth_pam_tool suddenly doesn't do setuid anymore
+PrivateDevices=false
# Prevent writes to /usr, /boot, and /etc
ProtectSystem=full
@@ -201,17 +208,6 @@ RestartSec=5s
UMask=007
##############################################################################
-## PAM plugin section
-#
-# CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0
-# does nothing for non-root, not needed if /etc/shadow is u+r
-# CAP_AUDIT_WRITE Needed on Debian for whatever reason
-CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
-
-# PrivateDevices=true implies NoNewPrivileges=true and SUID doesn't work at all
-PrivateDevices=false
-
-##############################################################################
## USERs can override
##
##