[MDEV-14707] systemd: remove PermissionsStartOnly=true (by removing environment _WSREP_START_POSITION) - Jira

Details

Type: Task
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Fix Version/s: 11.6.0
Component/s: Scripts & Clients
Labels:
- systemd

Description

If we could replace this with another mechanism we can run as the ordinary User= and make the scripts less vulnerable to CVEs.

This will also enable a multi-instance where each user is different without the complication of re-acquiring the systemd user for the service.

Attachments

Issue Links

relates to

MDEV-19210 use environment file in systemd units for _WSREP_*

Closed

MDEV-10004 Galera's pc.recovery process fails in 10.1 with systemd

Closed

MDEV-11494 galera_recovery script hard-codes the user

Closed

Activity

Ascending order - Click to sort in descending order

Daniel Black created issue - 2017-12-19 04:38

Daniel Black made changes - 2017-12-19 04:38

Field	Original Value	New Value
Link		This issue relates to ~~MDEV-10004~~ [ ~~MDEV-10004~~ ]

Sergei Golubchik made changes - 2018-02-14 15:48

Description

~~MDEV-10004~~ introduced _WSREP_START_POSITION{,%I} as a mechanism to store the mysqld arguments required to recover after crashes. This 'systemctl set-environment' is the only operations that requires PermissionsStartOnly=true in the service file.

If we could replace this with another mechanism we can run as the ordinary User= and make the scripts less vulnerable to CVEs.

This will also enable a multi-instance where each user is different without the complication of re-acquiring the systemd user for the service.

~~MDEV-10004~~ introduced _WSREP_START_POSITION\{,%I} as a mechanism to store the mysqld arguments required to recover after crashes. This 'systemctl set-environment' is the only operations that requires PermissionsStartOnly=true in the service file.

If we could replace this with another mechanism we can run as the ordinary User= and make the scripts less vulnerable to CVEs.

This will also enable a multi-instance where each user is different without the complication of re-acquiring the systemd user for the service.

Daniel Black made changes - 2018-02-22 06:04

Link

This issue relates to ~~MDEV-11494~~ [ ~~MDEV-11494~~ ]

Sergei Golubchik made changes - 2019-03-29 12:04

Fix Version/s

10.4 [ 22408 ]

Sergei Golubchik made changes - 2019-04-10 07:58

Labels

systemd

Daniel Black made changes - 2020-07-29 04:14

Assignee

Daniel Black [ danblack ]

Sergei Golubchik made changes - 2021-12-06 21:21

Workflow

MariaDB v3 [ 84507 ]

MariaDB v4 [ 130758 ]

Daniel Black made changes - 2022-02-02 03:19

Link

This issue relates to ~~MDEV-19210~~ [ ~~MDEV-19210~~ ]

Julien Fritsch made changes - 2023-04-27 14:23

Fix Version/s

10.3 [ 22126 ]

Daniel Black made changes - 2025-01-09 01:34

Component/s		Scripts & Clients [ 11002 ]
Fix Version/s		11.6.0 [ 29839 ]
Fix Version/s	10.4(EOL) [ 22408 ]
Resolution		Fixed [ 1 ]
Status	Open [ 1 ]	Closed [ 6 ]

People

Assignee:: Daniel Black

Reporter:: Daniel Black

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 2017-12-19 04:38

Updated:: 2025-01-09 01:34

Resolved:: 2025-01-09 01:34

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server

Details

Description

Attachments

Issue Links

Activity

People

Dates

Git Integration