File tree Expand file tree Collapse file tree 2 files changed +16
-24
lines changed Expand file tree Collapse file tree 2 files changed +16
-24
lines changed Original file line number Diff line number Diff line change @@ -44,7 +44,14 @@ User=mysql
4444Group=mysql
4545
4646# CAP_IPC_LOCK To allow memlock to be used as non-root user
47- CapabilityBoundingSet=CAP_IPC_LOCK
47+ # CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0
48+ # does nothing for non-root, not needed if /etc/shadow is u+r
49+ # CAP_AUDIT_WRITE auth_pam_tool needs it on Debian for whatever reason
50+ CapabilityBoundingSet=CAP_IPC_LOCK CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
51+
52+ # PrivateDevices=true implies NoNewPrivileges=true and
53+ # SUID auth_pam_tool suddenly doesn't do setuid anymore
54+ PrivateDevices=false
4855
4956# Prevent writes to /usr, /boot, and /etc
5057ProtectSystem=full
@@ -96,17 +103,6 @@ RestartSec=5s
96103
97104UMask=007
98105
99- ##############################################################################
100- ## PAM plugin section
101- #
102- # CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0
103- # does nothing for non-root, not needed if /etc/shadow is u+r
104- # CAP_AUDIT_WRITE Needed on Debian for whatever reason
105- CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
106-
107- # PrivateDevices=true implies NoNewPrivileges=true and SUID doesn't work at all
108- PrivateDevices=false
109-
110106##############################################################################
111107## USERs can override
112108##
Original file line number Diff line number Diff line change @@ -165,7 +165,14 @@ PrivateNetwork=false
165165##
166166
167167# CAP_IPC_LOCK To allow memlock to be used as non-root user
168- CapabilityBoundingSet=CAP_IPC_LOCK
168+ # CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0
169+ # does nothing for non-root, not needed if /etc/shadow is u+r
170+ # CAP_AUDIT_WRITE auth_pam_tool needs it on Debian for whatever reason
171+ CapabilityBoundingSet=CAP_IPC_LOCK CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
172+
173+ # PrivateDevices=true implies NoNewPrivileges=true and
174+ # SUID auth_pam_tool suddenly doesn't do setuid anymore
175+ PrivateDevices=false
169176
170177# Prevent writes to /usr, /boot, and /etc
171178ProtectSystem=full
@@ -200,17 +207,6 @@ RestartSec=5s
200207
201208UMask=007
202209
203- ##############################################################################
204- ## PAM plugin section
205- #
206- # CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0
207- # does nothing for non-root, not needed if /etc/shadow is u+r
208- # CAP_AUDIT_WRITE Needed on Debian for whatever reason
209- CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
210-
211- # PrivateDevices=true implies NoNewPrivileges=true and SUID doesn't work at all
212- PrivateDevices=false
213-
214210##############################################################################
215211## USERs can override
216212##
You can’t perform that action at this time.
0 commit comments