3262458610
Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort OBS-URL: https://build.opensuse.org/request/show/923533 OBS-URL: https://build.opensuse.org/package/show/server:database/mariadb?expand=0&rev=281
83 lines
2.4 KiB
SYSTEMD
83 lines
2.4 KiB
SYSTEMD
# It's not recommended to modify this unit file because your changes
|
|
# would be overwritten during the package update.
|
|
#
|
|
# However, there are 2 methods how to customize this unit file:
|
|
#
|
|
# 1) Copy this unit file from /usr/lib/systemd/system to
|
|
# /etc/systemd/system and modify the chosen settings.
|
|
#
|
|
# 2) Create a directory named mariadb.service.d/ within /etc/systemd/system
|
|
# and place a drop-in file name.conf there that only changes the specific
|
|
# settings one is interested in.
|
|
#
|
|
# see systemd.unit(5) for details
|
|
#
|
|
# Example - increasing of the TimeoutSec= limit
|
|
# mkdir /etc/systemd/system/mariadb.service.d
|
|
# cat > /etc/systemd/system/mariadb.service.d/timeout.conf << EOF
|
|
# [Service]
|
|
# TimeoutSec=600
|
|
# EOF
|
|
|
|
[Unit]
|
|
Description=MariaDB database server
|
|
Documentation=man:mysqld(8)
|
|
Documentation=https://mariadb.com/kb/en/library/systemd/
|
|
Conflicts=mariadb.target
|
|
After=network.target time-sync.target
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|
|
Alias=mysql.service
|
|
|
|
[Service]
|
|
ExecStartPre=@LIBEXECDIR@/mysql/mysql-systemd-helper install
|
|
ExecStartPre=@LIBEXECDIR@/mysql/mysql-systemd-helper upgrade
|
|
ExecStart=@LIBEXECDIR@/mysql/mysql-systemd-helper start
|
|
|
|
Type=notify
|
|
User=mysql
|
|
Group=mysql
|
|
|
|
KillSignal=SIGTERM
|
|
|
|
# Don't want to see an automated SIGKILL ever
|
|
SendSIGKILL=no
|
|
|
|
# Restart crashed server only, on-failure would also restart, for example, when
|
|
# my.cnf contains unknown option
|
|
Restart=on-abort
|
|
RestartSec=5s
|
|
|
|
# Configures the time to wait for start-up/stop
|
|
TimeoutSec=300
|
|
|
|
# CAP_IPC_LOCK To allow memlock to be used as non-root user
|
|
# CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0
|
|
# does nothing for non-root, not needed if /etc/shadow is u+r
|
|
# CAP_AUDIT_WRITE auth_pam_tool needs it on Debian for whatever reason
|
|
CapabilityBoundingSet=CAP_IPC_LOCK CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
|
|
|
|
# Prevent writes to /usr, /boot, and /etc
|
|
ProtectSystem=full
|
|
|
|
# Prevent accessing /home, /root and /run/user
|
|
ProtectHome=true
|
|
# added automatically, for details please see
|
|
# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
|
|
PrivateDevices=true
|
|
ProtectHostname=true
|
|
ProtectClock=true
|
|
ProtectKernelTunables=true
|
|
ProtectKernelModules=true
|
|
ProtectKernelLogs=true
|
|
ProtectControlGroups=true
|
|
RestrictRealtime=true
|
|
# end of automatic additions
|
|
|
|
# Execute pre and post scripts as root, otherwise it does it as User=
|
|
PermissionsStartOnly=true
|
|
|
|
UMask=007
|
|
|