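--- a/<path-not-shown-1>
+++ b/<path-not-shown-1>
@@ -44,7 +44,14 @@ User=mysql
 Group=mysql
 
 # CAP_IPC_LOCK To allow memlock to be used as non-root user
-CapabilityBoundingSet=CAP_IPC_LOCK
+# CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0
+# does nothing for non-root, not needed if /etc/shadow is u+r
+# CAP_AUDIT_WRITE auth_pam_tool needs it on Debian for whatever reason
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
+
+# PrivateDevices=true implies NoNewPrivileges=true and
+# SUID auth_pam_tool suddenly doesn't do setuid anymore
+PrivateDevices=false
 
 # Prevent writes to /usr, /boot, and /etc
 ProtectSystem=full
@@ -96,17 +103,6 @@ RestartSec=5s
 
 UMask=007
 
-##############################################################################
-## PAM plugin section
-#
-# CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0
-# does nothing for non-root, not needed if /etc/shadow is u+r
-# CAP_AUDIT_WRITE Needed on Debian for whatever reason
-CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
-
-# PrivateDevices=true implies NoNewPrivileges=true and SUID doesn't work at all
-PrivateDevices=false
-
 ##############################################################################
 ## USERs can override
 ##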
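Review bot: The merged `CapabilityBoundingSet=` on new line 50 and the `PrivateDevices=false` on new line 54 now apply to every mysqld instance whether or not the PAM plugin is loaded, and nothing in the surrounding comments tells an admin that both can be tightened again in a drop-in when auth_pam is unused. The grant itself is not new — systemd ORs repeated CapabilityBoundingSet= lines, so the deleted PAM section at old line 105 was already adding CAP_DAC_OVERRIDE and CAP_AUDIT_WRITE, and the bounding set is what caps what the SUID helper can gain on exec — but placing them next to CAP_IPC_LOCK makes the PAM-only purpose less visible. I'd add above line 47 `# Only the PAM plugin's SUID auth_pam_tool needs the two extra capabilities and PrivateDevices=false;` and `# if auth_pam is not used, override both in a drop-in (see the 'USERs can override' section).` The line `# CAP_AUDIT_WRITE auth_pam_tool needs it on Debian for whatever reason` records no verifiable cause; if it is Debian's audit-enabled PAM modules emitting audit records it should say so, otherwise mark it `# TODO: confirm why CAP_AUDIT_WRITE is required on Debian`. The identical hunk appears in the second file at @@ -165,7 +165,14 @@, so the same comments belong there.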
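--- a/<path-not-shown-2>
+++ b/<path-not-shown-2>
@@ -165,7 +165,14 @@ PrivateNetwork=false
 ##
 
 # CAP_IPC_LOCK To allow memlock to be used as non-root user
-CapabilityBoundingSet=CAP_IPC_LOCK
+# CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0
+# does nothing for non-root, not needed if /etc/shadow is u+r
+# CAP_AUDIT_WRITE auth_pam_tool needs it on Debian for whatever reason
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
+
+# PrivateDevices=true implies NoNewPrivileges=true and
+# SUID auth_pam_tool suddenly doesn't do setuid anymore
+PrivateDevices=false
 
 # Prevent writes to /usr, /boot, and /etc
 ProtectSystem=full
@@ -200,17 +207,6 @@ RestartSec=5s
 
 UMask=007
 
-##############################################################################
-## PAM plugin section
-#
-# CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0
-# does nothing for non-root, not needed if /etc/shadow is u+r
-# CAP_AUDIT_WRITE Needed on Debian for whatever reason
-CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
-
-# PrivateDevices=true implies NoNewPrivileges=true and SUID doesn't work at all
-PrivateDevices=false
-
 ##############################################################################
 ## USERs can override
 ##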