Skip to content
Permalink
Browse files

Workaround for systemd/systemd#1221

Put all capabilities in one CapabilityBoundingSet line,
otherwise buggy systemd sets CapabilityBoundingSet=0
  • Loading branch information...
vuvova committed Jul 5, 2019
1 parent c9aa495 commit c6dff51276b4c0a1c14df32c5d96ab65c846baa6
Showing with 16 additions and 24 deletions.
  1. +8 −12 support-files/mariadb.service.in
  2. +8 −12 support-files/mariadb@.service.in
@@ -44,7 +44,14 @@ User=mysql
Group=mysql

# CAP_IPC_LOCK To allow memlock to be used as non-root user
CapabilityBoundingSet=CAP_IPC_LOCK
# CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0
# does nothing for non-root, not needed if /etc/shadow is u+r
# CAP_AUDIT_WRITE auth_pam_tool needs it on Debian for whatever reason
CapabilityBoundingSet=CAP_IPC_LOCK CAP_DAC_OVERRIDE CAP_AUDIT_WRITE

# PrivateDevices=true implies NoNewPrivileges=true and
# SUID auth_pam_tool suddenly doesn't do setuid anymore
PrivateDevices=false

# Prevent writes to /usr, /boot, and /etc
ProtectSystem=full
@@ -96,17 +103,6 @@ RestartSec=5s

UMask=007

##############################################################################
## PAM plugin section
#
# CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0
# does nothing for non-root, not needed if /etc/shadow is u+r
# CAP_AUDIT_WRITE Needed on Debian for whatever reason
CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_AUDIT_WRITE

# PrivateDevices=true implies NoNewPrivileges=true and SUID doesn't work at all
PrivateDevices=false

##############################################################################
## USERs can override
##
@@ -165,7 +165,14 @@ PrivateNetwork=false
##

# CAP_IPC_LOCK To allow memlock to be used as non-root user
CapabilityBoundingSet=CAP_IPC_LOCK
# CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0
# does nothing for non-root, not needed if /etc/shadow is u+r
# CAP_AUDIT_WRITE auth_pam_tool needs it on Debian for whatever reason
CapabilityBoundingSet=CAP_IPC_LOCK CAP_DAC_OVERRIDE CAP_AUDIT_WRITE

# PrivateDevices=true implies NoNewPrivileges=true and
# SUID auth_pam_tool suddenly doesn't do setuid anymore
PrivateDevices=false

# Prevent writes to /usr, /boot, and /etc
ProtectSystem=full
@@ -200,17 +207,6 @@ RestartSec=5s

UMask=007

##############################################################################
## PAM plugin section
#
# CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0
# does nothing for non-root, not needed if /etc/shadow is u+r
# CAP_AUDIT_WRITE Needed on Debian for whatever reason
CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_AUDIT_WRITE

# PrivateDevices=true implies NoNewPrivileges=true and SUID doesn't work at all
PrivateDevices=false

##############################################################################
## USERs can override
##

0 comments on commit c6dff51

Please sign in to comment.
You can’t perform that action at this time.