mirror of
https://github.com/MariaDB/server.git
synced 2025-07-25 15:08:40 +00:00
MDEV-36591: RHEL8(+compat)/Ubuntu 20.04 cannot start systemd service (EXIT_CAPABILITIES/218)

Combined AmbientCapabilities and CapabilityBoundingSet configuration within a service file, we have found by testing, isn't supported in systemd v245 (Ubuntu 20.04) and v239 (RHEL8) for non-root users. This resulted in a service start error EXIT_CAPABILITIES, a limitation of the systemd version whose consequences we cannot work around.

With systemd version 247 these combined capabilities have been tested to work on Debian 11. No other supported major distros run systemd version 246, and if they did, the missing capability of CAP_IPC_LOCK won't be noticed as it was a convenience for --memlock users.

As such we disable the AmbientCapabilities for CAP_IPC_LOCK rather than disabling the CapabilityBoundingSet, because doing the latter will disable authentication for MariaDB users that have configured PAM with MariaDB.

Should a user require CAP_IPC_LOCK they can append in their own systemd overlay file this configuration in the CapabilityBoundingSet and configure the capability file attributes on the mariadbd executable to have the IPC_LOCK capability. This isn't configured by default as the presence of a capability in the MariaDB Server is detected by openssl libraries as "insecure" which will then ignore any user configured TLS configuration file passed through by the OPENSSL_CONF environment variable.

committed by
Oleksandr Byelkin

parent
f5405ef511
commit
8925877dc8
@ -57,6 +57,15 @@ MACRO(CHECK_SYSTEMD)
|
||||
# ProtectSystem=full prevents it
|
||||
ReadWritePaths=-${MYSQL_DATADIR}\n")
|
||||
ENDIF()
|
||||
# systemd version 245 (Ubuntu 20.04) and less cannot
|
||||
# handle ambient capbilities on non-root processes
|
||||
# 247 (Debian 11) is a version afterwards that is known to work.
|
||||
IF(LIBSYSTEMD_VERSION VERSION_GREATER_EQUAL 247)
|
||||
SET(SYSTEMD_AMBIENT_CAPABILITIES
|
||||
"# CAP_IPC_LOCK To allow --memlock to be used as non-root user
|
||||
AmbientCapabilities=CAP_IPC_LOCK
|
||||
")
|
||||
ENDIF()
|
||||
|
||||
MESSAGE_ONCE(systemd "Systemd features enabled")
|
||||
ELSE()
|
||||
|
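Review bot: The gate at `IF(LIBSYSTEMD_VERSION VERSION_GREATER_EQUAL 247)` keys on the libsystemd seen when CHECK_SYSTEMD runs at configure time, while the failure it avoids depends on the systemd that loads the unit on the install host. A package configured against 247 or newer and installed under an older systemd would still carry `AmbientCapabilities=CAP_IPC_LOCK`. Consider stating that build-host assumption in the comment, or letting packagers force the value off with a cache variable. Two smaller points in the same comment: it says "245 ... and less cannot" while the condition also excludes 246, so say that 246 is untested rather than known broken, and "capbilities" should read "capabilities".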
@ -47,10 +47,7 @@ PrivateNetwork=false
|
||||
User=mysql
|
||||
Group=mysql
|
||||
|
||||
# CAP_IPC_LOCK To allow memlock to be used as non-root user
|
||||
# These are enabled by default
|
||||
AmbientCapabilities=CAP_IPC_LOCK
|
||||
|
||||
@SYSTEMD_AMBIENT_CAPABILITIES@
|
||||
# CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0
|
||||
# does nothing for non-root, not needed if /etc/shadow is u+r
|
||||
# CAP_AUDIT_WRITE auth_pam_tool needs it on Debian for whatever reason
|
||||
|
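Review bot: Missing documentation at the `@SYSTEMD_AMBIENT_CAPABILITIES@` placeholder: when the macro leaves the variable unset, this line expands to nothing and the installed unit no longer mentions CAP_IPC_LOCK at all, because the explanatory comment now lives only inside the CMake string. An administrator reading the unit on an older systemd has no hint why memlock support is absent or how to get it back. Suggest keeping a static comment in the template above the placeholder saying the ambient capability is only emitted for systemd 247 and later, and that it can otherwise be added through a local drop-in plus a file capability on mariadbd, as the commit message describes.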
@ -177,10 +177,7 @@ PrivateNetwork=false
|
||||
## Package maintainers
|
||||
##
|
||||
|
||||
# CAP_IPC_LOCK To allow memlock to be used as non-root user
|
||||
# These are enabled by default
|
||||
AmbientCapabilities=CAP_IPC_LOCK
|
||||
|
||||
@SYSTEMD_AMBIENT_CAPABILITIES@
|
||||
# CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0
|
||||
# does nothing for non-root, not needed if /etc/shadow is u+r
|
||||
# CAP_AUDIT_WRITE auth_pam_tool needs it on Debian for whatever reason
|
||||
|
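Review bot: Style point on the second template: the replacement of the CAP_IPC_LOCK block by `@SYSTEMD_AMBIENT_CAPABILITIES@` is repeated verbatim from the first unit file, and here it sits directly under the "## Package maintainers" banner. That banner is a natural place for one line telling packagers that the AmbientCapabilities setting is generated by CHECK_SYSTEMD from the build-time libsystemd version, so that someone editing one template does not reintroduce the hard-coded `AmbientCapabilities=CAP_IPC_LOCK` line in the other.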