Workaround for https://github.com/systemd/systemd/issues/1221
Put all capabilities on one CapabilityBoundingSet line; otherwise affected (buggy) systemd versions end up with CapabilityBoundingSet=0, i.e. an empty bounding set
parent
c9aa495fb6
commit
c6dff51276
2 changed files with 16 additions and 24 deletions
|
@ -44,7 +44,14 @@ User=mysql
|
|||
Group=mysql
|
||||
|
||||
# CAP_IPC_LOCK To allow memlock to be used as non-root user
|
||||
CapabilityBoundingSet=CAP_IPC_LOCK
|
||||
# CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0
|
||||
# does nothing for non-root, not needed if /etc/shadow is u+r
|
||||
# CAP_AUDIT_WRITE auth_pam_tool needs it on Debian for whatever reason
|
||||
CapabilityBoundingSet=CAP_IPC_LOCK CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
|
||||
|
||||
# PrivateDevices=true implies NoNewPrivileges=true and
|
||||
# SUID auth_pam_tool suddenly doesn't do setuid anymore
|
||||
PrivateDevices=false
|
||||
|
||||
# Prevent writes to /usr, /boot, and /etc
|
||||
ProtectSystem=full
|
||||
|
@ -96,17 +103,6 @@ RestartSec=5s
|
|||
|
||||
UMask=007
|
||||
|
||||
##############################################################################
|
||||
## PAM plugin section
|
||||
#
|
||||
# CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0
|
||||
# does nothing for non-root, not needed if /etc/shadow is u+r
|
||||
# CAP_AUDIT_WRITE Needed on Debian for whatever reason
|
||||
CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
|
||||
|
||||
# PrivateDevices=true implies NoNewPrivileges=true and SUID doesn't work at all
|
||||
PrivateDevices=false
|
||||
|
||||
##############################################################################
|
||||
## USERs can override
|
||||
##
|
||||
|
|
|
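Review bot: The merged `CapabilityBoundingSet=CAP_IPC_LOCK CAP_DAC_OVERRIDE CAP_AUDIT_WRITE` line carries no hint of why it must stay a single line, so the next person who tidies the unit back into per-purpose sections will silently reintroduce the systemd bug this commit works around. Add, directly above that line, `# Keep every capability on this ONE line: splitting it over several CapabilityBoundingSet= lines` / `# triggers https://github.com/systemd/systemd/issues/1221 and leaves the service with an empty bounding set.` Two caveats are also worth recording next to it: the bounding set is only a ceiling, so if mysqld itself (running as the mysql user per the User= line above the hunk) is meant to mlock memory, CapabilityBoundingSet alone does not confer CAP_IPC_LOCK — that would need AmbientCapabilities= where the target systemd supports it, or an adequate LimitMEMLOCK= — and CAP_DAC_OVERRIDE in the bounding set lets the SUID-root auth_pam_tool bypass DAC on any file, not only /etc/shadow, so "does nothing for non-root" holds for mysqld but not for the helper. The enclosing [Service] section starts and ends outside the hunk.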
@ -165,7 +165,14 @@ PrivateNetwork=false
|
|||
##
|
||||
|
||||
# CAP_IPC_LOCK To allow memlock to be used as non-root user
|
||||
CapabilityBoundingSet=CAP_IPC_LOCK
|
||||
# CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0
|
||||
# does nothing for non-root, not needed if /etc/shadow is u+r
|
||||
# CAP_AUDIT_WRITE auth_pam_tool needs it on Debian for whatever reason
|
||||
CapabilityBoundingSet=CAP_IPC_LOCK CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
|
||||
|
||||
# PrivateDevices=true implies NoNewPrivileges=true and
|
||||
# SUID auth_pam_tool suddenly doesn't do setuid anymore
|
||||
PrivateDevices=false
|
||||
|
||||
# Prevent writes to /usr, /boot, and /etc
|
||||
ProtectSystem=full
|
||||
|
@ -200,17 +207,6 @@ RestartSec=5s
|
|||
|
||||
UMask=007
|
||||
|
||||
##############################################################################
|
||||
## PAM plugin section
|
||||
#
|
||||
# CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0
|
||||
# does nothing for non-root, not needed if /etc/shadow is u+r
|
||||
# CAP_AUDIT_WRITE Needed on Debian for whatever reason
|
||||
CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
|
||||
|
||||
# PrivateDevices=true implies NoNewPrivileges=true and SUID doesn't work at all
|
||||
PrivateDevices=false
|
||||
|
||||
##############################################################################
|
||||
## USERs can override
|
||||
##
|
||||
|
|
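Review bot: The single-line requirement behind `CapabilityBoundingSet=CAP_IPC_LOCK CAP_DAC_OVERRIDE CAP_AUDIT_WRITE` is unexplained in this second unit file as well, and the two files can drift independently, so a why-comment belongs here too: `# Keep all capabilities on ONE CapabilityBoundingSet line: split lines collapse to an empty set on affected systemd (issue #1221).` It is also worth noting beside it that a bounding set is only a ceiling — mysqld running as the mysql user gains no CAP_IPC_LOCK from it, so memlock presumably still depends on LimitMEMLOCK= or an ambient capability, to be confirmed against the intended systemd version — and that CAP_DAC_OVERRIDE applies to every file the SUID-root auth_pam_tool opens, not just /etc/shadow. The enclosing [Service] section continues outside the hunk.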