[MDEV-36229] MariaDB effectively running as root CAP_DAC_OVERRIDE - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Blocker
Resolution: Fixed
Affects Version/s: 10.5.25
Fix Version/s: 10.5.29, 10.6.22, 10.11.12, 11.4.6, 11.8.2
Component/s: Server
Labels:

Description

Hi,

I tried to figure out why mariadbd actually can write in paths where only root has permissions and then I found

https://github.com/MariaDB/server/blob/main/support-files/mariadb.service.in#L54

Setting `AmbientCapabilities=CAP_DAC_OVERRIDE` is just as effective as running mariadbd as root.

You can test it by changing permissions on /var/lib/mysql to root:root. Mariadbd can still write in that folder even though it should not have permissions

Attachments

Issue Links

causes

MDEV-36591 RHEL 8 (and compatible) + Ubuntu 20.04 cannot start systemd servce (EXIT_CAPABILTIES/218)

Closed

is caused by

MDEV-33301 memlock with systemd still not working even with MDEV-9095 fix

Closed

relates to

MDEV-33301 memlock with systemd still not working even with MDEV-9095 fix

Closed

Activity

People

Assignee:: Vicențiu Ciorbaru

Reporter:: Kim Gert Nielsen

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Dates

Created:: 2025-03-05 20:06

Updated:: 2025-04-25 15:48

Resolved:: 2025-03-26 08:26

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.