[MDEV-10298] Improve systemd service hardening
Created: 2016-06-28  Updated: 2021-08-06  Resolved: 2016-07-12

Status: Closed
Project: MariaDB Server
Component/s: Scripts & Clients
Affects Version/s: 10.1.14
Fix Version/s: 10.1.16

Type: Bug
Priority: Major
Reporter: Craig Andrews
Assignee: Sergey Vojtovich
Resolution: Fixed
Votes: 1
Labels: contribution, foundation, patch, systemd
Environment: systemd, Gentoo

Issue Links:
Problem/Incident
causes MDEV-10399 custom tmpdir permission denied only ... Closed
causes MDEV-10404 Improved systemd service hardening ca... Closed
causes MDEV-10405 mysql.sock gets created with differen... Closed
causes MDEV-10519 MariaDB fails to start after upgrade ... Closed
causes MDEV-13207 PrivateDevices breaks systemd service... Closed
causes MDEV-13896 Upgraded to 10.2.8 on Centos 7.4 ibda... Closed
causes MDEV-26317 Distributed mariadb.service Systed se... Closed
Sprint: 1.0.2

 Description   

It would be nice to use more of systemd's hardening features:

ProtectSystem=full
NoNewPrivileges=true
PrivateDevices=true
ProtectHome=true

I tested these settings and didn't experience any problems in my (admittedly limited) setup. I think they should be fine for anyone except for exceptional and odd situations. For the (very rare) impacted user, they can always override the systemd service - but a secure configuration should be the default.
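
A check for whether a unit's effective [Service] settings still include the four directives proposed above once drop-in overrides are applied. This is an added example, not part of the original issue or of MariaDB's patch. The unit text, the drop-in and the function names are constructed for illustration, and treating ProtectSystem=strict as meeting the proposal is an assumption.

```python
BOOL_TRUE = {"1", "yes", "y", "true", "t", "on"}  # systemd boolean spellings
WANTED = {
    "ProtectSystem": {"full", "strict"},  # "strict" is stronger than "full"
    "NoNewPrivileges": BOOL_TRUE,
    "PrivateDevices": BOOL_TRUE,
    "ProtectHome": BOOL_TRUE,
}

def service_settings(*unit_texts):
    """Merge [Service] keys; later texts (drop-ins) override earlier ones."""
    merged = {}
    for text in unit_texts:
        section = None
        for line in map(str.strip, text.splitlines()):
            if not line or line[0] in "#;":
                continue  # blank line or comment
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1]
            elif section == "Service" and "=" in line:
                key, _, value = line.partition("=")
                merged[key.strip()] = value.strip()
    return merged

def audit(*unit_texts):
    """Map each directive to ('ok' | 'weak' | 'missing', effective value)."""
    found = service_settings(*unit_texts)
    report = {}
    for name, accepted in WANTED.items():
        value = found.get(name)
        status = "missing" if value is None else (
            "ok" if value.lower() in accepted else "weak")
        report[name] = (status, value)
    return report

# Constructed sample input (hypothetical unit and drop-in, not MariaDB's files).
MAIN_UNIT = """[Service]
ExecStart=/usr/sbin/exampled
ProtectSystem=full
NoNewPrivileges=true
PrivateDevices=true
"""
DROP_IN = """[Service]
; local override that relaxes one setting
PrivateDevices=false
"""

if __name__ == "__main__":
    for name, (status, value) in audit(MAIN_UNIT, DROP_IN).items():
        print(f"{name:16} {status:8} {value}")
```

On the constructed input, the drop-in turns PrivateDevices from ok to weak, and ProtectHome is reported as missing because neither file sets it.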



 Comments   
Comment by Craig Andrews [ 2016-06-28 ]

https://github.com/MariaDB/server/pull/195

Comment by Sergey Vojtovich [ 2016-07-12 ]

serg, could you also have a look at this patch? Yet I couldn't foresee any problems that it may cause.

Comment by Sergei Golubchik [ 2016-07-12 ]

ok to push
