Workaround for systemd/systemd#1221

Put all capabilities in one CapabilityBoundingSet line, otherwise buggy systemd sets CapabilityBoundingSet=0
MariaDB · Jul 5, 2019 · c6dff51276b4c0a1c14df32c5d96ab65c846baa6 · c6dff51
1 parent c9aa495
commit c6dff51276b4c0a1c14df32c5d96ab65c846baa6
Unified Split

Showing with 16 additions and 24 deletions.

+8 −12 support-files/mariadb.service.in

+8 −12 support-files/mariadb@.service.in
diff --git a/support-files/mariadb.service.in b/support-files/mariadb.service.in
@@ -44,7 +44,14 @@ User=mysql
 Group=mysql
 # CAP_IPC_LOCK To allow memlock to be used as non-root user
-  
-CapabilityBoundingSet=CAP_IPC_LOCK
+  
+# CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0
+  
+#   does nothing for non-root, not needed if /etc/shadow is u+r
+  
+# CAP_AUDIT_WRITE auth_pam_tool needs it on Debian for whatever reason
+  
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
+  
+
+  
+# PrivateDevices=true implies NoNewPrivileges=true and
+  
+# SUID auth_pam_tool suddenly doesn't do setuid anymore
+  
+PrivateDevices=false
 # Prevent writes to /usr, /boot, and /etc
 ProtectSystem=full
@@ -96,17 +103,6 @@ RestartSec=5s
 UMask=007
-  
-##############################################################################
-  
-## PAM plugin section
-  
-#
-  
-# CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0
-  
-#   does nothing for non-root, not needed if /etc/shadow is u+r
-  
-# CAP_AUDIT_WRITE Needed on Debian for whatever reason
-  
-CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
-  
-
-  
-# PrivateDevices=true implies NoNewPrivileges=true and SUID doesn't work at all
-  
-PrivateDevices=false
-  
-
 ##############################################################################
 ## USERs can override
 ##

diff --git a/support-files/mariadb@.service.in b/support-files/mariadb@.service.in
@@ -165,7 +165,14 @@ PrivateNetwork=false
 ##
 # CAP_IPC_LOCK To allow memlock to be used as non-root user
-  
-CapabilityBoundingSet=CAP_IPC_LOCK
+  
+# CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0
+  
+#   does nothing for non-root, not needed if /etc/shadow is u+r
+  
+# CAP_AUDIT_WRITE auth_pam_tool needs it on Debian for whatever reason
+  
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
+  
+
+  
+# PrivateDevices=true implies NoNewPrivileges=true and
+  
+# SUID auth_pam_tool suddenly doesn't do setuid anymore
+  
+PrivateDevices=false
 # Prevent writes to /usr, /boot, and /etc
 ProtectSystem=full
@@ -200,17 +207,6 @@ RestartSec=5s
 UMask=007
-  
-##############################################################################
-  
-## PAM plugin section
-  
-#
-  
-# CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0
-  
-#   does nothing for non-root, not needed if /etc/shadow is u+r
-  
-# CAP_AUDIT_WRITE Needed on Debian for whatever reason
-  
-CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
-  
-
-  
-# PrivateDevices=true implies NoNewPrivileges=true and SUID doesn't work at all
-  
-PrivateDevices=false
-  
-
 ##############################################################################
 ## USERs can override
 ##