  1. MariaDB Server
  2. MDEV-37861

UNIX socket file is always created with 0777 permissions, ignores UMask and has no configuration option

Details

    • Bug
    • Status: Needs Feedback
    • Major
    • Resolution: Unresolved
    • 11.8.3
    • None
    • Debian 13.1 (trixie), MariaDB 11.8.3

    Description

      When starting MariaDB (tested with 11.8.3, Debian 13.1/systemd), the UNIX socket file `/run/mysqld/mysqld.sock` is *always created with permissions 0777 (srwxrwxrwx)*, regardless of any UMask setting in the systemd unit or shell, and there is *no way to restrict this via configuration*.

      *Steps to reproduce:*

      • Use a clean installation of MariaDB 11.8.3 on Debian (also reproducible in WSL and probably other distros).
      • The default (Debian) systemd unit at `/lib/systemd/system/mariadb.service` sets `UMask=007` by default.
      • Start or restart MariaDB.
      • The socket file is always created with 0777 permissions.
      • Setting UMask in systemd override (e.g., `UMask=0027`, `UMask=077`), or changing the shell umask before manual startup, has *no effect*.
      • No (documented) MariaDB option allows changing the socket file mode.

      *Expected behavior:*

      • The UNIX socket file should respect the UMask setting (from systemd unit or shell).
      • Alternatively, there should be a configuration option to restrict permissions to e.g. 0770 or 0660, following the principle of least privilege, as is common in other daemons (Postgres, Redis, Dovecot, ...).

      *Why this is a problem:*

      • The socket is world-accessible, allowing *any local user* to attempt connecting, even if not in the `mysql` group.
      • This may violate site security policies and contradicts the intention of packaging/systemd defaults.
      • There is no documentation warning about this issue or offering a workaround.

      *Notes:*

      • Issue confirmed on multiple Debian Trixie installs (physical & WSL), with no manual configuration.
      • I found several Jira issues about UMASK for data directories (e.g. MDEV-17637, MDEV-23058), but nothing for socket file permissions.
      • The same issue was reported years ago upstream in MySQL Bug #15105, but is now even more relevant with widespread systemd adoption.

      See also:
      Debian Bug #1117874 (confirmed by Debian maintainers, not patched downstream)
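
The expected behaviour named in the report, as an added example that is not part of the original report or of MariaDB's code: a listener bound under a umask gets mode `0777 & ~umask`, and a small audit function flags a socket that is left world-writable. The function names, scratch paths and the `forced777` case (a chmod standing in for the reported 0777 end state) are constructed for illustration; it assumes Linux, where connecting requires write permission on the socket file.

```python
import os
import socket
import stat
import tempfile

def bind_with_umask(path, mask):
    """Bind an AF_UNIX listener at `path` under `mask`; return (socket, file mode)."""
    old = os.umask(mask)
    try:
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(path)  # the kernel creates the file as 0777 & ~umask
    finally:
        os.umask(old)
    srv.listen(1)
    return srv, stat.S_IMODE(os.lstat(path).st_mode)

def audit_socket(path):
    """Return findings for a socket path; an empty list means no world access."""
    st = os.lstat(path)
    if not stat.S_ISSOCK(st.st_mode):
        return [f"{path}: not a socket"]
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if mode & stat.S_IWOTH:
        # Assumption: Linux semantics, connect() needs write permission on the file.
        findings.append(f"{path}: mode {mode:04o} lets any local user connect")
    return findings

def demo():
    """Create three sockets in a scratch directory and audit each one."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, mask, force in (("umask007", 0o007, None),
                                  ("umask077", 0o077, None),
                                  ("forced777", 0o007, 0o777)):
            path = os.path.join(d, name + ".sock")
            srv, mode = bind_with_umask(path, mask)
            if force is not None:
                os.chmod(path, force)  # constructed stand-in for the reported end state
                mode = stat.S_IMODE(os.lstat(path).st_mode)
            results[name] = (mode, audit_socket(path))
            srv.close()
    return results

if __name__ == "__main__":
    for name, (mode, findings) in demo().items():
        print(f"{name}: {mode:04o} {'FLAGGED' if findings else 'ok'}")
```

To check a live server, call `audit_socket("/run/mysqld/mysqld.sock")` as a user that can read `/run/mysqld`.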

            People

              danblack Daniel Black
              phonon112358 Aaron Schaal