authorSergei Golubchik <serg@mariadb.org>2019-07-05 17:11:54 +0200
committerSergei Golubchik <serg@mariadb.org>2019-07-05 17:12:46 +0200
commitc6dff51276b4c0a1c14df32c5d96ab65c846baa6 (patch)
tree0a2d4a1c1e01d567b61c05d4456cc431b9af57c1
parentc9aa495fb67ab4fd5c9790d4f61b7e988423619f (diff)
downloadmariadb-git-c6dff51276b4c0a1c14df32c5d96ab65c846baa6.tar.gz
Workaround for https://github.com/systemd/systemd/issues/1221
Put all capabilities in one CapabilityBoundingSet line, otherwise buggy systemd sets CapabilityBoundingSet=0
-rw-r--r--support-files/mariadb.service.in20
-rw-r--r--support-files/mariadb@.service.in20
2 files changed, 16 insertions, 24 deletions
diff --git a/support-files/mariadb.service.in b/support-files/mariadb.service.in
index c31e883000d..b6332ea5075 100644
--- a/support-files/mariadb.service.in
+++ b/support-files/mariadb.service.in
@@ -44,7 +44,14 @@ User=mysql
Group=mysql
# CAP_IPC_LOCK To allow memlock to be used as non-root user
-CapabilityBoundingSet=CAP_IPC_LOCK
+# CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0
+# does nothing for non-root, not needed if /etc/shadow is u+r
+# CAP_AUDIT_WRITE auth_pam_tool needs it on Debian for whatever reason
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
+
+# PrivateDevices=true implies NoNewPrivileges=true and
+# SUID auth_pam_tool suddenly doesn't do setuid anymore
+PrivateDevices=false
# Prevent writes to /usr, /boot, and /etc
ProtectSystem=full
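Review bot: The merged `CapabilityBoundingSet=` line that follows the CAP_AUDIT_WRITE comment carries no hint that the three capabilities must stay in one assignment, so the next edit that splits them again (and possibly a drop-in that adds a second `CapabilityBoundingSet=`) silently reintroduces the empty-set result described in the commit message, which is the only place the reason is recorded. Add it directly above the line, e.g. `# Keep every capability on this ONE line: systemd affected by https://github.com/systemd/systemd/issues/1221 mishandles multiple CapabilityBoundingSet= assignments and ends up with an empty set`. It is also worth stating that this is a bounding set rather than a grant: mysqld keeps running as `User=mysql` without these capabilities, and the list only limits what the SUID auth_pam_tool may retain after exec, which is what makes widening it on installs that never load the PAM plugin acceptable. The phrase `needs it on Debian for whatever reason` should name the actual cause if it is known (presumably PAM modules built against libaudit writing to the audit socket — confirm), because "whatever reason" invites someone to drop the capability later. The same two points apply to the identical hunk in support-files/mariadb@.service.in.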
@@ -97,17 +104,6 @@ RestartSec=5s
UMask=007
##############################################################################
-## PAM plugin section
-#
-# CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0
-# does nothing for non-root, not needed if /etc/shadow is u+r
-# CAP_AUDIT_WRITE Needed on Debian for whatever reason
-CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
-
-# PrivateDevices=true implies NoNewPrivileges=true and SUID doesn't work at all
-PrivateDevices=false
-
-##############################################################################
## USERs can override
##
##
diff --git a/support-files/mariadb@.service.in b/support-files/mariadb@.service.in
index fc87742e705..326d8e52b3c 100644
--- a/support-files/mariadb@.service.in
+++ b/support-files/mariadb@.service.in
@@ -165,7 +165,14 @@ PrivateNetwork=false
##
# CAP_IPC_LOCK To allow memlock to be used as non-root user
-CapabilityBoundingSet=CAP_IPC_LOCK
+# CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0
+# does nothing for non-root, not needed if /etc/shadow is u+r
+# CAP_AUDIT_WRITE auth_pam_tool needs it on Debian for whatever reason
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
+
+# PrivateDevices=true implies NoNewPrivileges=true and
+# SUID auth_pam_tool suddenly doesn't do setuid anymore
+PrivateDevices=false
# Prevent writes to /usr, /boot, and /etc
ProtectSystem=full
@@ -201,17 +208,6 @@ RestartSec=5s
UMask=007
##############################################################################
-## PAM plugin section
-#
-# CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0
-# does nothing for non-root, not needed if /etc/shadow is u+r
-# CAP_AUDIT_WRITE Needed on Debian for whatever reason
-CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
-
-# PrivateDevices=true implies NoNewPrivileges=true and SUID doesn't work at all
-PrivateDevices=false
-
-##############################################################################
## USERs can override
##
##