mirror of
https://github.com/MariaDB/server.git
synced 2025-08-16 18:19:41 +00:00
c461188ca6
Hopefully, this ends the long story of CapabilityBoundingSet in mariadb.service. Started from MDEV-9095 (27e6fd9a59) which was supposed to let --memlock work without root, but instead of adding the necessary capability (CAP_IPC_LOCK) by putting it into AmbientCapabilities it removed all other capabilities, by putting CAP_IPC_LOCK into CapabilityBoundingSet (which is the mask of allowed capabilities). This broke pam plugin, which needed CAP_DAC_OVERRIDE, it was fixed in MDEV-19878 (dd93028dae) by appending CAP_DAC_OVERRIDE to CapabilityBoundingSet. Obviously, memlock still didn't work, this was fixed in MDEV-33301 (76a27155b4) by moving CAP_IPC_LOCK to AmbientCapabilities. Unfortunately, it moved too much (everything), so MDEV-36229 (85ecb80fa3) fixed it moving CAP_DAC_OVERRIDE back to CapabilityBoundingSet. This caused MDEV-36591 (8925877dc8) triggering a bug in old systemd versions. And it broke pam plugin on CentOS Stream 10, where CAP_DAC_OVERRIDE alone was apparently not enough. Let's finally fix this by removing CapabilityBoundingSet completely and keeping CAP_IPC_LOCK in AmbientCapabilities, which should've been the correct fix for MDEV-9095 from the start.