![](https://secure.gravatar.com/avatar/022f6d874ba7c163544b8ae60c16a1bc.jpg?s=120&d=mm&r=g)
This was relaxed in https://github.com/MariaDB/server/commit/27e6fd9a5968
where the setuid is only tried if mariadbd --user is specified.
This isn't the case with systemd service files (which set the user)
https://github.com/MariaDB/server/blob/10.5/support-files/mariadb.service.in...
where
the CAP_IPC_LOCK capability gives the user the memlock rather than setuid.
So maybe it is safe to drop the mysqld_t setgid setuid from the policy for
the common case of a user running systemd service which also works if they
are using memlock.
While we are looking at the list, assuming sys_resource maps to
CAP_SYS_RESOURCE that would only be raising the rlimit nofile, which is
done in the systemd service.
in the server code this is capped anyway -
https://github.com/MariaDB/server/blob/10.5/mysys/my_file.c#L42
sys_nice - seems to be related to a innodb setpriority(PRIO_PROCESS, tid,
-20), which isn't fatal if it doesn't succeed. no other CAP_SYS_NICE are
used.
Maybe we should have
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#LimitNICE...
instead. Advice welcome.
allow mysqld_t self:shm create_shm_perms - not required in 10.5+ - shm no
longer used for large pages - anon mmap is used.
rw_fifo_file_perms - one test case created a fifo -
mysql-test/main/log_errchk.test, the server has some code to handle if log
files externally created are fifos, but it doesn't create them itself.
galera code mentions fifo's a lot, however its an internal structure.
Script
https://github.com/MariaDB/server/blob/10.5/scripts/wsrep_sst_mariabackup.sh...
mentios fifos, however this
appears to just be using pv to rate limit.
https://github.com/MariaDB/server/pull/1553 is probably needed too.
I see
https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules...
probably covers https://github.com/MariaDB/server/pull/1131.
On Fri, Mar 12, 2021 at 10:14 PM Sergei Golubchik
Hi, Lukas!
I found that setuid/setgid is used inside mysqld_safe_helper (mariadbd-safe-helper). Are there any other cases when MariaDB uses these functions?
Yes, in the server. If the server is started with --memlock it does
mlockall(MCL_CURRENT)
to prevent itself from being swapped. This needs root, and the server uses setuid/setgid to drop root privileges after mlockall.
Regards, Sergei VP of MariaDB Server Engineering and security@mariadb.org
_______________________________________________ Mailing list: https://launchpad.net/~maria-discuss Post to : maria-discuss@lists.launchpad.net Unsubscribe : https://launchpad.net/~maria-discuss More help : https://help.launchpad.net/ListHelp