Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-10298

Improve systemd service hardening

Details

    • 1.0.2

    Description

      It would be nice to use more of systemd's hardening features:

      ProtectSystem=full
      		 
      NoNewPrivileges=true
      		 
      PrivateDevices=true
      		 
      ProtectHome=true

      I tested these settings and didn't experience any problems in my (admitted limited) setup. I think they should be fine for anyone except for exceptional and odd situations. For the (very rare) impacted user, they can always override the systemd service - but a secure configuration should be the default.

      Attachments

        Issue Links

          causes

          Bug - A problem which impairs or prevents the functions of the product. MDEV-10399 custom tmpdir permission denied only in 10.1.16

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-10404 Improved systemd service hardening causes SELinux problems

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-10405 mysql.sock gets created with different SELinux context

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-10519 MariaDB fails to start after upgrade from 10.1.14 - 10.1.16 (InnoDB Encryption)

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-13207 PrivateDevices breaks systemd service on Debian 8.8

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-13896 Upgraded to 10.2.8 on Centos 7.4 ibdata error

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-26317 Distributed mariadb.service Systed service file prevents start with default datadir

          • Major - Major loss of function.
          • Closed
          links to

          Web Link another issue caused by this one

          Web Link GitHub Pull Request #195

          Activity

            Ascending order - Click to sort in descending order
            candrews Craig Andrews added a comment -

            https://github.com/MariaDB/server/pull/195

            candrews Craig Andrews added a comment - https://github.com/MariaDB/server/pull/195
            svoj Sergey Vojtovich added a comment -

            serg, could you also have a look at this patch? Yet I couldn't foresee any problems that it may cause.

            svoj Sergey Vojtovich added a comment - serg , could you also have a look at this patch? Yet I couldn't foresee any problems that it may cause.
            serg Sergei Golubchik added a comment -

            ok to push

            serg Sergei Golubchik added a comment - ok to push

            People

              svoj Sergey Vojtovich
              candrews Craig Andrews
              Votes:
              1 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.