Diffstat (limited to 'support-files/mariadb.service.in')
-rw-r--r-- | support-files/mariadb.service.in | 13 |
1 files changed, 9 insertions, 4 deletions
diff --git a/support-files/mariadb.service.in b/support-files/mariadb.service.in
index c323124dd33..3dc6f0fbc71 100644
--- a/support-files/mariadb.service.in
+++ b/support-files/mariadb.service.in
@@ -49,8 +49,15 @@ PrivateNetwork=false
 User=mysql
 Group=mysql
 
-# To allow memlock to be used as non-root user if set in configuration
-CapabilityBoundingSet=CAP_IPC_LOCK
+# CAP_IPC_LOCK To allow memlock to be used as non-root user
+# CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0
+# does nothing for non-root, not needed if /etc/shadow is u+r
+# CAP_AUDIT_WRITE auth_pam_tool needs it on Debian for whatever reason
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
+
+# PrivateDevices=true implies NoNewPrivileges=true and
+# SUID auth_pam_tool suddenly doesn't do setuid anymore
+PrivateDevices=false
 
 # Prevent writes to /usr, /boot, and /etc
 ProtectSystem=full
@@ -58,8 +65,6 @@ ProtectSystem=full
 # Doesn't yet work properly with SELinux enabled
 # NoNewPrivileges=true
 
-PrivateDevices=true
-
 # Prevent accessing /home, /root and /run/user
 ProtectHome=true
 
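Review bot: CAP_DAC_OVERRIDE on the new `CapabilityBoundingSet=` line is wider than the stated need: per capabilities(7) it bypasses write and execute permission checks as well as read, whereas reading a mode-0 /etc/shadow as root only requires CAP_DAC_READ_SEARCH, so `CapabilityBoundingSet=CAP_IPC_LOCK CAP_DAC_READ_SEARCH CAP_AUDIT_WRITE` is the least-privilege form (assuming auth_pam_tool never needs to write, which the comment suggests but the hunk cannot confirm). Because the bounding set is what any SUID-root child of mysqld inherits, including auth_pam_tool, which processes attacker-influenced PAM input, every capability left here is exactly what an exploited helper ends up holding as root. Switching to `PrivateDevices=false` also hands mysqld the host's real /dev again; if the only goal is to avoid the implied NoNewPrivileges=, `DevicePolicy=closed` (a cgroup-level setting that does not imply NoNewPrivileges=) preserves most of that isolation and the trade-off deserves a comment next to the new line either way. The [Service] section this hunk modifies begins outside the hunk.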