MariaDB Server: MDEV-36229

MariaDB effectively running as root CAP_DAC_OVERRIDE

Details

    Description

      Hi,

      I tried to figure out why mariadbd can actually write to paths where only root has permissions, and then I found

      https://github.com/MariaDB/server/blob/main/support-files/mariadb.service.in#L54

      Setting `AmbientCapabilities=CAP_DAC_OVERRIDE` is just as effective as running mariadbd as root.

      You can test it by changing the ownership of /var/lib/mysql to root:root. Mariadbd can still write to that folder even though it should not have permission.
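      The check below is an added example, not part of the report or of the MariaDB project. Instead of chowning the data directory, it reads the CapEff mask that the kernel exposes in /proc/<pid>/status and decodes the bits for the three capabilities named in the unit file (numbers from capabilities(7): CAP_DAC_OVERRIDE is 1, CAP_IPC_LOCK is 14, CAP_AUDIT_WRITE is 29). The sample status texts are constructed, not captured from a host; the live part only runs if a mariadbd process and systemctl are present.

```shell
#!/bin/sh
# Added example (not from the reporter or the MariaDB project): decide whether a
# mariadbd actually holds CAP_DAC_OVERRIDE from the CapEff line of /proc/<pid>/status.
# Capability numbers per capabilities(7).
CAP_DAC_OVERRIDE=1
CAP_IPC_LOCK=14
CAP_AUDIT_WRITE=29

# cap_in_mask HEXMASK CAPNUM: succeed if bit CAPNUM is set. The kernel prints the mask
# as 16 hex digits without a 0x prefix, so the prefix is added here.
cap_in_mask() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# caps_in_mask HEXMASK: print which of the three capabilities of interest are set.
caps_in_mask() {
    out=""
    cap_in_mask "$1" "$CAP_DAC_OVERRIDE" && out="$out CAP_DAC_OVERRIDE"
    cap_in_mask "$1" "$CAP_IPC_LOCK"     && out="$out CAP_IPC_LOCK"
    cap_in_mask "$1" "$CAP_AUDIT_WRITE"  && out="$out CAP_AUDIT_WRITE"
    printf '%s\n' "${out# }"
}

# check_status STATUS_TEXT: classify the contents of a /proc/<pid>/status file as
# DAC_OVERRIDE, NO_DAC_OVERRIDE or UNKNOWN (no CapEff line found).
check_status() {
    mask=$(printf '%s\n' "$1" | awk '/^CapEff:/ { print $2; exit }')
    if [ -z "$mask" ]; then
        echo UNKNOWN
    elif cap_in_mask "$mask" "$CAP_DAC_OVERRIDE"; then
        echo DAC_OVERRIDE
    else
        echo NO_DAC_OVERRIDE
    fi
}

# Constructed samples (not captured from a real host). The first is what
# AmbientCapabilities=CAP_IPC_LOCK CAP_DAC_OVERRIDE CAP_AUDIT_WRITE yields for the
# non-root mysqld: bits 1, 14 and 29, i.e. 0x20004002. The second has CAP_IPC_LOCK
# alone; the third is a full root capability set for comparison.
SAMPLE_STATUS_AMBIENT_ALL=$(printf 'Name:\tmariadbd\nCapEff:\t0000000020004002\n')
SAMPLE_STATUS_IPC_LOCK_ONLY=$(printf 'Name:\tmariadbd\nCapEff:\t0000000000004000\n')
SAMPLE_STATUS_ROOT=$(printf 'Name:\tmariadbd\nCapEff:\t000001ffffffffff\n')

echo "ambient all:   $(check_status "$SAMPLE_STATUS_AMBIENT_ALL")"    # DAC_OVERRIDE
echo "ipc_lock only: $(check_status "$SAMPLE_STATUS_IPC_LOCK_ONLY")"  # NO_DAC_OVERRIDE

# Live check against a running daemon, if there is one.
if pid=$(pgrep -xo mariadbd 2>/dev/null) && [ -n "$pid" ]; then
    echo "mariadbd pid $pid: $(check_status "$(cat "/proc/$pid/status")")"
    echo "caps held: $(caps_in_mask "$(awk '/^CapEff:/ { print $2 }' "/proc/$pid/status")")"
fi
# What systemd thinks it configured, for comparison with what the process holds.
if command -v systemctl >/dev/null 2>&1; then
    systemctl show mariadb -p AmbientCapabilities -p CapabilityBoundingSet 2>/dev/null || true
fi
```

      If the live line reports DAC_OVERRIDE while the daemon runs as the mysql user, the process can bypass DAC permission checks on every file, which is the condition the report describes.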

          Activity

            knielsen Kristian Nielsen added a comment -

            danblack Maybe you can take a look at this?

            It looks like it was introduced by the below patch. I'm not an expert on capabilities and systemd, but from a quick look at the docs, it seems AmbientCapabilities grants the listed capabilities to the process. That was not the intention with CapabilityBoundingSet, which limits the set of capabilities, not grants any extra. So probably CAP_DAC_OVERRIDE should not be specified in AmbientCapabilities?

            commit 76a27155b4cd8174e900577dd01df2db1327b120
            Author: Daniel Black <daniel@mariadb.org>
            Date:   Wed Mar 20 18:25:21 2024 +1100
             
                MDEV-33301 memlock with systemd still not working
             
            diff --git a/support-files/mariadb.service.in b/support-files/mariadb.service.in
            index ee5b5ddc427..dce845a9f72 100644
            --- a/support-files/mariadb.service.in
            +++ b/support-files/mariadb.service.in
            @@ -51,7 +51,7 @@ Group=mysql
             # CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0
             #   does nothing for non-root, not needed if /etc/shadow is u+r
             # CAP_AUDIT_WRITE auth_pam_tool needs it on Debian for whatever reason
            -CapabilityBoundingSet=CAP_IPC_LOCK CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
            +AmbientCapabilities=CAP_IPC_LOCK CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
            
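            Review bot: the `-`/`+` pair changes semantics, not just a directive name. CapabilityBoundingSet only limits what the process may ever hold (as the commit's own memlock problem shows, it granted nothing), whereas AmbientCapabilities hands the listed capabilities to the non-root mysqld at exec, so after this line CAP_DAC_OVERRIDE and CAP_AUDIT_WRITE are live for the daemon and not only for auth_pam_tool; the unchanged comment two lines above ("does nothing for non-root, not needed if /etc/shadow is u+r") is now wrong for the same reason. Since the purpose stated in the commit message is memlock, suggest granting only that one, `AmbientCapabilities=CAP_IPC_LOCK`, keeping `CapabilityBoundingSet=CAP_IPC_LOCK CAP_DAC_OVERRIDE CAP_AUDIT_WRITE` as a separate line for the auth_pam_tool case, and rewriting the comment block to say which directive each capability lives in.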

            danblack Daniel Black added a comment -

            Yikes,

            Yes, CapabilityBoundingSet needs a setcap cap_XX+ep on the executables to gain the capabilities.

            I'm not sure if the auth_pam_tool users are meant to do this. The integration expectation seems a bit vague here.

            But absolutely, only CAP_IPC_LOCK was intended to be ambient.

            danblack Daniel Black added a comment - for review https://github.com/MariaDB/server/pull/3873
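            The drop-in below is an added example and is not the project's fix (that is the pull request linked above, whose contents are not shown here). It applies the intent stated in the thread, only CAP_IPC_LOCK ambient, as a local systemd override, and replays the one rule that makes such overrides go wrong: AmbientCapabilities= and CapabilityBoundingSet= are list settings that merge across the unit and its drop-ins, and only an empty assignment resets the list (systemd.exec(5)). The file name 10-capabilities.conf, the target directory, and the stand-in unit line are my choices, not the project's.

```shell
#!/bin/sh
# Added example (not the MariaDB project's fix): a drop-in that keeps only CAP_IPC_LOCK
# ambient and leaves the other two capabilities in the bounding set, plus a check that
# replays systemd's merge/reset rule so a forgotten reset line is caught before restart.

# write_caps_override DIR: write DIR/10-capabilities.conf (file name is an assumption).
write_caps_override() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/10-capabilities.conf" <<'EOF'
[Service]
# Reset both lists first; otherwise the values from mariadb.service are merged in.
AmbientCapabilities=
CapabilityBoundingSet=
# Only CAP_IPC_LOCK is granted to the mysql user (for --memlock, MDEV-33301).
AmbientCapabilities=CAP_IPC_LOCK
# The bounding set limits what may ever be acquired; it grants nothing by itself.
CapabilityBoundingSet=CAP_IPC_LOCK CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
EOF
}

# effective_ambient FILE...: apply systemd's rule for AmbientCapabilities= across the
# given files in order (unit first, then drop-ins): an empty assignment resets the set,
# anything else is appended. Prints the resulting set.
effective_ambient() {
    awk -F= '
        /^AmbientCapabilities=/ {
            if ($2 == "") set = ""
            else set = (set == "" ? $2 : set " " $2)
        }
        END { print set }' "$@"
}

# Constructed stand-ins: the line the shipped unit carries today, and a naive drop-in
# that only adds a line without resetting the list first.
SHIPPED_LINE='AmbientCapabilities=CAP_IPC_LOCK CAP_DAC_OVERRIDE CAP_AUDIT_WRITE'
NAIVE_DROPIN='AmbientCapabilities=CAP_IPC_LOCK'

demo() {
    tmp=$(mktemp -d)
    printf '%s\n' "$SHIPPED_LINE" > "$tmp/mariadb.service"
    printf '[Service]\n%s\n' "$NAIVE_DROPIN" > "$tmp/naive.conf"
    write_caps_override "$tmp/mariadb.service.d"
    echo "naive drop-in: $(effective_ambient "$tmp/mariadb.service" "$tmp/naive.conf")"
    echo "with reset:    $(effective_ambient "$tmp/mariadb.service" "$tmp/mariadb.service.d/10-capabilities.conf")"
    rm -rf "$tmp"
}
demo
```

            Installed under /etc/systemd/system/mariadb.service.d/ and followed by `systemctl daemon-reload` and a restart, the override leaves mariadbd with CAP_IPC_LOCK only; the naive variant prints a set that still contains CAP_DAC_OVERRIDE. Whether auth_pam_tool still works afterwards depends on the setcap question Daniel Black raises above and has to be verified separately.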

            People

              cvicentiu Vicențiu Ciorbaru
              Desdic Kim Gert Nielsen