MariaDB Server / MDEV-36229

MariaDB effectively running as root CAP_DAC_OVERRIDE

Details

    Description

      Hi,

      I tried to figure out why mariadbd can actually write in paths where only root has permissions, and then I found

      https://github.com/MariaDB/server/blob/main/support-files/mariadb.service.in#L54

      Setting `AmbientCapabilities=CAP_DAC_OVERRIDE` is just as effective as running mariadbd as root.

      You can test it by changing permissions on /var/lib/mysql to root:root. Mariadbd can still write in that folder even though it should not have permissions.
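      The following is an added example for this issue, not code from the report above or from the MariaDB project. CAP_DAC_OVERRIDE lets a process bypass the read, write and execute permission bits on files (see capabilities(7)), which is why the chown test in the report still succeeds. The script decodes the CapEff line of /proc/<pid>/status to show whether a live mariadbd actually holds the capability, and prints a systemd drop-in that clears the ambient capability list. The drop-in is an administrator-side mitigation assumed here; the page does not say what change was merged. The sample status excerpts and the drop-in file name are constructed for illustration.

```shell
#!/bin/sh
# Added example for MDEV-36229; not code from the bug report or from the
# MariaDB project. Checks whether a process holds CAP_DAC_OVERRIDE in its
# effective capability set (CapEff in /proc/<pid>/status) and prints a
# systemd drop-in that clears the ambient capability list. The drop-in is
# an assumed administrator-side mitigation, not the fix merged for the issue.

# Capability number from <linux/capability.h>: CAP_DAC_OVERRIDE is 1,
# so it is bit 1 of the CapEff mask.
CAP_DAC_OVERRIDE=1

# cap_in_mask HEXMASK CAPNUM: succeeds when capability CAPNUM is set in HEXMASK.
# HEXMASK is the 16-hex-digit value as the kernel prints it, without 0x.
cap_in_mask() {
    mask=$1
    capnum=$2
    case $mask in
        ''|*[!0-9a-fA-F]*) return 2 ;;   # not a hex mask at all
    esac
    [ $(( (0x$mask >> $capnum) & 1 )) -eq 1 ]
}

# cap_eff_from_status STATUS_TEXT: prints the CapEff mask found in status text.
cap_eff_from_status() {
    printf '%s\n' "$1" | sed -n 's/^CapEff:[[:space:]]*//p'
}

# has_dac_override STATUS_TEXT: succeeds when CapEff includes CAP_DAC_OVERRIDE.
has_dac_override() {
    mask=$(cap_eff_from_status "$1")
    [ -n "$mask" ] || return 2
    cap_in_mask "$mask" "$CAP_DAC_OVERRIDE"
}

# check_pid PID: reports on a live process; returns 1 when the capability is
# effective (the condition described in the report), 0 when it is not.
check_pid() {
    status=$(cat "/proc/$1/status" 2>/dev/null) || { echo "no such pid: $1" >&2; return 2; }
    if has_dac_override "$status"; then
        echo "pid $1: CAP_DAC_OVERRIDE is effective; datadir mode bits do not restrict it"
        return 1
    fi
    echo "pid $1: CAP_DAC_OVERRIDE is not effective"
}

# override_conf: drop-in contents. An empty AmbientCapabilities= assignment
# resets the list that the shipped unit file set.
override_conf() {
    cat <<'EOF'
[Service]
AmbientCapabilities=
EOF
}

# install_override: writes the drop-in for mariadb.service (needs root).
# The file name is an arbitrary choice for this example.
install_override() {
    dir=/etc/systemd/system/mariadb.service.d
    mkdir -p "$dir"
    override_conf > "$dir/10-no-dac-override.conf"
    systemctl daemon-reload
}

# Constructed sample status excerpts (not captured from a real host; the
# kernel separates fields with tabs, which the sed pattern above also accepts).
SAMPLE_WITH_CAP='Name:   mariadbd
Uid:    999     999     999     999
CapEff: 0000000000000002'

SAMPLE_WITHOUT_CAP='Name:   mariadbd
Uid:    999     999     999     999
CapEff: 0000000000000000'

# Usage: ./capcheck.sh <pid>   |   ./capcheck.sh install
case "${1:-}" in
    '') ;;                       # run without arguments: nothing to do
    install) install_override ;;
    *) check_pid "$1" ;;
esac
```

      To check the running server, use `./capcheck.sh "$(systemctl show -p MainPID --value mariadb.service)"`. After installing the drop-in and restarting the service, `systemctl show -p AmbientCapabilities mariadb.service` should print an empty value and the chown test from the report should fail with a permission error, as it should. One caveat: without the capability mariadbd can only reach files the mysql user is actually permitted to access, so verify ownership of the datadir, log and TLS key files before restarting.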

          Activity

            serg Sergei Golubchik added a comment - eworm, not necessarily, but worry not, being a blocker it will, definitely, be in the next release. There's still time.

            eworm Christian Hesse added a comment - serg, yes, I have seen that. But it is in the current releases, and these are shipped by distributions already. Having some security implications here, I would like to see this fixed sooner rather than later. Once it is merged I would push updated packages for Arch Linux.

            serg Sergei Golubchik added a comment - got it, fair enough. we'll try to do it asap

            cvicentiu Vicențiu Ciorbaru added a comment - Reviewed, the changes are ok, merged.

            eworm Christian Hesse added a comment - Thanks a lot! BTW, has a CVE been assigned for this?

            People

              cvicentiu Vicențiu Ciorbaru
              Desdic Kim Gert Nielsen
              Votes: 0
              Watchers: 7
