Bug 587416

Summary: dev-db/mysql-init-scripts: systemd hardening
Product: Gentoo Linux
Reporter: Craig Andrews <candrews>
Component: Current packages
Assignee: Gentoo Linux MySQL bugs team <mysql-bugs>
Status: RESOLVED FIXED
Severity: normal
CC: candrews
Priority: Normal
Keywords: PATCH
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Craig Andrews gentoo-dev 2016-06-28 15:04:20 UTC
dev-db/mysql-init-scripts's systemd services, mysqld.service and mysqld@.service, should use systemd's hardening features:

# To allow memlock to be used as non-root user if set in configuration
CapabilityBoundingSet=CAP_IPC_LOCK
ProtectSystem=full (or at least true)
NoNewPrivileges=true
PrivateDevices=true
ProtectHome=true
UMask=007

I tested these settings and didn't experience any problems in my (admittedly limited) setup. I think they should be fine for anyone except for exceptional and odd situations. For the (very rare) impacted user, they can always override the systemd service - but a secure configuration should be the default.
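The directives above, as a systemd drop-in plus a small audit script. This is an added example and not code from the bug report or from dev-db/mysql-init-scripts; the unit directory, the drop-in name 10-hardening.conf and the sample unit text are constructed for the example. The audit merges a unit with its drop-ins the way systemd does (later assignment wins, an empty assignment resets the key) and reports each directive, which lets an administrator see what a given host actually runs before deciding whether a setup like the Galera cluster mentioned later in this bug needs an override.

```shell
#!/bin/sh
# Added example for this bug; not code from mysql-init-scripts or the report.
# (1) writes the proposed hardening directives as a drop-in, and
# (2) audits a unit, with drop-ins merged as systemd merges them, for them.
# The directory layout and the sample unit below are constructed for the example.

# Directive=value pairs proposed in the bug report.
HARDENING_DIRECTIVES="CapabilityBoundingSet=CAP_IPC_LOCK ProtectSystem=full NoNewPrivileges=true PrivateDevices=true ProtectHome=true UMask=007"

# write_hardening_dropin UNITDIR: create UNITDIR/mysqld.service.d/10-hardening.conf.
# A drop-in survives package upgrades and is also how a user would override
# any of these settings in the other direction.
write_hardening_dropin() {
    dropin_dir="$1/mysqld.service.d"
    mkdir -p "$dropin_dir"
    {
        printf '[Service]\n'
        printf '# Allow memlock as a non-root user if set in the MySQL configuration\n'
        for pair in $HARDENING_DIRECTIVES; do printf '%s\n' "$pair"; done
    } > "$dropin_dir/10-hardening.conf"
}

# effective_unit UNITFILE: the unit followed by its drop-ins in sorted order,
# which is the order systemd applies them.
effective_unit() {
    cat "$1"
    for f in "$1.d"/*.conf; do
        if [ -f "$f" ]; then cat "$f"; fi
    done
}

# unit_get KEY UNITFILE: value of KEY in [Service] after merging drop-ins;
# the last assignment wins and "KEY=" (empty) resets it.
unit_get() {
    effective_unit "$2" | awk -v key="$1" '
        /^\[/ { in_service = ($0 == "[Service]"); next }
        in_service && index($0, key "=") == 1 { val = substr($0, length(key) + 2) }
        END   { print val }'
}

# audit_unit UNITFILE: print one line per directive; return the number of problems.
audit_unit() {
    problems=0
    for pair in $HARDENING_DIRECTIVES; do
        key=${pair%%=*}; want=${pair#*=}
        have=$(unit_get "$key" "$1")
        if [ -z "$have" ]; then
            echo "missing  $key (want $want)"; problems=$((problems + 1))
        elif [ "$have" = "$want" ]; then
            echo "ok       $key=$have"
        elif [ "$key" = ProtectSystem ] && { [ "$have" = true ] || [ "$have" = strict ]; }; then
            # The report asks for full but accepts true; strict is stronger than full.
            echo "ok       $key=$have (report asks for full, accepts true)"
        else
            echo "mismatch $key=$have (want $want)"; problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Demonstration on a constructed, unhardened unit in a temporary directory.
demo() {
    unitdir=$(mktemp -d)
    cat > "$unitdir/mysqld.service" <<'EOF'
[Unit]
Description=MySQL database server (constructed sample)

[Service]
Type=simple
User=mysql
Group=mysql
ExecStart=/usr/sbin/mysqld
EOF
    echo "== before drop-in =="
    before=0; audit_unit "$unitdir/mysqld.service" || before=$?
    write_hardening_dropin "$unitdir"
    echo "== after drop-in =="
    after=0; audit_unit "$unitdir/mysqld.service" || after=$?
    rm -rf "$unitdir"
    echo "problems before: $before, after: $after"
    [ "$after" -eq 0 ]
}

demo
```

On a real host the same audit can be pointed at /etc/systemd/system/mysqld.service or the unit shipped under /usr/lib/systemd/system, with drop-ins in the matching .d directory; the script only reads files and never touches a running service.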
Comment 1 Craig Andrews gentoo-dev 2016-06-28 15:11:20 UTC
https://github.com/gentoo/gentoo/pull/1784
Comment 2 Brian Evans (RETIRED) gentoo-dev 2016-06-28 16:03:47 UTC
Please also test this with the latest MariaDB with a Galera cluster configuration (USE=galera with >=dev-db/mariadb-10.1.0)

Galera will pull remote files via rsync or xtrabackup and is meant to be a common setup.  I don't want to harden too much.
Comment 3 Brian Evans (RETIRED) gentoo-dev 2016-06-28 16:05:31 UTC
https://mariadb.com/kb/en/mariadb/getting-started-with-mariadb-galera-cluster/ for info on how to set a cluster up.
Comment 4 Brian Evans (RETIRED) gentoo-dev 2016-07-20 16:34:58 UTC
Since MariaDB upstream committed these options, I've added them with mysql-init-scripts-2.1-r1