From c6dff51276b4c0a1c14df32c5d96ab65c846baa6 Mon Sep 17 00:00:00 2001
From: Sergei Golubchik
Date: Fri, 5 Jul 2019 17:11:54 +0200
Subject: Workaround for https://github.com/systemd/systemd/issues/1221

Put all capabilities in one CapabilityBoundingSet line, otherwise buggy systemd sets CapabilityBoundingSet=0

---
 support-files/mariadb.service.in | 20 ++++++++------------
 support-files/mariadb@.service.in | 20 ++++++++------------
 2 files changed, 16 insertions(+), 24 deletions(-)

(limited to 'support-files')

diff --git a/support-files/mariadb.service.in b/support-files/mariadb.service.in
index c31e883000d..b6332ea5075 100644
--- a/support-files/mariadb.service.in
+++ b/support-files/mariadb.service.in
@@ -44,7 +44,14 @@ User=mysql
 Group=mysql
 
 # CAP_IPC_LOCK To allow memlock to be used as non-root user
-CapabilityBoundingSet=CAP_IPC_LOCK
+# CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0
+# does nothing for non-root, not needed if /etc/shadow is u+r
+# CAP_AUDIT_WRITE auth_pam_tool needs it on Debian for whatever reason
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
+
+# PrivateDevices=true implies NoNewPrivileges=true and
+# SUID auth_pam_tool suddenly doesn't do setuid anymore
+PrivateDevices=false
 
 # Prevent writes to /usr, /boot, and /etc
 ProtectSystem=full
@@ -96,17 +103,6 @@ RestartSec=5s
 
 UMask=007
 
-##############################################################################
-## PAM plugin section
-#
-# CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0
-# does nothing for non-root, not needed if /etc/shadow is u+r
-# CAP_AUDIT_WRITE Needed on Debian for whatever reason
-CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
-
-# PrivateDevices=true implies NoNewPrivileges=true and SUID doesn't work at all
-PrivateDevices=false
-
 ##############################################################################
 ## USERs can override
 ##
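Review bot: The new `CapabilityBoundingSet=CAP_IPC_LOCK CAP_DAC_OVERRIDE CAP_AUDIT_WRITE` and `PrivateDevices=false` lines in the first hunk loosen the sandbox for every installation, not only for those that actually load the auth_pam plugin, and the hunk gives operators no way back. The two extra capabilities only become usable through the SUID-root auth_pam_tool (the comment itself says they do nothing for the non-root mysqld), but giving up PrivateDevices, and the NoNewPrivileges it implied, is a loss of isolation for mysqld itself. I would add a pointer next to these lines for deployments without PAM auth, e.g. `# Not using auth_pam? Re-tighten with a drop-in (systemctl edit mariadb.service):` / `#   PrivateDevices=true` / `#   CapabilityBoundingSet=CAP_IPC_LOCK` — noting that, per systemd.exec(5), an empty `CapabilityBoundingSet=` line resets the set before re-assigning it, since multiple lines otherwise merge. The "USERs can override" section that the second hunk leaves in place is the natural home for that hint.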
diff --git a/support-files/mariadb@.service.in b/support-files/mariadb@.service.in
index fc87742e705..326d8e52b3c 100644
--- a/support-files/mariadb@.service.in
+++ b/support-files/mariadb@.service.in
@@ -165,7 +165,14 @@ PrivateNetwork=false
 ##
 
 # CAP_IPC_LOCK To allow memlock to be used as non-root user
-CapabilityBoundingSet=CAP_IPC_LOCK
+# CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0
+# does nothing for non-root, not needed if /etc/shadow is u+r
+# CAP_AUDIT_WRITE auth_pam_tool needs it on Debian for whatever reason
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
+
+# PrivateDevices=true implies NoNewPrivileges=true and
+# SUID auth_pam_tool suddenly doesn't do setuid anymore
+PrivateDevices=false
 
 # Prevent writes to /usr, /boot, and /etc
 ProtectSystem=full
@@ -200,17 +207,6 @@ RestartSec=5s
 
 UMask=007
 
-##############################################################################
-## PAM plugin section
-#
-# CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0
-# does nothing for non-root, not needed if /etc/shadow is u+r
-# CAP_AUDIT_WRITE Needed on Debian for whatever reason
-CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
-
-# PrivateDevices=true implies NoNewPrivileges=true and SUID doesn't work at all
-PrivateDevices=false
-
 ##############################################################################
 ## USERs can override
 ##
-- 
cgit v1.2.1
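Review bot: `# CAP_AUDIT_WRITE auth_pam_tool needs it on Debian for whatever reason` in the first hunk records a capability grant without a reason, so a later maintainer cannot tell when it is safe to drop again. The cause is not visible here; my guess is that Debian's PAM stack logs authentication events through the kernel audit interface, which requires CAP_AUDIT_WRITE, and I would at least write that down as a hypothesis: `# CAP_AUDIT_WRITE auth_pam_tool needs it on Debian (presumably PAM audit logging via libaudit -- verify, drop if not needed)`. Since this is the template unit, the unconditional `PrivateDevices=false` and widened bounding set now apply to every mariadb@ instance, including ones that never load auth_pam, so the comment should also say that a per-instance drop-in can set `PrivateDevices=true` and reset `CapabilityBoundingSet=` to `CAP_IPC_LOCK` when PAM auth is not used.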