Details
- Task
- Status: Closed
- Minor
- Resolution: Duplicate
- 3.3.5
- None
- Fedora 38
Description
When connecting to a Unix socket, instead of providing a file path it would be nice if MariaDB would support using an inherited file descriptor from the parent process.
Systemd can connect to a Unix socket and then let the started program (as defined by ExecStart= in the service unit) inherit this file descriptor. This improves security because the process running MariaDB Connector/C does not need file access permission to the Unix socket.
The systemd directive OpenFile= was introduced in systemd 253 (released February 2023).
Man page:
https://www.freedesktop.org/software/systemd/man/systemd.service.html#OpenFile=
There is some example code at
https://mariadb.com/docs/skysql-previous-release/connect/programming-languages/c/connect/
about how to use MariaDB Connector/C to connect to MariaDB database products.
Here I replaced NULL with "/some/path":

    // Connect to the database
    if (!mysql_real_connect(
          conn,                 // Connection
          "example.skysql.net", // Host
          "db_user",            // User account
          "db_user_password",   // User password
          "test",               // Default database
          5009,                 // Port number
          "/some/path",         // Path to socket file
          0                     // Additional options
        ))

Instead of specifying a path to the Unix socket, there should be a way to specify the file descriptor name myfdname that was set in the systemd service unit:

    OpenFile=/some/path:myfdname

I don't know how to best introduce OpenFile= support in the API, but just as an example there could be a new function:

    // Connect to the database
    if (!mysql_real_connect_with_OpenFile(
          conn,                 // Connection
          "example.skysql.net", // Host
          "db_user",            // User account
          "db_user_password",   // User password
          "test",               // Default database
          "myfdname",           // OpenFile fdname
          0                     // Additional options
        ))

The file descriptor name is set by systemd in the environment variable LISTEN_FDNAMES (see https://www.freedesktop.org/software/systemd/man/sd_listen_fds.html).
A side-note: OpenFile= also supports opening normal files. If MariaDB Connector/C has a need to open files, such files could be passed to MariaDB Connector/C as file descriptors with OpenFile=
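
How a program started by systemd could resolve the name myfdname to a descriptor number, as an added example that is not part of the original ticket and is not MariaDB Connector/C code. `find_named_fd` is a hypothetical helper; it assumes the environment protocol documented for sd_listen_fds (LISTEN_PID, LISTEN_FDS, LISTEN_FDNAMES, with inherited descriptors numbered from 3).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define LISTEN_FDS_START 3 /* first inherited fd, same value as SD_LISTEN_FDS_START */

/* Hypothetical helper: return the inherited fd named `name`, or -1. */
int find_named_fd(const char *name)
{
    const char *pid_s = getenv("LISTEN_PID");
    const char *fds_s = getenv("LISTEN_FDS");
    const char *names = getenv("LISTEN_FDNAMES");
    char *end;

    if (!name || !pid_s || !fds_s || !names)
        return -1;

    /* The variables are addressed to one process only; reject values
       that leaked in from some other process's environment. */
    long pid = strtol(pid_s, &end, 10);
    if (*pid_s == '\0' || *end != '\0' || pid != (long)getpid())
        return -1;

    long nfds = strtol(fds_s, &end, 10);
    if (*fds_s == '\0' || *end != '\0' || nfds <= 0 || nfds > 1024) /* sanity bound */
        return -1;

    /* LISTEN_FDNAMES is colon-separated: one name per fd, in fd order. */
    size_t want = strlen(name);
    const char *p = names;
    for (long i = 0; i < nfds; i++) {
        size_t len = strcspn(p, ":");
        if (len == want && memcmp(p, name, len) == 0)
            return LISTEN_FDS_START + (int)i;
        if (p[len] == '\0')
            break; /* fewer names than descriptors */
        p += len + 1;
    }
    return -1;
}

int main(void)
{
    int fd = find_named_fd("myfdname"); /* from OpenFile=/some/path:myfdname */
    printf("myfdname -> fd %d\n", fd);  /* -1 when not started by systemd */
    return fd < 0;
}
```

The returned descriptor is already connected, so the service itself never needs permission to open /some/path.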