Details
-
Bug
-
Status: Needs Feedback (View Workflow)
-
Major
-
Resolution: Unresolved
-
11.8.3
-
None
-
Debian 13.1 (trixie) , MariaDB 11.8.3
Description
When starting MariaDB (tested with 11.8.3, Debian 13.1/systemd), the UNIX socket file `/run/mysqld/mysqld.sock` is *always created with permissions 0777 (srwxrwxrwx), regardless of any UMask setting in the systemd unit or shell, and there is **no way to restrict this via configuration*.
*Steps to reproduce:*
- Use a clean installation of MariaDB 11.8.3 on Debian (also reproducible in WSL and probably other distros).
- The default (Debian) systemd unit at `/lib/systemd/system/mariadb.service` sets `UMask=007` by default.
- Start or restart MariaDB.
- The socket file is always created with 0777 permissions.
- Setting UMask in systemd override (e.g., `UMask=0027`, `UMask=077`), or changing the shell umask before manual startup, has *no effect*.
- No (documented) MariaDB option allows changing the socket file mode.
*Expected behavior:*
- The UNIX socket file should respect the UMask setting (from systemd unit or shell).
- Alternatively, there should be a configuration option to restrict permissions to e.g. 0770 or 0660, following the principle of least privilege, as is common in other daemons (Postgres, Redis, Dovecot, ...).
*Why this is a problem:*
- The socket is world-accessible, allowing *any local user* to attempt connecting, even if not in the `mysql` group.
- This may violate site security policies and contradicts the intention of packaging/systemd defaults.
- There is no documentation warning about this issue or offering a workaround.
*Notes:*
- Issue confirmed on multiple Debian Trixie installs (physical & WSL), with no manual configuration.
- I found several Jira issues about UMASK for data directories (e.g.
MDEV-17637,MDEV-23058), but nothing for socket file permissions. - The same issue was reported years ago upstream in MySQL Bug #15105, but is now even more relevant with widespread systemd adoption.
See also:
Debian Bug #1117874 (confirmed by Debian maintainers, not patched downstream)
Attachments
Issue Links
- relates to
-
MDEV-17637 New systemd-aware script to re-create datadir
-
- Closed
-
- links to