1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
|
From bf66e7d610de0d7d3651742342c01ed9ff93f363 Mon Sep 17 00:00:00 2001
From: Christian Hesse <mail@eworm.de>
Date: Wed, 19 Feb 2020 13:10:17 +0100
Subject: [PATCH 1/3] enable PrivateTmp for a little bit more security
---
support-files/mariadb.service.in | 2 +-
support-files/mariadb@.service.in | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/support-files/mariadb.service.in b/support-files/mariadb.service.in
index e7665ed1219..a1fe69d61c4 100644
--- a/support-files/mariadb.service.in
+++ b/support-files/mariadb.service.in
@@ -129,7 +129,7 @@ UMask=007
# If you don't use the /tmp directory for SELECT ... OUTFILE and
# LOAD DATA INFILE you can enable PrivateTmp=true for a little more security.
-PrivateTmp=false
+PrivateTmp=true
# Set an explicit Start and Stop timeout of 900 seconds (15 minutes!)
# this is the same value as used in SysV init scripts in the past
diff --git a/support-files/mariadb@.service.in b/support-files/mariadb@.service.in
index ffefc2f22d8..f8b0b8aad8d 100644
--- a/support-files/mariadb@.service.in
+++ b/support-files/mariadb@.service.in
@@ -241,7 +241,7 @@ UMask=007
# If you don't use the /tmp directory for SELECT ... OUTFILE and
# LOAD DATA INFILE you can enable PrivateTmp=true for a little more security.
-PrivateTmp=false
+PrivateTmp=true
# Set an explicit Start and Stop timeout of 900 seconds (15 minutes!)
# this is the same value as used in SysV init scripts in the past
From 00aab78891a19a14a92039fcc6a73e391a3bb471 Mon Sep 17 00:00:00 2001
From: Christian Hesse <mail@eworm.de>
Date: Wed, 19 Feb 2020 13:10:46 +0100
Subject: [PATCH 2/3] force preloading jemalloc for memory management
---
support-files/mariadb.service.in | 1 +
support-files/mariadb@.service.in | 1 +
2 files changed, 2 insertions(+)
diff --git a/support-files/mariadb.service.in b/support-files/mariadb.service.in
index a1fe69d61c4..9a2941ae917 100644
--- a/support-files/mariadb.service.in
+++ b/support-files/mariadb.service.in
@@ -159,6 +159,7 @@ LimitNOFILE=16364
# Library substitutions. previously [mysqld_safe] malloc-lib with explicit paths
# (in LD_LIBRARY_PATH) and library name (in LD_PRELOAD).
# Environment="LD_LIBRARY_PATH=/path1 /path2" "LD_PRELOAD=
+Environment="LD_PRELOAD=/usr/lib/libjemalloc.so"
# Flush caches. previously [mysqld_safe] flush-caches=1
# ExecStartPre=sync
diff --git a/support-files/mariadb@.service.in b/support-files/mariadb@.service.in
index f8b0b8aad8d..3309127330c 100644
--- a/support-files/mariadb@.service.in
+++ b/support-files/mariadb@.service.in
@@ -282,6 +282,7 @@ LimitNOFILE=16364
# Library substitutions. previously [mysqld_safe] malloc-lib with explicit paths
# (in LD_LIBRARY_PATH) and library name (in LD_PRELOAD).
# Environment="LD_LIBRARY_PATH=/path1 /path2" "LD_PRELOAD=
+Environment="LD_PRELOAD=/usr/lib/libjemalloc.so"
# Flush caches. previously [mysqld_safe] flush-caches=1
# ExecStartPre=sync
From a78ff18c83a5eb2556d4f3716f13786dcd8395d2 Mon Sep 17 00:00:00 2001
From: Christian Hesse <mail@eworm.de>
Date: Wed, 19 Feb 2020 13:11:31 +0100
Subject: [PATCH 3/3] Make systemd-tmpfiles create MYSQL_DATADIR
This is a no-op if the directory exists, but makes sure it is created by
systemd-tmpfiles with proper permissions otherwise.
This solves packaging issues when the user MYSQLD_USER is created by
systemd-sysusers and uid is not known in advance.
Also this now sets the No_COW attribute.
---
support-files/tmpfiles.conf.in | 2 +
1 file changed, 2 insertion(+)
diff --git a/support-files/tmpfiles.conf.in b/support-files/tmpfiles.conf.in
index 03d66abc0c7..3c89cb258c9 100644
--- a/support-files/tmpfiles.conf.in
+++ b/support-files/tmpfiles.conf.in
@@ -1 +1,3 @@
d @MYSQL_UNIX_DIR@ 0755 @MYSQLD_USER@ @MYSQLD_USER@ -
+d @MYSQL_DATADIR@ 0700 @MYSQLD_USER@ @MYSQLD_USER@ -
+h @MYSQL_DATADIR@ - - - - +C
|