diff --git a/cmake/systemd.cmake b/cmake/systemd.cmake
index a093b89f3c8..404441be747 100644
--- a/cmake/systemd.cmake
+++ b/cmake/systemd.cmake
@@ -57,6 +57,15 @@ MACRO(CHECK_SYSTEMD)
 # ProtectSystem=full prevents it
 ReadWritePaths=-${MYSQL_DATADIR}\n")
 ENDIF()
+ # systemd version 245 (Ubuntu 20.04) and less cannot
+ # handle ambient capbilities on non-root processes
+ # 247 (Debian 11) is a version afterwards that is known to work.
+ IF(LIBSYSTEMD_VERSION VERSION_GREATER_EQUAL 247)
+ SET(SYSTEMD_AMBIENT_CAPABILITIES
+"# CAP_IPC_LOCK To allow --memlock to be used as non-root user
+AmbientCapabilities=CAP_IPC_LOCK
+")
+ ENDIF()
 MESSAGE_ONCE(systemd "Systemd features enabled")
 ELSE()
diff --git a/support-files/mariadb.service.in b/support-files/mariadb.service.in
index f53a0b8ceda..7ae0278dc44 100644
--- a/support-files/mariadb.service.in
+++ b/support-files/mariadb.service.in
@@ -47,10 +47,7 @@ PrivateNetwork=false
 User=mysql
 Group=mysql
-# CAP_IPC_LOCK To allow memlock to be used as non-root user
-# These are enabled by default
-AmbientCapabilities=CAP_IPC_LOCK
-
+@SYSTEMD_AMBIENT_CAPABILITIES@
 # CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0
 # does nothing for non-root, not needed if /etc/shadow is u+r
 # CAP_AUDIT_WRITE auth_pam_tool needs it on Debian for whatever reason
diff --git a/support-files/mariadb@.service.in b/support-files/mariadb@.service.in
index cb5e885e1aa..4095f04b800 100644
--- a/support-files/mariadb@.service.in
+++ b/support-files/mariadb@.service.in
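Review bot: The new `IF(LIBSYSTEMD_VERSION VERSION_GREATER_EQUAL 247)` has no ELSE(), so on systemd older than 247, or whenever LIBSYSTEMD_VERSION is unset or not a parsable version (where it is set is outside this hunk), SYSTEMD_AMBIENT_CAPABILITIES is simply left undefined and the generated unit silently loses the CAP_IPC_LOCK grant that the old unit files carried unconditionally, with nothing in the installed unit explaining why `--memlock` now fails for the mysql user. Consider adding `ELSE()` / `SET(SYSTEMD_AMBIENT_CAPABILITIES "# AmbientCapabilities=CAP_IPC_LOCK omitted: systemd older than 247 is not known to handle ambient capabilities for non-root services\n")` so the unit documents the omission, and note in the comment that the check reflects the build host's libsystemd, not the host the unit is eventually installed on. Because CHECK_SYSTEMD is a MACRO the SET() lands in the caller's scope, which is presumably what the later configure_file() relies on; the macro body starts and ends outside the hunk. The comment typo `capbilities` should read `capabilities`, and `245 ... and less` reads better as `245 ... and earlier`.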
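Review bot: `@SYSTEMD_AMBIENT_CAPABILITIES@` replaces both the directive and the comment that explained it, so a reader of the installed unit no longer learns that CAP_IPC_LOCK may or may not be granted depending on the libsystemd version found at build time; the identical hunk in support-files/mariadb@.service.in has the same gap. Keeping a short comment in the template above the placeholder, e.g. `# AmbientCapabilities= (CAP_IPC_LOCK for --memlock) is filled in at build time by cmake/systemd.cmake from the detected libsystemd version`, would preserve that information in every generated unit. The substituted value already ends with a newline, so when it is set the unit gains an extra blank line here and when it is empty the placeholder line collapses to a blank line — harmless, but worth knowing when diffing generated units against the old ones. The unit section containing these lines extends beyond the hunk on both sides.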
@@ -177,10 +177,7 @@ PrivateNetwork=false
 ## Package maintainers
 ##
-# CAP_IPC_LOCK To allow memlock to be used as non-root user
-# These are enabled by default
-AmbientCapabilities=CAP_IPC_LOCK
-
+@SYSTEMD_AMBIENT_CAPABILITIES@
 # CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0
 # does nothing for non-root, not needed if /etc/shadow is u+r
 # CAP_AUDIT_WRITE auth_pam_tool needs it on Debian for whatever reason