Workaround for https://github.com/systemd/systemd/issues/1221

Put all capabilities in one CapabilityBoundingSet line, otherwise buggy systemd sets CapabilityBoundingSet=0

Workaround for https://github.com/systemd/systemd/issues/1221
Put all capabilities in one CapabilityBoundingSet line, otherwise buggy systemd sets CapabilityBoundingSet=0
c6dff512 · Sergei Golubchik · c9aa495f · c6dff512 · c6dff512
Commit c6dff512 authored Jul 05, 2019 by Sergei Golubchik
Hide whitespace changes
Inline Side-by-side

Showing with 16 additions and 24 deletions

support-files/mariadb.service.in support-files/mariadb.service.in +8 -12

support-files/mariadb@.service.in support-files/mariadb@.service.in +8 -12

No files found.
--- a/support-files/mariadb.service.in
+++ b/support-files/mariadb.service.in
@@ -44,7 +44,14 @@ User=mysql
 Group=mysql

 # CAP_IPC_LOCK To allow memlock to be used as non-root user
-CapabilityBoundingSet=CAP_IPC_LOCK
+# CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0
+#   does nothing for non-root, not needed if /etc/shadow is u+r
+# CAP_AUDIT_WRITE auth_pam_tool needs it on Debian for whatever reason
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
+
+# PrivateDevices=true implies NoNewPrivileges=true and
+# SUID auth_pam_tool suddenly doesn't do setuid anymore
+PrivateDevices=false

 # Prevent writes to /usr, /boot, and /etc
 ProtectSystem=full
@@ -96,17 +103,6 @@ RestartSec=5s

 UMask=007

-##############################################################################
-## PAM plugin section
-#
-# CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0
-#   does nothing for non-root, not needed if /etc/shadow is u+r
-# CAP_AUDIT_WRITE Needed on Debian for whatever reason
-CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
-
-# PrivateDevices=true implies NoNewPrivileges=true and SUID doesn't work at all
-PrivateDevices=false
-
 ##############################################################################
 ## USERs can override
 ##

--- a/support-files/mariadb@.service.in
+++ b/support-files/mariadb@.service.in
@@ -165,7 +165,14 @@ PrivateNetwork=false
 ##

 # CAP_IPC_LOCK To allow memlock to be used as non-root user
-CapabilityBoundingSet=CAP_IPC_LOCK
+# CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0
+#   does nothing for non-root, not needed if /etc/shadow is u+r
+# CAP_AUDIT_WRITE auth_pam_tool needs it on Debian for whatever reason
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
+
+# PrivateDevices=true implies NoNewPrivileges=true and
+# SUID auth_pam_tool suddenly doesn't do setuid anymore
+PrivateDevices=false

 # Prevent writes to /usr, /boot, and /etc
 ProtectSystem=full
@@ -200,17 +207,6 @@ RestartSec=5s

 UMask=007

-##############################################################################
-## PAM plugin section
-#
-# CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0
-#   does nothing for non-root, not needed if /etc/shadow is u+r
-# CAP_AUDIT_WRITE Needed on Debian for whatever reason
-CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
-
-# PrivateDevices=true implies NoNewPrivileges=true and SUID doesn't work at all
-PrivateDevices=false
-
 ##############################################################################
 ## USERs can override
 ##