SECURITY IMPORTANCE - recommend reading for systemd packaging

tldr: https://jira.mariadb.org/browse/MDEV-36229

Thanks for sharing Otto,

Note the IPC Lock commit https://salsa.debian.org/mariadb-team/mariadb-server/-/commit/172c7d3fa579e5365fd0e048f8d655b5e83e848e

was something I reverted on https://github.com/MariaDB/server/pull/3157 after an obscure case of using env OPENSSL_CONF to control settings was incompatible with any setcap cap_ipc_lock+ep on the mariadbd executable.

With https://jira.mariadb.org/browse/MDEV-36229 that came in a few hours ago, I think that
CAP_DAC_OVERRIDE CAP_AUDIT_WRITE moving with CAP_IPC_LOCK to AmbientCapabilities was probably a mistake.

In the systemd service files the following is probably a much safer option. This is the one I'm considering.

CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
AmbientCapabilities=CAP_IPC_LOCK


If packagers truly want a safe option probably:

CapabilityBoundingSet=CAP_IPC_LOCK CAP_DAC_OVERRIDE CAP_AUDIT_WRITE

This is better, though that means users have a choice of env OPENSSL_CONF or --memlock depending on whether they use setcap themselves on the executable.

Noting I haven't looked strongly at how the Debian PAM needs DAC/AUDIT_WRITE beyond the systemd service file comments.

Short of arguing with OpenSSL devs about AT_SECURITY (oh wait, I did - https://github.com/openssl/openssl/issues/21770) I couldn't see an easy packaging resolution.

Thanks for your attention to packaging MariaDB.
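An added check, written for this thread and not part of the thread or of MariaDB's own packaging: it decodes the capability masks in /proc/<pid>/status and flags capabilities that are live (effective or ambient) in a running mariadbd rather than merely allowed by the bounding set, which is the distinction the two unit file layouts above turn on. The two status fragments are constructed to mirror the old and proposed layouts, and the bounding set in the samples is assumed to include the ambient caps.

```python
# Added example (not from the thread or MariaDB): decode /proc/<pid>/status
# capability masks and flag caps that are effective or ambient rather than
# merely present in the bounding set. Status fragments below are constructed.

# Bit positions from linux/capability.h; only the three caps the thread
# discusses are named here, any other set bit is reported as cap_<bit>.
CAP_BITS = {"CAP_DAC_OVERRIDE": 1, "CAP_IPC_LOCK": 14, "CAP_AUDIT_WRITE": 29}
BIT_NAMES = {bit: name for name, bit in CAP_BITS.items()}

def mask_of(*names):
    """Build a capability mask from names, as a unit file line lists them."""
    mask = 0
    for name in names:
        mask |= 1 << CAP_BITS[name]
    return mask

def decode_mask(mask):
    """Return the set of capability names whose bit is set in mask."""
    return {BIT_NAMES.get(bit, f"cap_{bit}") for bit in range(64) if mask >> bit & 1}

def parse_status(text):
    """Extract the Cap* lines (CapInh/CapPrm/CapEff/CapBnd/CapAmb) as integers."""
    caps = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.startswith("Cap"):
            caps[key] = int(value.strip(), 16)
    return caps

def audit(status_text, allowed_live):
    """Return caps that are effective or ambient but not in allowed_live.

    Bounding-set-only caps (CapBnd) are not flagged: the process cannot use
    them unless the binary is setcap'ed or it gains them some other way."""
    caps = parse_status(status_text)
    live = decode_mask(caps.get("CapEff", 0)) | decode_mask(caps.get("CapAmb", 0))
    return sorted(live - set(allowed_live))

def constructed_status(bounding, ambient):
    """Constructed status fragment for a non-root service with these caps."""
    fields = [("CapInh", ambient), ("CapPrm", ambient), ("CapEff", ambient),
              ("CapBnd", bounding | ambient), ("CapAmb", ambient)]
    return "\n".join(f"{key}:\t{value:016x}" for key, value in fields)

# All three caps ambient (the reverted layout) versus CAP_IPC_LOCK only ambient
# with CAP_DAC_OVERRIDE and CAP_AUDIT_WRITE left in the bounding set.
OLD_STATUS = constructed_status(0, mask_of("CAP_DAC_OVERRIDE", "CAP_AUDIT_WRITE", "CAP_IPC_LOCK"))
PROPOSED_STATUS = constructed_status(mask_of("CAP_DAC_OVERRIDE", "CAP_AUDIT_WRITE"),
                                     mask_of("CAP_IPC_LOCK"))
```

Against a live service, `audit(open("/proc/<pid>/status").read(), ["CAP_IPC_LOCK"])` should return an empty list for the proposed layout; any CAP_DAC_OVERRIDE or CAP_AUDIT_WRITE in the result means they are usable by mariadbd, not just permitted by the bounding set.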

On Thu, 6 Mar 2025 at 02:30, Otto Kekäläinen via packagers <packagers@lists.mariadb.org> wrote:
>
> Hi!
>
> As packaging occasionally requires some decisions of what to include
> or exclude, I wanted to share to other packagers here what we ended up
> doing for the official Debian and Ubuntu repositories:
>
>
> The next uploads in line are ready for review at:
>
> https://salsa.debian.org/mariadb-team/mariadb-server/-/merge_requests/102
> Prepare MariaDB Server 1:11.4.5-1 minor maintenance release for Debian unstable
>
> https://salsa.debian.org/mariadb-team/mariadb-server/-/merge_requests/98
> Prepare MariaDB Server 1:10.11.11-0+deb12u1 minor maintenance release
> for Debian stable (Bookworm)
>
> https://salsa.debian.org/mariadb-team/mariadb-server/-/merge_requests/106
> Prepare upload to MariaDB 10.11.9 to Ubuntu 24.04 "Noble"
>
> https://salsa.debian.org/mariadb-team/mariadb-server/-/merge_requests/96
> Prepare upload to MariaDB 10.6.19 to Ubuntu 22.04 "Jammy"
>
> https://salsa.debian.org/mariadb-team/mariadb-10.5/-/merge_requests/20
> New upstream version MariaDB 10.5.28 for Debian 11 "Bullseye"
>
>
> So far we haven't encountered any regressions, so all good!
>
> - Otto
> _______________________________________________
> packagers mailing list -- packagers@lists.mariadb.org
> To unsubscribe send an email to packagers-leave@lists.mariadb.org