
Commit c6dff51

committed
Workaround for systemd/systemd#1221
Put all capabilities in one CapabilityBoundingSet line, otherwise buggy systemd sets CapabilityBoundingSet=0
1 parent c9aa495 commit c6dff51


2 files changed

+16
-24
lines changed


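--- a/support-files/mariadb.service.in
+++ b/support-files/mariadb.service.in
@@ -44,7 +44,14 @@ User=mysql
 Group=mysql
 
 # CAP_IPC_LOCK To allow memlock to be used as non-root user
-CapabilityBoundingSet=CAP_IPC_LOCK
+# CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0
+# does nothing for non-root, not needed if /etc/shadow is u+r
+# CAP_AUDIT_WRITE auth_pam_tool needs it on Debian for whatever reason
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
+
+# PrivateDevices=true implies NoNewPrivileges=true and
+# SUID auth_pam_tool suddenly doesn't do setuid anymore
+PrivateDevices=false
 
 # Prevent writes to /usr, /boot, and /etc
 ProtectSystem=full
@@ -96,17 +103,6 @@ RestartSec=5s
 
 UMask=007
 
-##############################################################################
-## PAM plugin section
-#
-# CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0
-# does nothing for non-root, not needed if /etc/shadow is u+r
-# CAP_AUDIT_WRITE Needed on Debian for whatever reason
-CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
-
-# PrivateDevices=true implies NoNewPrivileges=true and SUID doesn't work at all
-PrivateDevices=false
-
 ##############################################################################
 ## USERs can override
 ##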
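Review bot: The merged `CapabilityBoundingSet=` line and the `PrivateDevices=false` that now sits beside it apply to every installation, including those that never load the auth_pam plugin, whereas the removed "PAM plugin section" at least marked CAP_DAC_OVERRIDE, CAP_AUDIT_WRITE and the relaxed PrivateDevices as PAM-specific. The comment block above the new line should keep that context and point at the "USERs can override" mechanism further down, e.g. `# CAP_DAC_OVERRIDE/CAP_AUDIT_WRITE and PrivateDevices=false are only needed for the auth_pam plugin; installations without it can tighten both via a drop-in override`. Since systemd merges repeated `CapabilityBoundingSet=` assignments (the behaviour this commit is working around), such a drop-in presumably needs an empty `CapabilityBoundingSet=` reset before narrowing to `CAP_IPC_LOCK`, which is worth stating in that comment. The identical hunk in support-files/mariadb@.service.in needs the same wording.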

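--- a/support-files/mariadb@.service.in
+++ b/support-files/mariadb@.service.in
@@ -165,7 +165,14 @@ PrivateNetwork=false
 ##
 
 # CAP_IPC_LOCK To allow memlock to be used as non-root user
-CapabilityBoundingSet=CAP_IPC_LOCK
+# CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0
+# does nothing for non-root, not needed if /etc/shadow is u+r
+# CAP_AUDIT_WRITE auth_pam_tool needs it on Debian for whatever reason
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
+
+# PrivateDevices=true implies NoNewPrivileges=true and
+# SUID auth_pam_tool suddenly doesn't do setuid anymore
+PrivateDevices=false
 
 # Prevent writes to /usr, /boot, and /etc
 ProtectSystem=full
@@ -200,17 +207,6 @@ RestartSec=5s
 
 UMask=007
 
-##############################################################################
-## PAM plugin section
-#
-# CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0
-# does nothing for non-root, not needed if /etc/shadow is u+r
-# CAP_AUDIT_WRITE Needed on Debian for whatever reason
-CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
-
-# PrivateDevices=true implies NoNewPrivileges=true and SUID doesn't work at all
-PrivateDevices=false
-
 ##############################################################################
 ## USERs can override
 ##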
